There are a couple that come to mind.

Definitely the worst, a C# .net mvc application with multiple controllers that were 10s of thousands of lines long. I ran sonarqube on this at one point and it reported over 70% code duplication.

This code base actively ignored features in the framework that would have made things easier and instead opted to do things in ways that were both worse, and harder to do. For example, all SQL queries were done using antiquated methods that, as an added benefit, also made them all injectable.

Reading the code itself was like looking at old school PHP, but c#. I know that statement probably doesn’t make sense, but neither did the code.

Lastly, there was no auth on any of the endpoints. None. There was a login, but you could supply whatever data you wanted on any call and the system would just accept it.

At the time I was running an internal penetration test team and this app was from a recent acquisition. After two weeks I had to tell my team to stop testing so we could just write up what we had already and schedule another test a couple months down the line.

I once saw an application that would encrypt (not hash, encrypt) passwords but then when a user was logging in, they’d encrypt the password candidate and then compare the cipher texts to see if they were the same. This was using 3des, so no IV.