Hi everyone, I’m very excited to announce the release of Potion Shop, an intentionally vulnerable Elixir/Phoenix application, for teaching developers about web application security.
Warning
Do not deploy this application in your production environment. Attackers can exploit Potion Shop to gain access to the underlying server, then use this access to further compromise your network.
How to Learn Web Security with Potion Shop
Potion Shop can be used by developers of all security skill levels. From beginners interested in what these cryptic acronyms mean, to experienced security professionals looking to test their skills.
If you are a complete beginner, get the project running locally and read tutorial.md for a description of each vulnerability, how to understand the impact, and hints on how to discover it in Potion Shop.
If you have some experience with web security, start with self_guided.md. It provides a concise list of exercises, one for each vulnerability.
If you are looking for a realistic challenge, do not read either document. Test the application as you normally would, and see if you can uncover each security problem.
A full writeup on each issue will be published later in answers.md. For the best learning experience, do not read this until after you have worked through Potion Shop yourself.
Pull Requests Welcome
If there is a security topic you would like to see included in future updates, please open an issue or submit a PR on Github.
The current roadmap includes additional vulnerabilities, and a branch showing how to fix each issue.
Learn More
I will be teaching a fully remote training on April 18, 2023 for ElixirConf EU, Phoenix Application Security. Potion Shop will be used in the training, with the benefit of an interactive format where students can ask questions and experience more guided learning.
