by Michael Lubas
Potion Shop is a Phoenix application vulnerable to common web security issues, such as RCE, XSS, and CSRF. Software developers interested in learning more about Elixir security can examine the source code and functionality of Potion Shop, to better understand how these vulnerabilities occur in a Phoenix project.
⚠️ Warning ⚠️
Do not deploy this application in your production environment. Attackers can exploit Potion Shop to gain access to the underlying server, then use this access to further compromise your network.
Potion Shop can be used by developers of all security skill levels. From beginners interested in what these cryptic acronyms mean, to experienced security professionals looking to test their skills.
If you are a complete beginner, get the project running locally and read tutorial.md for a description of each vulnerability, how to understand the impact, and hints on how to discover it in potion shop.
If you have some experience with web security, start with self_guided.md. It provides a concise list of exercises, one for each vulnerability.
If you are looking for a realistic challenge, do not read either document. Test the application as you normally would, and see if you can uncover each security problem.
A full writeup on each issue will be published later in answers.md. For the best learning experience, do not read this until after you have worked through Potion Shop yourself.
If there is a security topic you would like to see included in future updates, please open an issue or submit a PR on Github.
The current roadmap includes additional vulnerabilities, and a branch showing how to fix each issue.
I will be teaching a fully remote training on April 18, 2023 for ElixirConf EU, Phoenix Application Security. Potion Shop will be used in the training, with the benefit of an interactive format where students can ask questions and experience more guided learning.
Paraxial.io is a security platform built for Elixir, which replaces Snyk, reCaptcha, and Cloudflare bot defense. Sign up for a 30 day free trial, no credit card required, or schedule a demo today.
Paraxial.io is the only application security and compliance platform made for Elixir.
Subscribe for new posts about Elixir and Phoenix security.