README.md
February 25, 2026 Β· View on GitHub
Warning
This repository and its tools are provided "as is" without warranty of any kind, either express or implied, including but not limited to, any warranties of merchantability, fitness for a particular purpose, and non-infringement. The authors shall not be liable for any claims, damages, or other liabilities arising from, out of, or in connection with the use of this tool. The user is solely responsible for ensuring their use of this tool complies with all applicable laws and regulations. The authors disclaim any liability for illegal or unethical use.
π± Attack Surface
flowchart TD
A{**.NET REST API**}
A --> B[SQL DB]
A --> C[File System]
A --> D[Host services]
A --> F[GraphQL]
A --> G[App Services]
A --> H[Memory]
B --> I(*Identities*)
C --> J(*Logs*)
C --> K(*Secrets*)
D --> L(*DNS*)
F --> M(*Sensitive Data*)
G --> O(*Serialized Data*)
G --> R(*Business Logic*)
G --> U(*Updates*)
H --> P(*Variables and functions*)
π’ Business Value
| Business Workflow | Relevant OWASP ASVS Chapters |
|---|---|
| Personal Data Management | V1 Architecture, Design and Threat Modeling, V5 Validation, Sanitization and Encoding |
| Employee Management | V2 Authentication, V9 Cryptography |
| Client Management | V4 Access Control, V6 Stored Data |
| Banking data Management | V7 Cryptography at Rest, V10 Malicious Code |
| Contracts and Documents Management | V13 File and Resources, V5 Validation, Sanitization and Encoding |
| Identities and Secrets Management | V2 Authentication, V9 Cryptography |
| Administrative Tasks | V4 Access Control, V17 Business Logic |
| Log Management | V19 Logging and Monitoring |
| Service Behavior | V14 API and Web Service Security, V17 Business Logic |
π Vulnerabilities
| MITRE Reference | Description | Difficulty |
|---|---|---|
| CWE-22 | Path Traversal | Medium |
| CWE-78 | OS Command Injection | Medium |
| CWE-79 | Cross-site Scripting | Medium |
| CWE-89 | SQL Injection | Easy |
| CWE-94 | Code Injection | Hard |
| CWE-91 | XML Injection | Hard |
| CWE-98 | Remote File Inclusion | Hard |
| CWE-184 | Incomplete List of Disallowed Inputs | Medium |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | Medium |
| CWE-209 | Generation of Error Message Containing Sensitive Information | Easy |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | Easy |
| CWE-284 | Improper Access Control | Medium |
| CWE-287 | Improper Authentication | Medium |
| CWE-319 | Cleartext Transmission of Sensitive Information | Easy |
| CWE-326 | Inadequate Encryption Strength | Easy |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | Hard |
| CWE-502 | Deserialization of Untrusted Data | Hard |
| CWE-506 | Embedded Malicious Code | Hard |
| CWE-521 | Weak Password Requirements | Easy |
| CWE-532 | Insertion of Sensitive Information into Log File | Easy |
| CWE 639 | Insecure Direct Object Reference | Medium |
| CWE-611 | XML External Entity Reference | Hard |
| CWE-787 | Out-of-bounds Write | Easy |
| CWE-798 | Use of Hard-coded Credentials | Easy |
| CWE-829 | Local File Inclusion | Easy |
| CWE-840 | Business Logic Error | Easy |
| CWE-912 | Backdoor | Hard |
| CWE-918 | Server-Side Request Forgery | Medium |
| CWE-1270 | Generation of Incorrect Security Tokens | Medium |
Note
logs are SIEM ready for Blue Team training.
π Hint & Write Up
-
Try reading Dojo-101, this project contains all you need to hack this app.
-
Become a sponsor and get access to the full methodology and complete write-up.
β¬οΈ Download
git clone https://github.com/Aif4thah/VulnerableLightApp.git
cd .\VulnerableLightApp\
π§π₯ Build and Run
You can use Dotnet or Docker
Dotnet
Check .csproj file to get the current dotnet version and install .NET SDK
dotnet run [--url=<url>]
Docker
docker build -t vulnerablelightapp .
docker run -p 3000:3000 vulnerablelightapp
first request
Default : 127.0.0.1:3000
curl -k https://127.0.0.1:3000
π οΈ Debug
Dotnet install on Linux
Ubuntu / Debian exemple
wget https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
dpkg -i packages-microsoft-prod.deb
apt update && apt install -y dotnet-sdk-8.0 dotnet-runtime-8.0
Dotnet Framework
Verify you use the intended .NET Framework
where dotnet
dotnet --version
dotnet --list-sdks
Certificates
To trust the certificate on windows / mac
dotnet dev-certs https --trust
To generate your cert from Linux :
#!/bin/bash
openssl req -x509 -newkey rsa:4096 -keyout /app/key.pem -out /app/cert.pem -days 365 -nodes -subj "/CN=localhost"
openssl pkcs12 -export -out /app/cert.pfx -inkey /app/key.pem -in /app/cert.pem -passout pass:mypassword
export ASPNETCORE_Kestrel__Certificates__Default__Path=/app/cert.pfx
export ASPNETCORE_Kestrel__Certificates__Default__Password=mypassword
Dependancies
dependancies have to be dowloaded from standard sources
dotnet nuget add source "https://api.nuget.org/v3/index.json" --name "Microsoft"
π CrΓ©dits
-
Special thanks to all the hackers and students who pushed me to improve this work
-
Project maintened by Michael Vacarella
-
Support this effort and give back by sponsoring on GitHub!