
lokori / flask-vuln

Licence: MIT license
Pretty vulnerable flask app.

Programming Languages: HTML, Python, Shell, Dockerfile

Projects that are alternatives of or similar to flask-vuln

Reconftw
reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
Stars: ✭ 974 (+4134.78%)
Mutual labels:  xss, vulnerabilities
Wssat
WEB SERVICE SECURITY ASSESSMENT TOOL
Stars: ✭ 360 (+1465.22%)
Mutual labels:  xss, vulnerabilities
vulnerabilities
List of every possible vulnerability in computer security.
Stars: ✭ 14 (-39.13%)
Mutual labels:  xss, vulnerabilities
diwa
A Deliberately Insecure Web Application
Stars: ✭ 32 (+39.13%)
Mutual labels:  practice, xss
cd
CloudDefense.ai is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross-site scripting and other exploitable vulnerabilities.
Stars: ✭ 33 (+43.48%)
Mutual labels:  xss
cve-2016-1764
Extraction of iMessage Data via XSS
Stars: ✭ 52 (+126.09%)
Mutual labels:  xss
Python
All Algorithms implemented in Python
Stars: ✭ 125,688 (+546369.57%)
Mutual labels:  practice
Javascript Total
A collection of practical questions, problems of varying difficulty, snippets (utilities), design patterns, and useful links on JavaScript
Stars: ✭ 214 (+830.43%)
Mutual labels:  practice
serverless-snyk
Serverless plugin for securing your dependencies with Snyk
Stars: ✭ 40 (+73.91%)
Mutual labels:  vulnerabilities
java-modern-tech-practice
😎 Java™ modern tech practice sandbox ⏳
Stars: ✭ 43 (+86.96%)
Mutual labels:  practice
inthewilddb
Hourly updated database of exploit and exploitation reports
Stars: ✭ 127 (+452.17%)
Mutual labels:  vulnerabilities
yavdb
Yet Another Vulnerability Database
Stars: ✭ 14 (-39.13%)
Mutual labels:  vulnerabilities
ARGoal
Get more goals. | Virtual Goals & Goal Distance | App Doctor Hu
Stars: ✭ 14 (-39.13%)
Mutual labels:  practice
RenameThemSubs
Rename multiple subtitles files to match video file names for automatic loading with just one click
Stars: ✭ 40 (+73.91%)
Mutual labels:  flask-application
html-contextual-autoescaper-java
Prevents XSS by figuring out how to escape untrusted values in templates
Stars: ✭ 15 (-34.78%)
Mutual labels:  xss
Pytudes
Python programs, usually short, of considerable difficulty, to perfect particular skills.
Stars: ✭ 17,219 (+74765.22%)
Mutual labels:  practice
HenCoderPractice-Kotlin
HenCoder practice project - Kotlin version
Stars: ✭ 26 (+13.04%)
Mutual labels:  practice
snyk-maven-plugin
Test and monitor your projects for vulnerabilities with Maven. This plugin is officially maintained by Snyk.
Stars: ✭ 64 (+178.26%)
Mutual labels:  vulnerabilities
cwe-tool
A command line CWE discovery tool based on OWASP / CAPSEC database of Common Weakness Enumeration.
Stars: ✭ 40 (+73.91%)
Mutual labels:  vulnerabilities
FUTURE
A private, free, open-source search engine built on a P2P network
Stars: ✭ 19 (-17.39%)
Mutual labels:  flask-application

Vulnerable app

One more target for security practice. Nothing fancy here.

Should you use it, please take note: DO NOT RUN THIS ON YOUR OWN LAPTOP FOR OTHER PEOPLE AS A TARGET. RUNNING THIS APPLICATION WILL BE A SECURITY RISK SHOULD YOU DO IT.

Run

  1. Install Python + Flask (pip install flask)
  2. export FLASK_APP=flask-vuln.py
  3. flask run

Or use run.sh.

Or use run_docker.sh (which builds the image and starts a container). Remember to stop and remove the container after you're done.

Enjoy the puzzles at http://localhost:5000

Running properly for other people

If you run this for other people, somewhere, you should add --host=0.0.0.0 to the flask run command parameters so it listens on all IP addresses. Please understand that doing so puts the machine where you run this application at risk, and take appropriate measures.

"Professional" setting

Flask's built-in development server is single-threaded, which means it hangs and sucks in a workshop setting. As a remedy, do something like this:

  1. Set up an Ubuntu server on EC2, with proper firewalls etc.
  2. Configure the host IP for Ansible
  3. ansible-playbook playbook.yml -i hosts
  4. run-gunicorn.sh

This runs it through Gunicorn, which is a better implementation of a multi-threaded web server.

About vulnerability scanners

People should try to solve and figure this out manually. Running OWASP ZAP will immediately reveal most of the vulnerabilities in this application (as you can expect, given that this is intentionally a soft target for practice), taking all the learning out of the experience.

License

See LICENSE
