Search Results for "vulnerable"
Sort By:
Showing 140 open source projects for "vulnerable"
View related business solutions-
Full-stack observability with actually useful AI | Grafana CloudBuilt on open standards like Prometheus and OpenTelemetry, Grafana Cloud includes Kubernetes Monitoring, Application Observability, Incident Response, plus the AI-powered Grafana Assistant. Get started with our generous free tier today.
-
Go From AI Idea to AI App FastAccess Gemini 3 and 200+ models. Build chatbots, agents, or custom models with built-in monitoring and scaling.
-
1
Is Website Vulnerable
Finds publicly known security vulnerabilities in a website's frontend
A command-line tool that scans websites for known security vulnerabilities in their frontend dependencies by checking against the Snyk vulnerability database. -
2
DVWA
PHP/MySQL web application
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment. -
3
Metarget
Framework for automatic construction of vulnerable infrastructures
Metarget = meta- + target, a framework providing automatic constructions of vulnerable infrastructures, used to deploy simple or complicated vulnerable cloud native targets swiftly and automatically. During security research, we might find that the deployment of a vulnerable environment often takes much time, while the time spent on testing PoC or ExP is comparatively short. In the field of cloud-native security, thanks to the complexity of cloud-native systems, this issue is more terrible. ... -
4
Damn Vulnerable GraphQL Application
Vulnerable implementation of Facebook's GraphQL technology
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security. DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section. A public Postman collection is also available to replay solutions to the challenges. -
AI-powered service management for IT and enterprise teamsGive your IT, operations, and business teams the ability to deliver exceptional services—without the complexity. Maximize operational efficiency with refreshingly simple, AI-powered Freshservice.
-
5
Retire.js
Scanner detecting the use of JavaScript libraries
..."Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your web app. The goal of Retire.js is to help you detect the use of versions with known vulnerabilities. Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules. grunt-retire scans your grunt-enabled app for use of vulnerable JavaScript libraries and/or node modules. Scans visited sites for references to insecure libraries and puts warnings in the developer console. An icon on the address bar displays will also indicate if vulnerable libraries were loaded. ... -
6
WPScan
WPScan WordPress security scanner
WPScan is a black-box WordPress vulnerability scanner written in Ruby. It analyzes WordPress sites to identify outdated core, plugins, themes, exposed APIs, and known vulnerabilities using a large built-in vulnerability database. It is a popular security auditing tool for pentesters and site administrators. -
7
subjack
Subdomain Takeover tool written in Go
...Subjack will also check for subdomains attached to domains that don't exist (NXDOMAIN) and are available to be registered. No need for dig ever again! This is still cross-compatible too. You can use scanio.sh which is kind of a PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar. This script parses and greps through the dump for desired CNAME records and makes a large list of subdomains to check with subjack if they're vulnerable to Hostile Subdomain Takeover. Of course, this isn't the only method to get a large amount of data to test. -
8
pagodo
Automate Google Hacking Database scraping and searching
pagodo automates Google searching for potentially vulnerable web pages and applications on the Internet. It replaces manually performing Google dork searches with a web GUI browser. There are 2 parts. The first is ghdb_scraper.py that retrieves the latest Google dorks and the second portion is pagodo.py that leverages the information gathered by ghdb_scraper.py. This version of pagodo also supports native HTTP(S) and SOCKS5 application support, so no more wrapping it in a tool like proxychains4 if you need proxy support. ... -
9
UFONet
UFONet - Denial of Service Toolkit
UFONet is a powerful and controversial Python-based toolkit for testing and conducting Distributed Denial of Service (DDoS) attacks using unconventional methods, such as leveraging third-party web applications as attack vectors. It automates the discovery of vulnerable targets and enables attackers or researchers to launch large-scale amplification attacks without directly using botnets. While primarily intended for penetration testing and educational purposes, UFONet emphasizes anonymity through the use of proxies, TOR, and encrypted command channels. -
Earn up to 16% annual interest with Nexo.Generate interest, borrow against your crypto, and trade a range of cryptocurrencies — all in one platform. Geographic restrictions, eligibility, and terms apply.
-
10
Hullu Vulnerable System
Pentesting OVA, suits VMware or VirtualBox
...It's intended for educational use, penetration testing practice, and Capture The Flag (CTF)-style scenarios in isolated virtual lab environments. Pre-installed Tools and Services: + Web Stack: - Python3 + Flask - Apache2 with HTTPS - PHP + MySQL (MariaDB) - phpMyAdmin - FlaskVA (Python-based vulnerable app) https://github.com/kaledaljebur/FlaskVA - DVWA (PHP-based vulnerable app) https://github.com/digininja/DVWA + Protocols Simulated: - HTTP / HTTPS - SSH / SFTP - SMB (under constructions) - DNS (under constructions) - FTP / FTPS (under constructions) + In FlaskVA (Python-based): - SQL Injection - Command Injection - File Upload (with SUID exploit vector) - XSS - SSRF - IDOR This is the first version of Hullu, more details are coming. ... -
11
SimpleX
The first messaging platform operating without user identifiers
...Temporary anonymous pairwise identifiers SimpleX uses temporary anonymous pairwise addresses and credentials for each user contact or group member. It allows to deliver messages without user profile identifiers, providing better meta-data privacy than alternatives. Many communication platforms are vulnerable to MITM attacks by servers or network providers. To prevent it SimpleX apps pass one-time keys out-of-band when you share an address as a link or a QR code. Double-ratchet protocol. OTR messaging with perfect forward secrecy and break-in recovery. NaCL cryptobox in each queue to prevent traffic correlation between message queues if TLS is compromised. -
12
OWASP WrongSecrets
Vulnerable app with examples showing how to not use secrets
Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to not store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy. -
13
-
14
Shannon
Fully autonomous AI hacker to find actual exploits in your web apps
...Instead of requiring you to manually reproduce findings, Shannon is designed to produce actionable evidence that a weakness can be weaponized, which helps teams prioritize what truly matters. It positions itself as a pre-attacker safety net, aiming to break your web app before someone else does and thereby reduce the gap between “potentially vulnerable” and “confirmed exploitable.” -
15
GuardDog
GuardDog is a CLI tool to Identify malicious PyPI and npm packages
guarddog is an open-source security tool by DataDog designed to detect risks in open-source dependencies. It helps developers analyze software supply chain risks and prevent malicious or vulnerable packages from being used. -
16
QRCoder
A pure C# Open Source QR Code implementation
...The main target of the QRCoder library is to deliver a small and easy-to-use solution, which has no dependencies to other libraries or network stacks. (Like QR Code generators which are relying on online services which makes them vulnerable/slow in some cases.) Although simplicity is one of the main goals, QRCoder is really flexible, in both "output formats" as well as in "payload types". Payload types? Yes, QRCoder brings its own "payload generator", which helps you to create a big list of different payload types to generate special QR codes like "WiFi QR Codes", "Girocodes", "SwissQRCodes" and many more. -
17
Splunk Attack Range
A tool that allows you to create vulnerable environments
The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections. -
18
FingerprintJS
Browser fingerprinting library
FingerprintJS is a source-available, client-side, browser fingerprinting library that queries browser attributes and computes a hashed visitor identifier from them. Unlike cookies and local storage, a fingerprint stays the same in incognito/private mode and even when browser data is purged. Since FingerprintJS processes and generates the fingerprints from within the browser itself, the accuracy is limited (40% - 60%). For example, when 2 different users send requests using identical (i.e.... -
19
HSD
Handshake Daemon & full node
...Names on the internet (top level domains, social networking handles, etc.) ultimately rely upon centralized actors with full control over a system that are relied upon to be honest, as they are vulnerable to hacking, censorship, and corruption. Handshake aims to experiment with new ways the internet can be more secure, resilient, and socially useful with a peer-to-peer system validated by the network's participants. Handshake is an experiment that seeks to explore those new ways in which the necessary tools to build a more decentralized internet. ... -
20
ThreatMapper
Open source cloud native security observability platform
...Experience rapid threat detection and remediation, while significantly reducing non-critical security alerts by 90%. Deepfence ThreatMapper hunts for threats in your production platforms, and ranks these threats based on their risk of exploit. It uncovers vulnerable software components, exposed secrets, and deviations from good security practices. ThreatMapper uses a combination of agent-based inspection and agent-less monitoring to provide the widest possible coverage to detect threats. ThreatMapper carries on the good 'shift left' security practices that you already employ in your development pipelines. ... -
21
KubeClarity
KubeClarity is a tool for detection and management of vulnerabilities
KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security. Effective vulnerability scanning requires an accurate Software Bill Of Materials (SBOM) detection. KubeClarity includes a CLI that can be run locally and especially useful for CI/CD pipelines. It allows to analyze images and directories to generate... -
22
GOAD (Game of Active Directory)
game of active directory
GOAD (Gather Open Attack Data) is a security reconnaissance framework for collecting, enriching, and visualizing open-source intelligence (OSINT) around hosts, domains, and certificates. It automates queries to certificate transparency logs, passive DNS, subdomain enumeration, web endpoints, and other public threat feeds. The tool aggregates results into structured formats and can produce interactive graphs to highlight relationships between entities (e.g. domain → IP → cert → ASN). Analysts... -
23
EMBA
The firmware security analyzer
...EMBA automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts, or hard-coded passwords. EMBA is a command line tool with the possibility to generate an easy-to-use web report for further analysis. EMBA assists the penetration testers and product security teams in the identification of weak spots and vulnerabilities in the firmware image. EMBA provides as much information as possible about the firmware, that the tester can decide on focus areas and is responsible for verifying and interpreting the results. -
24
Luakit
Fast, small, webkit based browser framework extensible by Lua
...While switching to the WebKit 2 API means a vastly improved security situation, not all distributions of Linux package the most up-to-date version of WebKitGTK+, and several package very outdated versions that have many known vulnerabilities. As of September 2019, Arch, Debian, Fedora, Gentoo, and Ubuntu all have the latest version of WebKitGTK+, but OpenSUSE ships an outdated and vulnerable version in their stable channel. If you use Luakit for browsing, it is your responsibility to ensure that your distribution packages an up-to-date version of WebKitGTK+! -
25
Kubernetes Goat
Kubernetes Goat is a "Vulnerable by Design" cluster environment
Learn to attack or find security issues, misconfigurations, and real-world hacks within containers, Kubernetes, and cloud-native environments. Enumerate, exploit, and gain access to the workloads right from your browser. Understand how attackers think, work, and exploit security issues, and apply these learnings to detect and defend them. Also, learn best practices, defenses, and tools to mitigate, and detect in the real world. Learn the hacks, defenses, and tools. So that you can think like...
