Announcing Potion Shop - An Open Source Vulnerable Elixir/Phoenix App for Security Education

Michael Lubas, 2023-03-21

Potion Shop is a Phoenix application vulnerable to common web security issues, such as RCE, XSS, and CSRF. Software developers interested in learning more about Elixir security can examine the source code and functionality of Potion Shop, to better understand how these vulnerabilities occur in a Phoenix project.


⚠️ Warning ⚠️

Do not deploy this application in your production environment. Attackers can exploit Potion Shop to gain access to the underlying server, then use this access to further compromise your network.


How to Learn Web Security with Potion Shop

Potion Shop can be used by developers of all security skill levels, from beginners interested in what these cryptic acronyms mean to experienced security professionals looking to test their skills.

If you are a complete beginner, get the project running locally and read tutorial.md for a description of each vulnerability, how to understand its impact, and hints on how to discover it in Potion Shop.

If you have some experience with web security, start with self_guided.md. It provides a concise list of exercises, one for each vulnerability.

If you are looking for a realistic challenge, do not read either document. Test the application as you normally would, and see if you can uncover each security problem.

A full writeup on each issue will be published later in answers.md. For the best learning experience, do not read this until after you have worked through Potion Shop yourself.

Pull Requests Welcome

If there is a security topic you would like to see included in future updates, please open an issue or submit a PR on GitHub.

The current roadmap includes additional vulnerabilities and a branch showing how to fix each issue.

Learn More

I will be teaching a fully remote training on April 18, 2023 for ElixirConf EU, Phoenix Application Security. Potion Shop will be used in the training, with the benefit of an interactive format where students can ask questions and experience more guided learning.


Paraxial.io stops data breaches by securing your Elixir and Phoenix apps. Detect and fix critical security issues today. Attending ElixirConf EU (April 17th) in Lisbon? Paraxial.io founder Michael Lubas is giving the training Elixir Application Security and will be speaking at the conference. Hope to see you there!
