{"id":28410793,"url":"https://github.com/koinsaari/owasp-demo","last_synced_at":"2026-05-19T04:10:52.983Z","repository":{"id":241783588,"uuid":"807120189","full_name":"koinsaari/owasp-demo","owner":"koinsaari","description":"Django web application with common security vulnerabilities from the OWASP Top Ten list and their fixes.","archived":false,"fork":false,"pushed_at":"2025-04-27T15:00:22.000Z","size":55,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-25T07:53:16.511Z","etag":null,"topics":["django","owasp","owasp-top-10","security","web"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/koinsaari.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-28T14:17:08.000Z","updated_at":"2025-07-09T07:39:45.000Z","dependencies_parsed_at":"2024-05-30T03:44:34.768Z","dependency_job_id":"585480dc-90ec-4662-9660-c330aa1c4222","html_url":"https://github.com/koinsaari/owasp-demo","commit_stats":null,"previous_names":["aarokoinsaari/django-owasp-demo","koinsaari/django-owasp-demo","koinsaari/owasp-demo"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/koinsaari/owasp-demo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koinsaari%2Fowasp-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koinsaari%2Fowasp-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koinsaari%2Fowasp-demo/release
s","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koinsaari%2Fowasp-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/koinsaari","download_url":"https://codeload.github.com/koinsaari/owasp-demo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koinsaari%2Fowasp-demo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33201543,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"online","status_checked_at":"2026-05-19T02:00:06.763Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["django","owasp","owasp-top-10","security","web"],"created_at":"2025-06-02T12:38:20.023Z","updated_at":"2026-05-19T04:10:52.974Z","avatar_url":"https://github.com/koinsaari.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OWASP Demo\n\nThis is a Django-based web application that is designed to be deliberately vulnerable to introduce some of the top ten vulnerabilities from the OWASP Top Ten 2021 list. The purpose of this project is to demonstrate both vulnerabilities and their fixes within a controlled environment.\n\nThe vulnerable version of the app is in the `main` branch, and the secure version is on the `secure-version` branch. Please see them both for comparison. 
In the `main` branch, the specific vulnerabilities, and where they are located on the backend code, have been commented so you can easily find where exactly the flaw is. The flaws you can find in this project are the following:\n\n- A01:2021-Broken Access Control\n- A02:2021-Cryptographic Failures\n- A03:2021-Injection\n- A05:2021-Security Misconfiguration\n- A07:2021-Identification and Authentication Failures\n- A09:2021-Security Logging and Monitoring Failures\n\n## Installation Instructions\n\nTo get this project up and running on your local machine for development and testing purposes, follow these steps:\n\n### Prerequisites\n\nMake sure you have Python and Django installed. If you need to install these, please refer to the [official Python installation page](https://www.python.org/downloads/) and [Django installation guide](https://docs.djangoproject.com/en/stable/intro/install/).\n\n### Setup\n\n1. **Clone the Repository**\n\n   ```bash\n   git clone https://github.com/koinsaari/owasp-demo.git\n   cd owasp-demo\n   ```\n\n2. **Set Up Virtual Environment** (Recommended)\n\n   Create and activate a virtual environment to manage dependencies:\n\n   ```bash\n   python3 -m venv venv\n   source venv/bin/activate\n   ```\n\n   If you choose not to use a virtual environment, the dependencies will be installed globally.\n\n3. **Install Dependencies**\n\n   Install the required Python packages:\n\n   ```bash\n   pip install -r requirements.txt\n   ```\n\n4. **Initialize the Database**\n\n   Set up the database by running migrations:\n\n   ```bash\n   cd src/owasp_demo\n   python manage.py makemigrations\n   python manage.py migrate\n   ```\n\n5. **Run the Server**\n\n   Start the Django development server:\n\n   ```bash\n   python manage.py runserver\n   ```\n\n   Now you can visit `http://127.0.0.1:8000/` in your browser to view the application.\n\n6. 
**Switch Between the Branches**\n\n   You can switch between the vulnerable and fixed versions of the project by simply switching branches:\n\n   ```bash\n   git checkout secure-version\n   ```\n\n   or back to the vulnerable version:\n\n   ```bash\n   git checkout main\n   ```\n\n## Testing\n\nTo confirm that the vulnerabilities are present in the `main` branch (or, on the `secure-version` branch, that they are absent), run the test suite:\n\n```bash\ncd src/owasp_demo\npython manage.py test\n```\n\n## Application Usage\n\nThe application is just a simple user management system where you can create a profile, edit your personal information, and view other users' information if their profiles are public.\n\n### Registration and Login\n\n1. **Registration**: Navigate to the registration page and create a new user account by providing a username, password, email, and phone number. Note that in the vulnerable version, passwords are stored in plain text and weak passwords are permitted.\n\n2. **Login**: Use the login page to authenticate with your username and password. Successful login redirects you to your profile page. In the vulnerable version, informative error messages reveal whether the username or password was incorrect.\n\n### User Profile\n\nAfter logging in, you can view and update your profile information, including email, phone number, bio, and the visibility of your profile (public/private).\n\n### User Search\n\nUse the search functionality to look up other users by username if they have set their profile public. In the vulnerable version, this feature is susceptible to SQL injection attacks.\n\n### Viewing Other User Profiles\n\nYou can view the profile information of other users by clicking on their usernames in the search results. 
In the vulnerable version, there are no access control checks, allowing users to access any profile directly.\n\n### Logging and Error Handling\n\nThe vulnerable application has minimal logging for registration and login activities, and detailed stack traces are displayed to the user in case of errors.\n\n## License\n\nThis project is licensed under the MIT License. See the [LICENSE](./LICENSE) file for details.\n\n## Contact\n\nFor any inquiries, feel free to contact me via email at [aaro.koinsaari@protonmail.ch](mailto:aaro.koinsaari@protonmail.ch) or connect on LinkedIn: [aarokoinsaari](https://www.linkedin.com/in/AaroKoinsaari).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoinsaari%2Fowasp-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkoinsaari%2Fowasp-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoinsaari%2Fowasp-demo/lists"}