A vulnerable Elixir and Phoenix application for learning web security


scorebet/potion_shop

Potion Shop

Potion Shop is an intentionally vulnerable Elixir/Phoenix application built for teaching developers about web application security. It contains common vulnerabilities such as XSS, CSRF, and RCE.

Warning - Do not deploy this application in your production environment. Attackers can exploit Potion Shop to gain access to the underlying server, then use this access to further compromise your network.

Setup

This guide assumes you have Erlang and Elixir running locally. See Installing Elixir and Erlang With ASDF if you need help with this step.

Elixir "~> 1.13"
Phoenix "~> 1.5.15"

* Install dependencies with `mix deps.get`
* Create and migrate your database with `mix ecto.setup`
* Start the Phoenix endpoint with `mix phx.server`, or inside IEx with `iex -S mix phx.server`

Docker instructions

  1. Ensure that `dev.exs` has `ip` set to `0.0.0.0`.
  2. Run `docker-compose up`.
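The `dev.exs` change from step 1 in concrete form, as an added illustration rather than a file from the Potion Shop repository; the OTP application name and endpoint module are assumed from Phoenix naming conventions, and the Phoenix `ip` option takes an integer tuple, not a string:

```elixir
# config/dev.exs (illustrative fragment; :potion_shop and
# PotionShopWeb.Endpoint are assumed names, not taken from the repository)
import Config

config :potion_shop, PotionShopWeb.Endpoint,
  # A loopback binding such as {127, 0, 0, 1} is unreachable from outside
  # the container, so docker-compose's published port could never connect.
  # Binding to every interface is what lets the mapped port reach the app;
  # outside Docker, a loopback binding keeps the endpoint local to the host.
  http: [ip: {0, 0, 0, 0}, port: 4000]
```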

Getting Started

If you are experienced with Elixir, Phoenix, and web security, see the self_guided.md document. It assumes the reader is familiar with vulnerabilities such as XSS, CSRF, and RCE, and it does not cover the methodology for finding these issues.

For a walkthrough of the Potion Shop application, and guidance on how to find security problems, see tutorial.md. This document provides an introduction to web application security, Elixir security tools, and exposition on the risk of each vulnerability.

For a description of where each vulnerability is located, see answers.md. It is highly recommended that you avoid reading the answers when using Potion Shop for your own education. Use this document to check your understanding after reading tutorial.md and putting in the effort to uncover each security issue yourself.

Authors

Michael Lubas (Paraxial.io) - https://www.linkedin.com/in/michaellubas/

Jonathan Kilby - https://www.linkedin.com/in/jonathankilby1991/

Project Sponsors

Potion Shop is funded through the generous support of the Erlang Ecosystem Foundation.

Potion Shop is sponsored by Paraxial.io, an application security platform for Elixir and Phoenix.
