OWASP VulnCodeLab | OWASP Foundation (original) (raw)

VulnCodeLab: The Future of Secure Code Review Training

Modern applications are built fast — and broken faster.
VulnCodeLab is a purpose-built, full-stack, intentionally vulnerable enterprise-grade environment designed to train developers, security engineers, and AppSec teams in manual secure code review.

Unlike traditional exploitation-based labs (like OWASP Juice Shop), VulnCodeLab focuses on white-box auditing: finding code-level bugs, security misconfigurations, business logic flaws, and advanced vulnerabilities by reading and understanding the source code itself.

Description

🚀 Key Features

• Real-World Tech Stack: Next.js + Django REST Framework
• Enterprise Simulation: ERP System flow with realistic multi-role users (Admin, Employee, Customer)
• Comprehensive Coverage: OWASP Top 10 Web, API, Mobile, and emerging categories (AI/LLM)
• Security Mapping: Every vulnerability mapped to OWASP, CWE, and business risk
• Future Ready: Expansion to Java, GraphQL, Mobile, AI/LLM vulnerabilities
• Free and Open Source: Built by the community, for the community

📚 Who Should Use VulnCodeLab?

• Developers learning secure coding
• AppSec teams building internal training
• Red/Blue/Purple teams training in code review
• Organizations strengthening Secure SDLC programs
• Anyone preparing for real-world code audit challenges

Roadmap

🔗 Quick Links

• Visit GitHub Repository
• Try the Lab Demo
• Join the Community & Contribute

Licensing

🛣️ Roadmap

Phase 0: Core MVP (May 2025)

• Build basic e-commerce platform (Frontend: Next.js + Backend: Django REST)
• Inject OWASP Top 10 Web vulnerabilities + initial Business Logic flaws
• Manual deployment setup (bash scripts)
• Launch GitHub repo and OWASP project page
• Publish documentation and vulnerability details

Phase 0.5: Polishing (2025 Q2–Q3)

• UX/UI cleanup
• CWE/OWASP mappings for each vulnerability
• Create user guides and contributor onboarding docs
• Release public screenshots, demo videos
• Add basic branding (logo, landing page visual polish)

Phase 1: Advanced AppSec Training (TBA)

• Add advanced vulnerabilities (Race conditions, Insecure serialization, SSRF chains)
• Implement multi-role user logic (Admin, Vendor, Customer)
• Introduce frontend-specific bugs (Next.js bundle leaks, SSRF in SSR)
• Build CI/CD pipelines showcasing SAST/DAST tool integration examples

Phase 2: Enterprise Expansion (TBA)

• Add separate Java-based microservice (vulnerable inventory system)
• Create GraphQL API service with vulnerable queries/mutations
• Develop initial AI/LLM vulnerable components (prompt injection, model exploits)
• Update vulnerabilities to match OWASP Top 10 Web/API 2025 versions

Phase 3: Mobile + Next-Gen Modules (TBA)

• Build Mobile app (Flutter or React Native) with mobile-specific vulnerabilities
• Add advanced AI/LLM modules (agent manipulation, data exfiltration via LLMs)
• Optional: Web3 smart contract module (if viable)

Parallel Track: Ecosystem Growth

• Recruit contributors and maintain open governance
• Monthly minor releases + community engagement
• Blog posts, webinars, contribution workshops