"What's our vector, Victor?" - A collection of intentionally vulnerable code examples for security testing, training, and educational purposes.
Fun fact: This repo name is a tribute to the classic Airplane! quote, but here we're navigating through security vulnerabilities instead of flight paths. Clearance, Clarence?
DO NOT deploy these applications. These are sample code snippets that have not been tested as executables.
This repository contains deliberately insecure code designed to demonstrate common security vulnerabilities. All examples are for educational and authorized security testing purposes only.
Example agentic LLM application demonstrating OWASP Top 10 for LLM (2025) vulnerabilities:
- agent.py - Main vulnerable agent with comprehensive security issues
- prompt_injection_examples.py - LLM01: Direct/indirect prompt injection and jailbreaks
- sensitive_data_exposure.py - LLM02: Hardcoded secrets, PII leakage, system prompt exposure
- excessive_agency.py - LLM06: Unrestricted capabilities and auto-execution
- config.yaml - Vulnerable configuration with hardcoded credentials
- requirements.txt - Python dependencies
OWASP Top 10 for LLM Coverage:
- ✓ LLM01: Prompt Injection - No input validation, direct concatenation
- ✓ LLM02: Sensitive Information Disclosure - Hardcoded secrets, PII exposure
- ✓ LLM03: Supply Chain Vulnerabilities - No model verification, untrusted sources
- ✓ LLM04: Data and Model Poisoning - Insecure pickle, no data validation
- ✓ LLM05: Improper Output Handling - Auto-executing commands, eval() usage
- ✓ LLM06: Excessive Agency - Unrestricted file/DB/API access, no approvals
- ✓ LLM07: System Prompt Leakage - Weak protection, credentials in prompts
- ✓ LLM08: Vector and Embedding Weaknesses - No validation, poisoning risk
- ✓ LLM09: Misinformation - No fact-checking or source attribution
- ✓ LLM10: Unbounded Consumption - No rate limits or resource constraints
References:
- OWASP Top 10 for LLM Applications 2025
- Gandalf Lakera AI Prompt Injection Challenge
- Prompt Injection Primer for Engineers
- LLM Security Guide
Examples of insecure Docker configurations and container practices:
- Dockerfile.python-vulnerable - Python app with multiple security issues
- Dockerfile.nodejs-vulnerable - Node.js app with vulnerabilities
- Dockerfile.java-vulnerable - Java app with security flaws
- Dockerfile.secrets-exposed - Hardcoded secrets and credentials
- Dockerfile.rootful-privileged - Privileged containers running as root
- Dockerfile.multistage-bad - Insecure multi-stage builds
- docker-compose.vulnerable.yml - Insecure Docker Compose configuration
Infrastructure-as-Code examples with security misconfigurations:
- aws_s3_vulnerable.tf - Publicly accessible S3 buckets, weak encryption
- aws_ec2_vulnerable.tf - Insecure EC2 instances, security groups, SSH keys
- aws_rds_vulnerable.tf - Unencrypted databases, weak passwords, public access
- aws_iam_vulnerable.tf - Overly permissive IAM policies and roles
- aws_misc_vulnerable.tf - Additional AWS security issues
Python web application examples demonstrating OWASP Top 10 (2021) vulnerabilities:
- SQL Injection
- Cross-Site Scripting (XSS)
- XML External Entity (XXE)
- Command Injection
- Path Traversal
- Server-Side Request Forgery (SSRF)
- Insecure Deserialization
- Broken Authentication
- Weak Cryptography
- Hardcoded Secrets
- Security Training - Learn to identify and exploit common vulnerabilities
- Tool Testing - Validate security scanners and SAST/DAST tools
- CTF Challenges - Practice offensive security techniques
- Secure Code Reviews - Learn what NOT to do
- Penetration Testing - Practice in authorized environments
Each directory contains its own README with specific setup instructions and vulnerability descriptions.
- Python 3.8+
- Docker & Docker Compose
- Terraform (for IaC examples)
- Virtual environment recommended
# Clone the repository
git clone https://github.com/levinebw/vectorvictor.git
cd vectorvictor
# Navigate to specific vulnerability examples
cd vulnerable_llm_agent
pip install -r requirements.txt
python agent.py- OWASP Top 10
- OWASP Top 10 for LLM Applications
- CWE - Common Weakness Enumeration
- MITRE ATT&CK Framework
This repository is for authorized security testing and educational purposes only.
Contributions of additional vulnerability examples are welcome. Please ensure:
- Code is clearly documented
- Vulnerabilities are explicitly noted
- Examples are realistic and educational
- No actual sensitive data is included
This project is provided "as-is" for educational and demonstration purposes. See LICENSE file for details.