Very Very Vulnerable

by John Hess

Very Very Vulnerable, Inc.

This company doesn't exist. It's just a fiction I created for a talk at Django Boston. Their sprawling web empire is great for the sake of exploring how XSS and CSRF attacks work.

If you're just landing here, check out the slides first. Otherwise, the rest might be a bit confusing.

All the code is at github.com/johnhess/

  • Slides (source)
  • The variously vulnerable and evil web properties of Very Very Vulnerable, Inc:
    • Very Consequential Web Application (source)
    • Seemingly Secure Django Application (source)
    • Rogue/Evil Web Application (source is just a branch of VCWA)
  • My personal site, used to launch some CSRF attacks (source)
    • CSRF Attack against VCWA
    • The same CSRF attack, this time against the CSRF-middleware-protected SSDA.
    • Abusing a "safe" HTTP method to attack SSDA.
  • VeryVeryVulnerable.com (source is just a branch of jthess.com)
Additional Resources

Looking for some more playgrounds to try out attacks? There are a bunch out there. Here are some I know of and that people have suggested to me.

  • OWASP WebGoat
  • Google's Gruyere

Here's some reading that helped me make sense of things.

  • "HTTP cookies, or how not to design protocols"
  • My favorite thing I learned about while making this talk: The Public Suffix List. It's the reason the last attack doesn't work when you access SSDA via ssda.herokuapp.com :-)

Email: john@jthess.com

All the stuff I made for this is MIT/CC licensed. Check the github repos for details :-)