|Michael Herzberg 64ccd90156 Downgraded some dependencies.||4 months ago|
|app||4 months ago|
|bin||5 months ago|
|config||4 months ago|
|db||5 months ago|
|doc||4 months ago|
|lib||5 months ago|
|log||1 year ago|
|public||5 months ago|
|tmp||1 year ago|
|.gitignore||5 months ago|
|.gitmodules||8 months ago|
|Gemfile||4 months ago|
|Gemfile.lock||4 months ago|
|LICENSE||1 year ago|
|README.md||5 months ago|
|Rakefile||1 year ago|
|config.ru||1 year ago|
Damn Vulnerable Grade Management is an intentionally vulnerable grade management application that can be used for teaching security testing and security programming. It aims to be a small application with a realistic use case that contains common vulnerabilities, making it a good target to get started with automatic security testing tools.
DVGM contains (at least) the following vulnerabilities:
We have tried many different tools to automatically find the vulnerabilities, and found the following tools to work best for this kind of application. While none of them finds all contained vulnerabilities, together they cover a reasonable amount:
Damn Vulnerable Grade Management implements a simplistic system for managing university grades. Students can upload assignments (pdf), view their grades for their assignments and lectures, download their grades as reports, and add comments to the grades which can be viewed by lecturers. The application knows three roles: admins, lecturers, and students.
You are Peter, a student and you can log in with
peter as username and
football as password. Try and see how much information/control you can gain!
The repository can be cloned as usual:
git clone https://git.logicalhacking.com/BrowserSecurity/DVGM.git
Note, if you authorized to access the confidential solutions of the exercises for DVGM, you can obtain them by executing
git submodule update --init --recursive
After cloning the repository, install the dependencies;
bundle will install
all dependencies automatically into a project-local directory:
cd DVGM bundle install --path vendor/bundle
To make exploration of the app a bit easier, we run DVGM in development mode. This means that
Now, start the server:
Now, open your browser, go to http://localhost:3000, and start exploring!
This project is licensed under the GPL 3.0 (or any later version).
The master git repository for this project is hosted by the Software Assurance & Security Research Team at https://git.logicalhacking.com/BrowserSecurity/DVGM.