Awesome
Go Test Bench
Intentionally vulnerable go app. Used Go's standard library,
net/http
, for client/server implementations. For more info on this framework, visit net/http.
The go-test-bench application includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals. Any maintainers are welcome to make pull requests.
For customer demonstrations click here to follow the Demo.md readme.
Installation Requirements
-
Optional Docker for Mac
How to Run Locally
- standard library
go build -o app ./cmd/std
./app
To run with gin instead, substitute gin
for std
in the build command; likewise for go-swagger
and julienschmidt
.
View app at http://localhost:8080
How to Run Using Docker
# To stand up application with standard library
docker-compose up std -d
# Alternative: To stand up application with Gin framework
# docker-compose up gin -d
# To stand up application with Julienschmidt/httprouter:
# docker-compose up julienschmidt -d
# To stop app container and related service containers
docker-compose down
View app at http://0.0.0.0:8080
Acknowledgements
The development team.
Experimenting with the code
organization
- code for vulnerable functions is located in
internal/
- exception: vulnerable functions from a particular framework (see below)
- framework-specific code is located under
cmd/
andpkg/
- html templates and css are under
views/
- vulnerability and route data is in go structs,
located in the relevant package under
internal/
quirks
Each framework is different. We've tried to separate framework logic from vulnerability logic so that adding a framework necessitates a minimum of changes to vulnerability logic, and vice versa.
swagger
Swagger is a bit unique, in that it has a lot of generated code and requires a swagger spec. To maintain a single source of truth, we generate the swagger spec from our route data. We also generate boilerplate tying a route handler to each swagger endpoint.
For details, see cmd/go-swagger/README.md