Kali Linux

VuCSA : Vulnerable Client-Server Application – Made For Learning/Presenting

Vulnerable client-server application (VuCSA) is made for learning/presenting how to perform penetration tests of non-http thick clients. It is written in Java (with JavaFX graphical user interface).

Currently the vulnerable application contains the following challenges:

  1. Buffer Over-read (simulated)
  2. Command Execution
  3. SQL Injection
  4. Enumeration
  5. XML
  6. Horizontal Access Control
  7. Vertical Access Control

If you want to know how to solve these challenges, take a look at the PETEP website, which describes how to use the open-source tool PETEP to exploit them.

Tip: Before you start hacking, do not forget to check the data structure of messages bellow.

How to Run?

In order to run the vulnerable server and client, you can use one of releases on GitHub or run gradle assemble, which creates distribution packages (for both Windows and Unix). These packages contain sh/bat scripts that will run the server and client using JVM.

Project Structure

Project is divided into three modules:

  • vucsa-common – common functionality for both client and server (including protocol processing utilities)
  • vucsa-client – vulnerable client with JavaFX GUI
  • vucsa-server – vulnerable server for terminal use

Data Structure

Messages transmitted between server and client have the following simple format:

[type][target][length][payload]
  32b    32b     32b     ???

These four parts have the following meaning:

  • type – type of the message (used for serialization/deserialization)
  • target – target handler that will receive the message
  • length – length of the payload
  • payload – data serialized into bytes
R K

Recent Posts

Nmap cheat sheet for beginners

Nmap (Network Mapper) is a free tool that helps you find devices on a network,…

19 hours ago

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

1 week ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 week ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 week ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 week ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 week ago