{"id":24678641,"url":"https://github.com/contrast-security-oss/vulnpy","last_synced_at":"2025-10-08T11:31:16.268Z","repository":{"id":37843824,"uuid":"273034267","full_name":"Contrast-Security-OSS/vulnpy","owner":"Contrast-Security-OSS","description":"Purposely-vulnerable Python functions","archived":false,"fork":false,"pushed_at":"2025-01-03T18:36:33.000Z","size":208,"stargazers_count":17,"open_issues_count":0,"forks_count":42,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-01-19T21:38:03.832Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Contrast-Security-OSS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-06-17T17:08:51.000Z","updated_at":"2025-01-03T18:36:36.000Z","dependencies_parsed_at":"2024-02-07T22:29:00.876Z","dependency_job_id":"b21de2c2-53e7-4c19-a57c-849dcc78b0b8","html_url":"https://github.com/Contrast-Security-OSS/vulnpy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fvulnpy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fvulnpy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fvulnpy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fvulnpy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/Contrast-Security-OSS","download_url":"https://codeload.github.com/Contrast-Security-OSS/vulnpy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235706306,"owners_count":19032607,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-26T13:17:48.610Z","updated_at":"2025-10-08T11:31:10.978Z","avatar_url":"https://github.com/Contrast-Security-OSS.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VulnPy\n\nA library of purposely-vulnerable Python functions. These serve as a foundation for creating\ninsecure web applications, to be used for security testing and demonstration.\n\n**WARNING: Do not use this library in a production environment!**\n\n## Installation\n\nVulnPy contains both standalone functions and plug-and-play API extensions to various popular\nPython web frameworks. 
To use vulnpy with your web framework, install this package with the appropriate extra dependencies,\nas detailed below.\n\n### Flask\n\nInstall vulnpy with flask extensions:\n\n```\npip install 'git+https://github.com/Contrast-Security-OSS/vulnpy#egg=vulnpy[flask]'\n```\n\nWhen setting up your application, register the vulnerable blueprint with your `Flask` application\nobject:\n\n```py\nfrom flask import Flask\nfrom vulnpy.flask import vulnerable_blueprint\n\napp = Flask(__name__)\napp.register_blueprint(vulnerable_blueprint)\n```\n\n### Django\n\nInstall vulnpy with django extensions:\n\n```\npip install 'git+https://github.com/Contrast-Security-OSS/vulnpy#egg=vulnpy[django]'\n```\n\nAdd vulnpy's routes to your `urlpatterns` sequence (in the module specified by the `ROOT_URLCONF`\nsetting). For example:\n\n```py\nfrom django.urls import path\nfrom vulnpy.django import vulnerable_urlpatterns\n\nfrom . import views\n\nurlpatterns = [\n    path('example/', views.example),\n    # ... etc\n] + vulnerable_urlpatterns\n```\n\n`vulnpy.django.vulnerable_urlpatterns` is a list of paths.\n\n\n### Pyramid\n\nInstall vulnpy with pyramid extensions:\n\n```\npip install 'git+https://github.com/Contrast-Security-OSS/vulnpy#egg=vulnpy[pyramid]'\n```\n\nDuring application configuration, include vulnpy's vulnerable routes:\n\n```py\nfrom pyramid.config import Configurator\n\nconfig = Configurator()\nconfig.include(\"vulnpy.pyramid.vulnerable_routes\")\n```\n\n### Falcon\n\nInstall vulnpy with falcon extensions:\n\n```\npip install 'git+https://github.com/Contrast-Security-OSS/vulnpy#egg=vulnpy[falcon]'\n```\n\nUse the `add_vulnerable_routes` function to register vulnpy's routes with your `falcon.API`\napplication object (Falcon 3 names the class `falcon.App` and keeps `falcon.API` as a deprecated alias):\n\n```py\nimport falcon\nimport vulnpy.falcon\n\napp = falcon.API()\nvulnpy.falcon.add_vulnerable_routes(app)\n```\n\n### WSGI\n\nInstall vulnpy with wsgi extensions:\n\n```\npip install 'git+https://github.com/Contrast-Security-OSS/vulnpy#egg=vulnpy[wsgi]'\n```\n\n`vulnpy.wsgi.vulnerable_app` is a vulnerable WSGI application. 
This versatile component\ncan be used with a variety of frameworks. For example, the Paste library (used by Pylons) provides a\n`Cascade` class, which tries WSGI applications in order and serves the first one that does not return 404.\n\n### Bottle\n\nInstall vulnpy with bottle extensions:\n\n```\npip install 'git+https://github.com/Contrast-Security-OSS/vulnpy#egg=vulnpy[bottle]'\n```\n\nUse the `add_vulnerable_routes` function to register vulnpy's routes with your `bottle`\napplication:\n\n```py\nfrom bottle import Bottle\nfrom vulnpy.bottle import add_vulnerable_routes\n\napp = Bottle()\nadd_vulnerable_routes(app)\n```\n\n### FastAPI\n\nInstall vulnpy with fastapi extensions:\n\n```\npip install 'git+https://github.com/Contrast-Security-OSS/vulnpy#egg=vulnpy[fastapi]'\n```\n\nUse the application's `include_router` method to register vulnpy's router with your `fastapi`\napplication:\n\n```py\nfrom fastapi import FastAPI\nfrom vulnpy.fastapi import vulnerable_routes\n\napp = FastAPI()\napp.include_router(vulnerable_routes)\n```\n\n### Sample Servers\n\n`vulnpy` is intended to extend the functionality of an existing web application. 
However, for\nconvenience, we provide tiny webapps for each supported framework with `vulnpy` attached.\n\n#### Running Directly\n\nTo serve a webapp on your local machine,\n- check out the source repo and `cd` into it\n- ensure that vulnpy is installed in your current virtual environment with the appropriate extensions (see above)\n- run:\n\n```sh\nmake (your_framework)\n```\n\nFor example, `pip install -e \".[flask]\" \u0026\u0026 make flask` launches a simple flask webapp with vulnpy\nendpoints.\n\nTo run with Contrast, install the agent (`pip install -U contrast-agent`) and set\n`VULNPY_USE_CONTRAST=true` before running your desired `make` command.\n\n#### Running Different Servers\n\nWhile some frameworks come with their own servers, you can use the uWSGI or \ngunicorn servers as well.\n\n`pip install -e \".[flask,uwsgi-max]\" \u0026\u0026 make flask-uwsgi`\nlaunches the flask app with the maximum supported uWSGI version.\n\n`pip install -e \".[falcon,gunicorn-min]\" \u0026\u0026 make falcon-gunicorn`\nlaunches the falcon app with the minimum supported gunicorn version.\n\n#### Running with Contrast in Docker\n\n`vulnpy` provides a Dockerfile that is also preconfigured to enable Contrast Security's\ninstrumentation. To run a `vulnpy` web server with Contrast enabled using Docker:\n\n1. Copy a `contrast_security.yaml` configuration file into the `vulnpy` root directory\n2. Build the image with `docker build -t vulnpy .` from the `vulnpy` root\n3. Run the container with `docker run --rm -it -p \u003cport\u003e:\u003cport\u003e -e PORT=\u003cport\u003e vulnpy`\n\t* Select a value for `\u003cport\u003e` to expose this port on your host machine\n\t* Optionally specify your framework with `-e FRAMEWORK=\u003csome_framework\u003e`\n\t* Framework options include django, falcon, flask, pyramid, and wsgi (default)\n4. 
The webserver is now running on your selected port on the host machine\n\n### Note on SSRF\n\nBy default, SSRF requests (requests made by the webserver to a third party) are mocked out, meaning\nvulnpy will not send real requests when invoking SSRF endpoints. To disable this behavior and\nenable vulnpy to send real network requests, set the `VULNPY_REAL_SSRF_REQUESTS` environment variable\nto any nonzero value. The default avoids accidentally overwhelming a third-party server when testing.\n\nVulnpy's sample web applications make use of this option.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fvulnpy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontrast-security-oss%2Fvulnpy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fvulnpy/lists"}
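The README's WSGI section and its note on SSRF describe two mechanisms without showing them run: chaining a host application with `vulnpy.wsgi.vulnerable_app` Cascade-style, and the `VULNPY_REAL_SSRF_REQUESTS` switch that keeps the SSRF endpoints from touching the network. The following is an added example, not vulnpy's own code: a stdlib-only host app composed with a constructed stand-in for the vulnerable WSGI app through a minimal Cascade-style dispatcher (a re-implementation of the idea, not the Paste class), whose SSRF endpoint only fetches a real URL when the environment variable holds a nonzero value. The `/vulnpy/ssrf` path, the `MOCKED SSRF:` body, the `build_app` and `call` helpers, and the exact parsing of the variable's value are assumptions for illustration.

```python
# Added example (not vulnpy's code): Cascade-style composition of a host WSGI
# app with a stand-in vulnerable app, plus the env-var gate for real SSRF calls.
import os
import urllib.request
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults


def ssrf_requests_enabled(env=None):
    """Real outbound requests only when VULNPY_REAL_SSRF_REQUESTS is nonzero.
    Assumption: vulnpy's own parsing of the value may differ from this."""
    if env is None:
        env = os.environ
    return env.get("VULNPY_REAL_SSRF_REQUESTS", "0").strip() not in ("", "0")


def fetch(url, real_requests):
    """Deliberately unvalidated server-side fetch (the SSRF sink).
    When mocked, return a canned body instead of touching the network."""
    if real_requests:
        with urllib.request.urlopen(url, timeout=5) as resp:  # intentional SSRF
            return resp.read()
    return b"MOCKED SSRF: " + url.encode()


def make_vulnerable_app(real_requests=None):
    """Constructed stand-in for vulnpy.wsgi.vulnerable_app: one SSRF endpoint
    that fetches whatever ?url= says, 404 for everything else."""
    if real_requests is None:
        real_requests = ssrf_requests_enabled()

    def app(environ, start_response):
        if environ.get("PATH_INFO") == "/vulnpy/ssrf":
            url = parse_qs(environ.get("QUERY_STRING", "")).get("url", [""])[0]
            body = fetch(url, real_requests)
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [body]
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]

    return app


def host_app(environ, start_response):
    """The pre-existing application that vulnpy is meant to be attached to."""
    if environ.get("PATH_INFO") == "/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"host app"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def cascade(*apps):
    """Try each app in order; serve the first response that is not a 404.
    Same idea as paste.cascade.Cascade, re-implemented here in a few lines."""
    def app(environ, start_response):
        for candidate in apps[:-1]:
            captured = {}

            def _start(status, headers, exc_info=None, _c=captured):
                _c["status"], _c["headers"] = status, headers
                return lambda data: None

            body = candidate(environ, _start)
            status = captured.get("status", "")
            if status and not status.startswith("404"):
                start_response(status, captured["headers"])
                return body
            if hasattr(body, "close"):
                body.close()
        return apps[-1](environ, start_response)

    return app


def build_app(real_requests=None):
    """Host app first, vulnerable app as the fallback, like a Cascade chain."""
    return cascade(host_app, make_vulnerable_app(real_requests))


def call(app, path, query=""):
    """Drive a WSGI app in-process and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return result["status"], body


if __name__ == "__main__":
    app = build_app()  # honours VULNPY_REAL_SSRF_REQUESTS from the environment
    print(call(app, "/"))
    print(call(app, "/vulnpy/ssrf", "url=http://169.254.169.254/latest/meta-data/"))
    print(call(app, "/missing"))
```

Run it as-is and the metadata-service URL (a classic SSRF target) comes back as a canned body; export `VULNPY_REAL_SSRF_REQUESTS=1` and the same request is sent for real, which is exactly why the README keeps the default mocked.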