Websheep is a deliberately vulnerable set of applications and ReSTful APIs.
It is meant for demonstrating and learning common vulnerabilities in frontend JavaScript applications and ReSTful APIs:
- Broken Authentication, Session Management and Access Control.
- CSRF (Cross-Site Request Forgery). Learn more about CORS & CSRF.
- JWT (JSON Web Token) issues. Learn more about JWT security.
- ReDoS issues.
- Code Injection.
- OAuth2, OpenID Connect (Session Fixation). [not implemented yet]
Learn more about ReSTful APIs Best Practices & Security.

```sh
git clone https://github.com/wishtack/wishtack-websheep.git
npm install # or yarn install
npm start   # or yarn start
```
You will end up with two servers running locally:
- The vulnerable application running on http://localhost:3000.
- The attacking application running on http://localhost:8080.
Visit the vulnerable application at http://localhost:3000 to discover the available endpoints.
Edit the code in `src/attacker/index.html` in order to attack the vulnerable application.
Avoid looking at the code in `src/attacker/attack.html`, which contains the working attack payloads.
You can run your attack from the browser using the console or the Snippets feature. There are some helpful tools out there:
Run your attack by opening http://localhost:8080 in your browser.
You can see the solution demo by running `npm run start:solution`.
You can run the CSRF attack demo by opening http://localhost:8080/attack.html in your browser.
Here's a white paper that describes common ReSTful APIs vulnerabilities: ReST APIs Best Practices and Security
And remember that cookies are evil!
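As an added example (not part of Websheep's own code), here is the kind of check the API on http://localhost:3000 would need so that a page served from the attacking origin on http://localhost:8080 cannot forge state-changing requests with the victim's cookie; the request objects and the `session` cookie name are constructed for illustration.

```javascript
// Origin of the legitimate frontend; anything else is treated as cross-site.
const API_ORIGIN = 'http://localhost:3000';
// Methods that may change state and therefore need the origin check.
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Derive the requesting origin from the Origin header (sent by browsers on
// cross-origin and most same-origin POSTs), falling back to the Referer's origin.
// Header names are lower-cased, as Node's http module exposes them.
function sourceOrigin(headers) {
  if (headers.origin) return headers.origin;
  if (headers.referer) {
    try { return new URL(headers.referer).origin; } catch { return null; }
  }
  return null;
}

// Decide whether a request may proceed. Safe methods pass (they must not
// change state); unsafe ones must carry a same-origin Origin/Referer.
function csrfDecision(req) {
  if (!UNSAFE_METHODS.has(req.method.toUpperCase())) {
    return { allowed: true, reason: 'safe-method' };
  }
  const origin = sourceOrigin(req.headers);
  if (origin === null) return { allowed: false, reason: 'missing-origin' };
  if (origin !== API_ORIGIN) return { allowed: false, reason: `cross-origin:${origin}` };
  return { allowed: true, reason: 'same-origin' };
}

// Defence in depth: a SameSite=Strict, HttpOnly cookie is withheld by the
// browser on cross-site requests and hidden from page scripts, so a forged
// request from :8080 arrives unauthenticated even before the origin check.
function sessionCookie(value) {
  return `session=${value}; HttpOnly; SameSite=Strict; Path=/`;
}

// Constructed sample requests: one from the app itself, one forged by a page on :8080.
const legitimate = { method: 'POST', headers: { origin: 'http://localhost:3000' } };
const forged = { method: 'POST', headers: { origin: 'http://localhost:8080' } };

console.log(csrfDecision(legitimate)); // { allowed: true, reason: 'same-origin' }
console.log(csrfDecision(forged));     // { allowed: false, reason: 'cross-origin:http://localhost:8080' }
```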