Memory leak, redirect loop, deadlock, XSS, CSRF, XEE, ..., understanding bugs by using too buggy web application

Kohei Tamura — Wed, 14 Nov 2018 05:14:12 +0000

If you start developing a web application, you will probably face many problems. For example, memory leak, redirect loop, deadlock, connection leak and so on. In case unexpected trouble happen, you may need to understand bugs and learn/practice how to troubleshoot them in advance. In addtion, you may also need to learn how to prevent vulnerabilities, for example, XSS, SQL injection, CSRF, XEE and so on.

So I created a too buggy web application which can intentionally reproduce many problems:

Troubles
- Memory Leak (Java heap space)
- Memory Leak (PermGen space/Metaspace)
- Memory Leak (C heap space)
- Deadlock (Java)
- Deadlock (SQL)
- Endless Waiting Process
- Infinite Loop
- Redirect Loop
- Forward Loop
- JVM Crash
- Network Socket Leak
- Database Connection Leak
- File Descriptor Leak
- Thread Leak
- Mojibake
- Integer Overflow
- Round Off Error
- Truncation Error
- Loss of Trailing Digits
Vulnerabilities
- XSS (Cross-Site Scripting)
- SQL Injection
- LDAP Injection
- Code Injection
- OS Command Injection (OGNL Expression Injection)
- Mail Header Injection
- Null Byte Injection
- Extension Unrestricted File Upload
- Size Unrestricted File Upload
- Open Redirect
- Brute-force Attack
- Session Fixation Attacks
- Verbose Login Error Messages
- Dangerous File Inclusion
- Directory Traversal
- Unintended File Disclosure
- CSRF (Cross-Site Request Forgery)
- XEE (XML Entity Expansion)
- XXE (XML eXternal Entity)
- Clickjacking
Performance Degradation
- Slow Regular Expression Parsing
- Delay of creating string due to +(plus) operator
- Delay due to unnecessary object creation
Java Errors
- AssertionError
- ExceptionInInitializerError
- FactoryConfigurationError
- GenericSignatureFormatError
- NoClassDefFoundError
- OutOfMemoryError (Java heap space)
- OutOfMemoryError (Requested array size exceeds VM limit)
- OutOfMemoryError (unable to create new native thread)
- OutOfMemoryError (GC overhead limit exceeded)
- OutOfMemoryError (PermGen space)
- OutOfMemoryError (Direct buffer memory)
- StackOverflowError
- TransformerFactoryConfigurationError
- UnsatisfiedLinkError

Quick Start

Go to the latest release page and download easybuggy.jar
Run the command: $ java -jar easybuggy.jar
Access to http://localhost:8080.

Demo

This demo shows:
Start up -> Infinite Loop -> LDAP Injection -> UnsatisfiedLinkError -> BufferOverflowException -> Deadlock -> Memory Leak -> JVM Crash (Shut down)

Warning

This application can cause severe memory leaks or increase CPU usage rate and make your computer unstable. So I recommend that you run it on your VM.

Other versions

EasyBuggy is implemented in Java Servlet 3.0 and old technologies. You can also use other versions you like:

EasyBuggy Boot: EasyBuggy clone build on Spring Boot
EasyBuggy Bootlin: EasyBuggy clone build on Spring Boot and written in Kotlin
EasyBuggy Django: EasyBuggy clone build on Django 2 and written in Python 3

DEV Community: Kohei Tamura

Memory leak, redirect loop, deadlock, XSS, CSRF, XEE, ..., understanding bugs by using too buggy web application

Quick Start

Demo

Warning

Other versions