realcorvus

realcorvus

Potion Shop - A vulnerable Elixir and Phoenix application for learning web security

Hi everyone, I’m very excited to announce the release of Potion Shop, an intentionally vulnerable Elixir/Phoenix application, for teaching developers about web application security.

https://github.com/securityelixir/potion_shop


:warning: Warning :warning:

Do not deploy this application in your production environment. Attackers can exploit Potion Shop to gain access to the underlying server, then use this access to further compromise your network.


How to Learn Web Security with Potion Shop

Potion Shop can be used by developers of all security skill levels. From beginners interested in what these cryptic acronyms mean, to experienced security professionals looking to test their skills.

If you are a complete beginner, get the project running locally and read tutorial.md for a description of each vulnerability, how to understand the impact, and hints on how to discover it in Potion Shop.

If you have some experience with web security, start with self_guided.md. It provides a concise list of exercises, one for each vulnerability.

If you are looking for a realistic challenge, do not read either document. Test the application as you normally would, and see if you can uncover each security problem.

A full writeup on each issue will be published later in answers.md. For the best learning experience, do not read this until after you have worked through Potion Shop yourself.

Pull Requests Welcome

If there is a security topic you would like to see included in future updates, please open an issue or submit a PR on Github.

The current roadmap includes additional vulnerabilities, and a branch showing how to fix each issue.

Learn More

I will be teaching a fully remote training on April 18, 2023 for ElixirConf EU, Phoenix Application Security. Potion Shop will be used in the training, with the benefit of an interactive format where students can ask questions and experience more guided learning.

Most Liked

ChrisYammine

ChrisYammine

Heh like the OWASP Juice Shop example application. Love it - thank you for this. I’m eager to explore this soon

dimitarvp

dimitarvp

Awesome. I’ll check it out for sure.

Where Next?

Popular in Announcing Top

asiniy
Hey there! I wrote a download elixir package which does exactly what its name about - an easy way to download files. I saw solutions ab...
New
Crowdhailer
The latest release of Ace (0.10.0) includes serving content over HTTP/2. I have started writing a webserver to teach my self more about...
New
tfwright
After working on it for a couple of months and using it in production for most of that time, today I’ve released LiveAdmin, a LiveView ba...
New
restlessronin
The repo is at GitHub - cyberchitta/openai_ex: Community maintained Elixir library for OpenAI API · GitHub. Docs are at OpenaiEx User Gu...
152 10167 134
New
maltoe
Hello! Came here to announce ChromicPDF, a pet project PDF generator I’ve been working on for the past few months. Why another PDF gener...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
kip
Image is an image processing library for Elixir. It is based upon the fabulous vix library that provides a libvips wrapper for Elixir. I...
622 18474 194
New
fuelen
Hey folks! Want to present a toolkit for writing command-line user interfaces. It provides a convenient interface for colorizing text...
New
benlime
LiveMotion enables high performance animations declared on the server and run on the client. As a follow up to my previous thread A libr...
New

Other popular topics Top

TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a > b) do {:ok, "a"} end if (a < b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New

We're in Beta

About us Mission Statement