This is a purposely insecure toy webserver for learning about security vulnerabilities.
This was originally designed for Stanford's CS106S and was authored by Cooper de Nicola, Aditya Saligrama, and George Hosono. It has since been used a few times for workshops by Stanford Applied Cyber. Feel free to use it for your own lessons or learning.
This iteration has been refactored into serverless Cloudflare Pages Functions in order to save on cost.
- IDOR (in `/user` endpoint)
- XSS (in `/hello` endpoint)
- Insecure session handling (in `/login` endpoint)
This is designed to be deployed to Cloudflare Pages Functions. Create a Pages Functions project and deploy it either by connecting Functions to the GitHub repository or by using Wrangler (i.e., `wrangler pages deploy public`).