realcorvus

realcorvus

Potion Shop - A vulnerable Elixir and Phoenix application for learning web security

Hi everyone, I’m very excited to announce the release of Potion Shop, an intentionally vulnerable Elixir/Phoenix application, for teaching developers about web application security.

https://github.com/securityelixir/potion_shop


:warning: Warning :warning:

Do not deploy this application in your production environment. Attackers can exploit Potion Shop to gain access to the underlying server, then use this access to further compromise your network.


How to Learn Web Security with Potion Shop

Potion Shop can be used by developers of all security skill levels. From beginners interested in what these cryptic acronyms mean, to experienced security professionals looking to test their skills.

If you are a complete beginner, get the project running locally and read tutorial.md for a description of each vulnerability, how to understand the impact, and hints on how to discover it in Potion Shop.

If you have some experience with web security, start with self_guided.md. It provides a concise list of exercises, one for each vulnerability.

If you are looking for a realistic challenge, do not read either document. Test the application as you normally would, and see if you can uncover each security problem.

A full writeup on each issue will be published later in answers.md. For the best learning experience, do not read this until after you have worked through Potion Shop yourself.

Pull Requests Welcome

If there is a security topic you would like to see included in future updates, please open an issue or submit a PR on Github.

The current roadmap includes additional vulnerabilities, and a branch showing how to fix each issue.

Learn More

I will be teaching a fully remote training on April 18, 2023 for ElixirConf EU, Phoenix Application Security. Potion Shop will be used in the training, with the benefit of an interactive format where students can ask questions and experience more guided learning.

Most Liked

ChrisYammine

ChrisYammine

Heh like the OWASP Juice Shop example application. Love it - thank you for this. I’m eager to explore this soon

dimitarvp

dimitarvp

Awesome. I’ll check it out for sure.

Where Next?

Popular in Announcing Top

OvermindDL1
I created a new library (rather I pulled out a couple files from my big project), it manages an operating system PID file for the BEAM. ...
New
tmbb
PhoenixWS - Websockets over Phoenix Channels Source code on Github here: GitHub - tmbb/phoenix_ws: Websockets implemented over Phoenix Ch...
New
sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 43487 311
New
tmbb
I’ve been working on two packages (not on hex.pm yet) to build admin interfaces for phoenix apps: bureaucrat - which contains a bunch ...
New
wojtekmach
Hey everyone! Req is an HTTP client for Elixir that I’ve been working on for quite some time. There is already a lot of HTTP clients out...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36352 110
New
Azolo
Hey everyone, I just released WebSockex which is a Elixir WebSocket client. WebSockex strives to work as a OTP special process, be RFC6...
New
achempion
Hi, I would like to tell about my initiative to further maintain and develop Waffle project which is the fork of Arc library. The progre...
New
zachdaniel
Ash Framework What is Ash? Ash Framework is a declarative, resource-oriented application development framework for Elixir. A resource can...
New
wfgilman
I’ve cleaned up and open sourced three financial libraries I was using for my company. They are bindings for the APIs of these three comp...
New

Other popular topics Top

malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
Qqwy
Update: How to use the Blogs & Podcasts section You can post links to your blog posts or podcasts either in one of the Official Blog...
3271 127089 1222
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement