
oliverklee/insecurity
=====================

Web application that consists of a plethora of security vulnerabilities held together by some functionality

Stars: 165 · [21 open issues](https://github.com/oliverklee/insecurity/issues) · Language: PHP · CI: failing · Last pushed: 6 years ago · Watchers: 1

[Source](https://github.com/oliverklee/insecurity) · [Packagist](https://packagist.org/packages/oliverklee/insecurity) · [RSS feed](/packages/oliverklee-insecurity/feed)

Insecurity
==========

What is this all about?
-----------------------

This project is a web application that consists of a plethora of security vulnerabilities held together by some functionality.

This project has been created as an educational resource for workshops on PHP web security. You could use it in several ways:

- show the attendees the vulnerabilities and how to fix them
- have the attendees search for vulnerabilities
- have the attendees fix the vulnerabilities

Warning
-------

Never, ever put this project on any web server that is accessible from the internet. Your server will get hacked.

How to use this project for learning
------------------------------------

For learning as much as possible (e.g., at a workshop on web application security), I propose you do the exercises in the following order:

1. Install the application and try to find as many vulnerabilities as possible without reading the code and without using any automatic vulnerability scanning tools. Just use the application front end (without logging in, then with the `user` login and with the `admin` login). Use browser plugins that help you manipulate the requests and read the web site source.
2. Try to find more vulnerabilities by reading the code.
3. Try to find more vulnerabilities by using automated vulnerability scanners.
4. Compare the list of vulnerabilities you have found in the previous two steps with the list available in the `solutions` branch.
5. Fix the vulnerabilities.

Installation
------------

1. Install [Vagrant](https://www.vagrantup.com/) and run `vagrant up`.
2. `vagrant ssh`
3. `cd /var/www/`
4. `composer install`
5. Log out from the virtual box.
6. You can now access your insecure site at .
7. You can log in as either `admin@example.com / 12345678` or as `user@example.com / asdfqwer`.

Resetting the database
----------------------

The database and its contents are automatically created when you run `vagrant up`.

If you ever need to rebuild the database from scratch, follow this list of steps:

1. `vagrant ssh`
2. `sh /var/www/db/setup-database.sh`
3. Log out from the virtual box.

List of vulnerabilities
-----------------------

There is a list of vulnerabilities in the file `Vulnerabilities.md` in the branch `solutions` (to keep you from seeing the solutions by accident before you have had the chance to find the vulnerabilities yourself).

About me (Oliver Klee)
----------------------

I am a former member of the TYPO3 Security Team and the maintainer of the [PHPUnit TYPO3 extension](http://typo3.org/extensions/repository/view/phpunit), which is available in the TYPO3 extension repository (TER).

You can book me for [workshops](https://www.oliverklee.de/workshops/workshops.html) at your company.

I also frequently give workshops at the TYPO3 Developer Days.

Contributing
------------

Contributions in the form of bug fixes, more vulnerabilities, or clean-ups submitted as pull requests are always more than welcome.

Please do not report any security vulnerabilities, and please do not submit pull requests with security fixes - you're missing the point.

License
-------

The application is licensed under the GNU General Public License (GPL) v3.

The included Twitter Bootstrap and jQuery are licensed under the MIT License (MIT).

### Health Score

Score: 17 (Low, better than 6% of packages)

- Maintenance: 0 (infrequent updates; may be unmaintained)
- Popularity: 9 (limited adoption so far)
- Community: 10 (small or concentrated contributor base)
- Maturity: 43 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 100% of commits; single point of failure)

How is this calculated?

- **Maintenance (25%)**: last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: project age, version count, PHP version support, and release stability.

### Community

Maintainer: [oliverklee](/maintainers/oliverklee)

Top contributor: [oliverklee](https://github.com/oliverklee) (93 commits)


PHPackages © 2026
