Building DVCA: A Damn Vulnerable Chat App for Ethical Hackers
Hey everyone, Yeti here πΎ
As part of my journey into deeper AppSec, I wanted to build something that combines everything Iβve been learning: APIs, real-time backend behavior, front-end vulns, and secure(ish) architecture β then rip it all wide open.
So I built DVCA β Damn Vulnerable Chat App
An intentionally insecure, Go-powered chat platform for red teamers, CTF players, and curious developers.
Tech Stack & Architecture
DVCA uses:
- Go β for backend services and microservices
- WebSockets β for real-time chat messaging
- SQLite β lightweight storage for SQLi practice
- HTML/CSS (terminal-style) β simple static frontend
- Microservices β including a hilariously vulnerable AI bot
π― Vulnerabilities You Can Explore
Hereβs what you (or your students/friends/team) can attack:
π JWT Token Tampering
Modify the local JWT and give yourself admin access:
localStorage.setItem("dvca_token", btoa(JSON.stringify({user: "hacker", role: "admin"})));
location.reload();
π SQL Injection
Simple GET endpoint with no input filtering:
/api/messages?user=' OR 1=1--
π€ Insecure Bot Commands
The bot microservice listens to @ai commands in plain text:
@ai help
@ai joke
@ai hack
π¬ XSS in Chat
Try this:
<script>alert(document.cookie)</script>
π Why I Built DVCA
I originally started because I wanted to learn about web sockets and build a chat app but later it spiraled into something bigger.
βThe best way to learn is by building β then breaking what you built.β β 404Yeti
So I made DVCA for:
- Learning how Go + WebSocket's behave under attack
- Wanted to create a chat app project
- Teaching junior devs or students about real-world risks
- Wanted to create a full stack project
π¦ Get the Code
GitHub: 404Yeti/dvca
Clone it, run it, and try to break it.
And if you add a new vuln, PRs are always welcome.
β οΈ Final Notes
DO NOT deploy this in production.
This is built to be insecure β thatβs the whole point. Use it locally or in a secure lab environment only.
Built with love, Go, and a desire to teach and hack.
404Yeti out. πΎ
