VulnApp - Security Learning Platform

🔐 Login

⚠️ This is a vulnerable application for learning purposes!

Test Accounts:

admin	admin123	Admin
john	john123	User
jane	jane123	User
bob	bob123	User

🎯 Welcome to VulnApp Security Learning Platform

⚠️ WARNING: This application contains INTENTIONAL security vulnerabilities for educational purposes. DO NOT deploy in production!

Vulnerabilities Included:

🚫 BAC

Broken Access Control
Admin endpoints accessible by normal users

🔗 IDOR

Insecure Direct Object Reference
Access other users' data via ID manipulation

Vulnerable Endpoints:

Endpoint	Vulnerability	Description
`GET /api/admin/users`	BAC	List all users (no admin check)
`POST /api/admin/users`	BAC	Create users (no admin check)
`DELETE /api/admin/users/:id`	BAC	Delete users (no admin check)
`GET /api/admin/settings`	BAC	View sensitive settings (no admin check)
`GET /api/admin/logs`	BAC	View admin logs (no admin check)
`GET /api/user/:id/profile`	IDOR	Access any user's profile
`GET /api/user/:id/orders`	IDOR	Access any user's orders
`GET /api/order/:orderId`	IDOR	Access any order details

👤 User Profile IDOR Vulnerable

💡 Try changing the User ID to access other users' profiles!

User ID to fetch:

📦 Orders IDOR Vulnerable

💡 Try changing User ID or Order ID to access other users' orders!

Fetch orders by User ID:

Fetch order by Order ID:

⚙️ Admin Panel BAC Vulnerable

🔓 This panel should only be accessible to admins, but there's no proper role check!

-

Total Users

-

Total Orders

-

Revenue

🧪 API Tester

Quick Endpoints:

GET/api/admin/users BAC

GET/api/admin/settings BAC

GET/api/admin/logs BAC

GET/api/admin/dashboard BAC

GET/api/user/1/profile IDOR

GET/api/user/2/orders IDOR

GET/api/order/101 IDOR

DELETE/api/admin/users/3 BAC

Method:

Endpoint:

Body (JSON):