This is an intentionally vulnerable Rust/Actix-web application designed for testing security remediation tools, SAST/SCA scanners, and security training.
- 200+ open source dependency vulnerabilities requiring complex remediation
- 20+ code-level security vulnerabilities covering OWASP Top 10
- Realistic vulnerable code patterns found in real-world Rust applications
- Various remediation scenarios (simple upgrades, breaking changes, deprecated crates)
- 30 vulnerable Rust crates from 2019
- actix-web 1.0, tokio 0.1.22, openssl 0.10.24 with known vulnerabilities
- Expected 200+ total vulnerabilities across direct and transitive dependencies
Key Vulnerable Crates:
actix-web: 1.0(multiple security issues)tokio: 0.1.22(memory safety issues)openssl: 0.10.24(cryptographic vulnerabilities)reqwest: 0.9.19(SSRF, header injection)diesel: 1.4.4(SQL injection patterns)regex: 1.1.9(ReDoS vulnerabilities)yaml-rust: 0.4.3(deserialization issues)- And 23+ more...
- SQL Injection (CWE-89) - main.rs:73
- Command Injection (CWE-78) - main.rs:83-91
- Path Traversal (CWE-22) - main.rs:99-107
- XSS (CWE-79) - main.rs:114-119
- SSRF (CWE-918) - main.rs:124-134
- Unsafe Code Patterns (CWE-94) - main.rs:137-143
- Mass Assignment (CWE-915) - main.rs:148-162
- IDOR (CWE-639) - main.rs:167-175
- Missing Authentication (CWE-306) - main.rs:180-190
- Sensitive Data Exposure (CWE-200) - main.rs:195-202
- Open Redirect (CWE-601) - main.rs:207-215
- Weak Cryptography (CWE-327) - main.rs:222-232
- ReDoS (CWE-1333) - main.rs:237-246
- Insecure Randomness (CWE-330) - main.rs:251-260
- Hardcoded Credentials (CWE-798) - main.rs:14-17, 265-275
- Information Exposure via Errors (CWE-209) - main.rs:280-288
- Missing Rate Limiting (CWE-770) - main.rs:293-300
- Cleartext Transmission (CWE-319) - main.rs:307-314
- Sensitive Data in GET (CWE-598) - main.rs:319-330
- Exposed Secrets - .env file
- Rust 1.40+ (2019 edition)
- Cargo
git clone https://github.com/YOUR_USERNAME/vulnerable-rust-app.git
cd vulnerable-rust-app
# Build (expect warnings about vulnerabilities)
cargo build
# Run
cargo runAccess at: http://localhost:8080
snyk testcargo install cargo-audit
cargo auditPOST /api/login- SQL InjectionGET /api/exec?cmd=ls- Command InjectionGET /api/files?filename=test.txt- Path TraversalGET /api/search?query=test- XSSGET /api/proxy?url=http://example.com- SSRFPOST /api/eval- Unsafe Code ExecutionPOST /api/register- Mass AssignmentGET /api/users/{id}- IDORDELETE /api/admin/users/{id}- Missing AuthenticationGET /api/debug- Sensitive Data ExposureGET /api/redirect?url=evil.com- Open RedirectPOST /api/hash- Weak CryptographyGET /api/regex?input=aaa!- ReDoSGET /api/generate-token- Insecure Randomness- And 5 more...
cargo update actix-web
cargo update tokio# actix-web 1.0 → 4.0
# Requires significant code refactoring- Some old crates no longer maintained
- May require alternative solutions
DO NOT:
- Deploy to production
- Expose to the internet
- Use code patterns in real applications
- Commit .env to version control
DO:
- Use for security testing
- Use for security training
- Run in isolated environments
cargo build
cargo run
# In another terminal:
curl http://localhost:8080/api/debugRemember: Intentionally insecure. Use responsibly in controlled environments only!
MIT License - Educational and testing purposes only.