This application is intentionally vulnerable. It exists to teach students how to find and fix security flaws using AI coding agents. Reporting a planted vulnerability as a bug is not useful — finding them is the assignment.
This repo contains five deliberately introduced security vulnerabilities, each mapped to a real-world category:
- Cross-Site Scripting (XSS) via unsafe DOM rendering
- Hardcoded credentials in client-side source
- Arbitrary code execution via `eval()` on user input
- Open redirect via unvalidated URL parameter
- Prototype pollution via unsafe object merge
Each vulnerability is marked in the source with a comment containing the phrase `INTENTIONAL VULNERABILITY for training`, so it is unambiguous.
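As an added illustration of one of the categories listed above (not code from this repository), here is the "unsafe object merge" pattern written in the repo's marker convention, next to a hardened merge. The sample settings JSON, the function names and the probe helper are constructed for this example.

```javascript
// INTENTIONAL VULNERABILITY for training: recursive merge with no key check,
// so a "__proto__" key in the input walks up into Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: skip prototype-affecting keys, copy only own properties,
// and build nested objects on a null prototype so nothing is inherited.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      const child = (own !== null && typeof own === 'object') ? own : Object.create(null);
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: settings as they might arrive from a query string or
// localStorage. "theme" is legitimate; the "__proto__" key is the pollution attempt.
const SAMPLE_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether an unrelated, freshly created object
// now inherits "isAdmin" (the observable symptom of prototype pollution).
function pollutionVisible(merge) {
  const settings = merge({}, JSON.parse(SAMPLE_JSON));
  const leaked = ({}).isAdmin === true;   // probe a fresh object
  delete Object.prototype.isAdmin;        // undo any pollution before the next run
  return { theme: settings.theme, leaked };
}
```

Both merges keep the legitimate `theme` value; only the unsafe one lets the probe object inherit `isAdmin`.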
The full mapping of vulnerabilities to OWASP categories, the "before" and "after" code, and the audit report are reserved for instructor reference and are not published in this public repository.
If you find a problem that is genuinely not a planted vulnerability — for example a broken link, a typo in the README, or a UI glitch — you can open an issue on the repository. Please do not report security findings; this app is meant to be insecure.
For the avoidance of doubt, the planted vulnerabilities are all client-side. They cannot:
- Read files on the user's machine
- Make network requests to any external server
- Install software
- Persist data outside `localStorage` for this origin
- Affect any other browser tab
The app is safe to open and explore in any modern browser.