A Vulnerable Web Application Lab

About the app & idea

  • As a web app security person, we already have a lot of awesome vulnerable web application projects available to learn web app security. The main idea behind creating ThreadsApp came when we (Team Enciphers), while taking some web hacking training, realised that the current vulnerable lab apps does not give a feel of real world web apps ...i.e. the app itself tells that it is a vulnerable web app. So, we wanted to create a real world like app which works fine, unless you start looking from a security point of view. ThreadsApp is a simple web app, which has some simple features like creating posts, uploading pics, managing accounts, admin functionality etc. If you do not look from a security perspective, the app would work just fine. The fun starts when you start looking at the app from a penetration tester's point of view. Then, you end up finding security flaws, like in any other web app. This being the first release, we tried to add some basic functionaliites and related vulnerabilities. Future releases will have more interesting vulnerabilities and functionalities.
  • ThreadsaApp is a Vulnerable Web Application build in Node.js for learning web application security. It is like a social media platform where people can connect with each other.
  • EJS is used as a frontend development templating engine with bootstrap and a mix of a simple HTML, CSS is used to build this vulnerable web application.
  • Express libraries used are:
    1. Multer (file upload both with s3 bucket and disk storage).
    2. Passport.js (for cookie-based authentication and JWT authentication).
  • Basically this application contains various vulnerabilities as challenges for you to solve.

How to Install

  • GitHub Repo Of ThreadsApp: Click here
  • Check the Set Up page and follow instructions.


This is like a social media application so it consist some of the similar features like:
  • A user can sign up and create an account in this application.
  • A user can create posts with images and links.
  • A user can like, comment on other user's posts.
  • A user can share and bookmark other user's post.
  • A user can also chat with other users in the group chat section.
  • A user can follow another user and also can get followed by other users.
  • You can add 25 dummy users to the application while installing.
  • A user can delete his account after which all information like his post, bookmarks, likes, comments, following, followers will get deleted
  • Profile section has bio field where you can write about yourself

All Challenges

ThreadsApp like any other web app, has some vulnerabilities which are of different levels of severity like Low, Medium, High & critical. Vulnerabilities are mentioned according to their category below


  • Self XSS
  • CSRF(Cross-site Request Forgery)
  • Hidden directories
  • No Password Policy
  • Weak Reset Password Implementation
  • Automatic user Enumeration
  • No Password required for account deletion
  • Simultaneous sessions are being kept active on the same browser


  • No rate limiting
  • Failure to invalidate the session after password change
  • Clickjacking
  • Bruteforce of password leading to account takeover


  • IDOR(Insecure Direct Object Reference)
  • Stored XSS(2)
  • SSRF(Server-side Request Forgery)
  • Blind SSRF
  • Account takeover via IDOR
  • Chainning of IDOR with XSS


  • JWT Authentication
  • NoSQL Injection