Memory leak, redirect loop, deadlock, XSS, CSRF, XEE, ..., understanding bugs by using too buggy web application

If you start developing a web application, you will probably face many problems. For example, memory leak, redirect loop, deadlock, connection leak and so on. In case unexpected trouble happen, you may need to understand bugs and learn/practice how to troubleshoot them in advance. In addtion, you may also need to learn how to prevent vulnerabilities, for example, XSS, SQL injection, CSRF, XEE and so on.

So I created a too buggy web application which can intentionally reproduce many problems:

• Troubles

  • Memory Leak (Java heap space)
  • Memory Leak (PermGen space/Metaspace)
  • Memory Leak (C heap space)
  • Deadlock (Java)
  • Deadlock (SQL)
  • Endless Waiting Process
  • Infinite Loop
  • Redirect Loop
  • Forward Loop
  • JVM Crash
  • Network Socket Leak
  • Database Connection Leak
  • File Descriptor Leak
  • Thread Leak
  • Mojibake
  • Integer Overflow
  • Round Off Error
  • Truncation Error
  • Loss of Trailing Digits

• Vulnerabilities

  • XSS (Cross-Site Scripting)
  • SQL Injection
  • LDAP Injection
  • Code Injection
  • OS Command Injection (OGNL Expression Injection)
  • Mail Header Injection
  • Null Byte Injection
  • Extension Unrestricted File Upload
  • Size Unrestricted File Upload
  • Open Redirect
  • Brute-force Attack
  • Session Fixation Attacks
  • Verbose Login Error Messages
  • Dangerous File Inclusion
  • Directory Traversal
  • Unintended File Disclosure
  • CSRF (Cross-Site Request Forgery)
  • XEE (XML Entity Expansion)
  • XXE (XML eXternal Entity)
  • Clickjacking

• Performance Degradation

  • Slow Regular Expression Parsing
  • Delay of creating string due to +(plus) operator
  • Delay due to unnecessary object creation

• Java Errors

  • AssertionError
  • ExceptionInInitializerError
  • FactoryConfigurationError
  • GenericSignatureFormatError
  • NoClassDefFoundError
  • OutOfMemoryError (Java heap space)
  • OutOfMemoryError (Requested array size exceeds VM limit)
  • OutOfMemoryError (unable to create new native thread)
  • OutOfMemoryError (GC overhead limit exceeded)
  • OutOfMemoryError (PermGen space)
  • OutOfMemoryError (Direct buffer memory)
  • StackOverflowError
  • TransformerFactoryConfigurationError
  • UnsatisfiedLinkError

Quick Start

1. Go to the latest release page and download easybuggy.jar
2. Run the command: $ java -jar easybuggy.jar
3. Access to http://localhost:8080.

Demo

This demo shows:
Start up -> Infinite Loop -> LDAP Injection -> UnsatisfiedLinkError -> BufferOverflowException -> Deadlock -> Memory Leak -> JVM Crash (Shut down)

Warning

This application can cause severe memory leaks or increase CPU usage rate and make your computer unstable. So I recommend that you run it on your VM.

Other versions

EasyBuggy is implemented in Java Servlet 3.0 and old technologies. You can also use other versions you like:

• EasyBuggy Boot: EasyBuggy clone build on Spring Boot
• EasyBuggy Bootlin: EasyBuggy clone build on Spring Boot and written in Kotlin
• EasyBuggy Django: EasyBuggy clone build on Django 2 and written in Python 3

Comments

[Rémi Lavedrine]

That is very interesting.
I am using a lot of on-purpose vulnerable app to try some tools on them.

Do you think of releasing it with only the vulnerability so that one does not have the "memory consumption" issue?

[Kohei Tamura]

Thank you for your comment and sorry for my late reply. I didn't notice your comment.

Easybuggy has "only-vulnerabilities" mode which displays only vulnerability pages and does not cause memory consumption:

java -Deasybuggy.mode=only-vulnerabilities -jar easybuggy.jar

If you will use tools like OWASP ZAP, this mode is useful.

[Rémi Lavedrine]

Oh that is brilliant.

I'll test it soon. :-)