The Most Vulnerable .NET App - Educational Project
February 24, 2026 ยท View on GitHub
This application contains intentionally vulnerable code for educational purposes only!

This is an interactive educational project that demonstrates common security vulnerabilities in .NET applications. Each vulnerability is reproduced in a real working .NET environment where you can debug, explore, and understand what NOT to do, along with recommended secure practices.
Learning Process
- Learn by Example: See real vulnerable code in action
- Debug and Explore: Step through vulnerable code paths
- Learn Best Practices: Each example includes secure alternatives
- CWE (Common Weakness Enumeration) References: Every vulnerability links to official CWE documentation for pro insights
Note
This repository compliments the following YouTube video: I Built the Most Insecure .NET App
Vulnerability Categories
Injection Attacks
-
SQL Injection (CWE-89)
Executing arbitrary SQL commands through string concatenation in queries -
Command Injection (CWE-78)
Executing system commands via Process.Start with user input -
Code Injection (CSharpScript) (CWE-94)
Executing arbitrary C# code through dynamic script evaluation -
Template Injection (CWE-1336)
Injecting code into template engines (Razor, etc.) -
LDAP Injection (CWE-90)
Manipulating LDAP queries through unsafe search filters -
XPath Injection (CWE-643)
Manipulating XPath queries to XML documents -
XML Injection (CWE-91)
Injecting malicious XML content -
CRLF Injection (CWE-93)
Injecting carriage return and line feed characters -
Expression Language Injection (Dynamic LINQ) (CWE-917)
Injecting code into dynamic LINQ expressions -
JSON Injection (CWE-91)
Manipulating JSON serialization/deserialization -
Log Injection (Log Forging) (CWE-117)
Injecting malicious data into logs through improper sanitization
Cross-Site Scripting (XSS)
-
Stored XSS (CWE-79)
Storing and displaying HTML content from database without sanitization -
Reflected XSS (CWE-79)
Displaying URL parameters without escaping in HTML -
XSS With JS Interop (CWE-79)
Client-side JavaScript manipulation with user input -
XSS via Attributes (CWE-79)
Injecting malicious code into HTML attributes -
XSS via SVG (CWE-79)
Embedding JavaScript in SVG files -
XSS via File Upload (CWE-79)
Uploading HTML files with malicious scripts -
XSS via CSS (CWE-79)
Using CSS expressions for code execution
Authentication & Authorization
-
Hardcoded Credentials (CWE-798)
Usernames and passwords hardcoded in source code -
Missing Authorization Check (CWE-862)
API endpoints accessible without authorization checks -
Broken JWT Implementation (CWE-347)
JWT without signature validation -
Privilege Escalation (CWE-269)
Modifying user role through form field -
Insecure Direct Object Reference (IDOR) (CWE-639)
Accessing other users' data by modifying ID parameters -
Password Reset Poisoning (CWE-640)
Host header injection in password reset -
Weak Password Requirements (CWE-521)
Allowing weak passwords
Cryptography Issues
-
Weak Hashing (MD5/SHA1) (CWE-327)
Using cryptographically weak hashing algorithms -
ECB Mode Encryption (CWE-327)
Using Electronic Codebook mode -
Insufficient Key Length (CWE-326)
Using short encryption keys (DES, 3DES) -
No Salt in Password Hashing (CWE-759)
Hashing passwords without unique salt -
Predictable Random Numbers (CWE-338)
Using Random instead of cryptographically secure generator -
Improper Certificate Validation (CWE-295)
Disabling SSL certificate validation
Sensitive Data Exposure
-
API Keys Exposure (CWE-798)
Exposing API keys in client-side code -
Sensitive Data in Logs (CWE-532)
Logging passwords, credit cards, tokens -
Verbose Error Messages (CWE-209)
Exposing stack traces and internal details -
Directory Listing (CWE-548)
Exposing directory contents -
Sensitive Data in URLs (CWE-598)
Passing tokens/passwords in query strings
XML & Serialization
-
XXE (XML External Entity) (CWE-611)
Processing untrusted XML with external entities -
Insecure Deserialization (BinaryFormatter) (CWE-502)
Using BinaryFormatter with untrusted data -
JSON Deserialization Attacks (CWE-502)
Type name handling in JSON.NET -
Insecure YAML Deserialization (CWE-502)
YAML deserialization vulnerabilities -
XML Bomb (Billion Laughs) (CWE-776)
Exponential entity expansion attack
File Operations
-
Path Traversal (CWE-22)
Reading arbitrary files through path manipulation (../) -
Arbitrary File Write (CWE-73)
Writing to arbitrary file locations -
Zip Slip (CWE-22)
Archive extraction with path traversal
Server-Side Request Forgery
-
Basic SSRF (CWE-918)
Fetching URLs provided by user -
SSRF via File Upload (CWE-918)
Processing files with external references
Business Logic Flaws
-
Mass Assignment (CWE-915)
Over-posting attack on model binding -
Negative Quantities (CWE-20)
Accepting negative numbers in business logic -
Integer Overflow (CWE-190)
Arithmetic operations causing overflow
API Security
-
Missing Rate Limiting (CWE-799)
APIs without throttling -
CORS Misconfiguration (CWE-942)
Overly permissive CORS policy -
CSRF (Cross-Site Request Forgery) (CWE-352)
Executing unauthorized actions on behalf of authenticated users -
Excessive Data Exposure (CWE-213)
Returning more data than needed
How to Use This Project
- Browse the Categories: Start from the home page and explore vulnerabilities by category
- Read the Description: Each page explains the vulnerability and its impact
- Try the Attack: Use the provided attack payloads to see the vulnerability in action
- Debug the Code: Set breakpoints and step through the vulnerable code
- Study the Fix: Review the secure implementation recommendations
- Check CWE Links: Follow the CWE links for comprehensive security knowledge
Additional Resources
Contributing
This is an educational project. If you'd like to add more examples or enhance them, contributions are welcome!
Remember: The only way to truly understand security vulnerabilities is to see them in action. This project provides a safe, controlled environment to do exactly that. Happy learning!