{"id":13739593,"url":"https://github.com/mpirnat/lets-be-bad-guys","last_synced_at":"2025-04-09T10:05:04.981Z","repository":{"id":6380023,"uuid":"7617599","full_name":"mpirnat/lets-be-bad-guys","owner":"mpirnat","description":"A deliberately-vulnerable website and exercises for teaching about the OWASP Top 10","archived":false,"fork":false,"pushed_at":"2024-07-18T22:38:06.000Z","size":638,"stargazers_count":186,"open_issues_count":1,"forks_count":345,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-04-02T09:04:39.500Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mpirnat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2013-01-15T03:08:06.000Z","updated_at":"2024-11-28T06:32:17.000Z","dependencies_parsed_at":"2024-01-25T05:49:49.618Z","dependency_job_id":null,"html_url":"https://github.com/mpirnat/lets-be-bad-guys","commit_stats":{"total_commits":99,"total_committers":5,"mean_commits":19.8,"dds":0.202020202020202,"last_synced_commit":"7cbf11014bfc6dc9e199dc0b8a64e4597bc2338f"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpirnat%2Flets-be-bad-guys","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpirnat%2Flets-be-bad-guys/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpirnat%2Flets-be-bad-guys/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpirnat%2Flets-be-bad-guys/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mpirnat","download_url":"https://codeload.github.com/mpirnat/lets-be-bad-guys/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248018060,"owners_count":21034048,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T04:00:35.598Z","updated_at":"2025-04-09T10:05:04.958Z","avatar_url":"https://github.com/mpirnat.png","language":"HTML","funding_links":[],"categories":["Hacking Playground"],"sub_categories":[],"readme":"# Shiny, Let's Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulnerabilities\n\nThe Internet is a dangerous place, filled with evildoers out to attack your code\nfor fun or profit, so it's not enough to just ship your awesome new web app--you\nhave to take the security of your application, your users, and your data\nseriously.  You'll get into the mindset of the bad guys as we discuss, exploit,\nand mitigate the most common web app security flaws in a controlled environment.\n\nWe'll discuss each kind of the most prevalent security flaws at the theoretical\nlevel, then using a specially-crafted, deliberately vulnerable Django app,\nindividuals or pairs will carry out exploits against these flaws, and we'll\nillustrate solutions to mitigate each kind of attack.\n\nThis repository contains a deliberately-vulnerable website and exercises for\nlearning about different kinds of attacks.\n\nWe'll be using the [OWASP Top 10][top10] as our topic roadmap, addressing\nsubjects such as:\n\n * Injection attacks\n * Cross-Site Scripting (XSS)\n * Cross-Site Request Forgery (CSRF)\n * Insecure Direct Object References\n * Insecure Cryptographic Storage\n * Failure to Restrict URL Access\n * Unvalidated Redirects and Forwards\n * Security Misconfiguration\n * Broken Authentication and Session Management\n * Insufficient Transport Layer Protection\n\n**Disclaimer:** Topics and techniques discussed in this tutorial should be used\nonly for “white hat” purposes of securing your own applications and systems from\nattackers.  Use of this information against other organizations without their\nconsent may be a criminal act.  Attendees agree that the presenters and\nconference staff are not responsible for what attendees choose to do with this\ninformation.\n\n\n## Getting Set Up\n\nYou should work through this section to **install and set up the demo\napplication prior to the start of the tutorial**.  Getting ready in advance\nwill help ensure a smoother and more efficient tutorial experience.\n\nThese instructions assume a UNIX-like environment (Mac OS X, Linux, etc.).\nWe'll call out differences for Windows folks as needed.\n\n\n### Things to Install\n\nFirst, make sure you have all of the following items installed.\n\n#### Git\n\nYou’ll need Git to check out the code repository that we’ll be working with. You\ncan download it from [http://git-scm.com](http://git-scm.com \"Git\").\n\n\n#### Python\n\nAll of our examples were developed and tested against Python 2.7 and 3.4.\nIf you don’t have Python, you can download it from\n[http://www.python.org/download/](http://www.python.org/download/ \"Python\").\n\nWe recommend either Python 3.4 (or later) or Python 2.7.\n\n\n#### Pip\n\nIt’s nicer than easy_install, especially for installing project requirements.\n\nYou get pip for free with Python 3.4! (And also with newer versions too.)\n\nIf you're using Python 2.7 and don't already have Pip, [follow the instructions\nhere](https://pip.pypa.io/en/stable/installing/), or take a shortcut and run:\n\n    $ curl -O https://raw.github.com/pypa/pip/master/contrib/get-pip.py\n    $ sudo python get-pip.py\n\n\n#### Virtualenv\n\nVirtualenv will keep our code and its dependencies isolated from the rest of\nyour system.\n\nYou get virtualenv for free with Python 3.4!\n\nIf you're using Python 2.7 and don’t already have virtualenv\ninstalled, you can get it by running:\n\n    $ sudo pip install virtualenv\n\n### Setting Your Path (Windows)\n\n**If you're on Windows**,\nyou may need to update your PATH\nso that Windows can find your python.exe.\nThis varies a bit between\n[different versions of Windows][windows-path]\nso use the method that's right for your OS.\n\nIf you installed Python 3.4, add:\n\n    C:\\Python34\\;C:\\Python34\\Scripts\\;C:\\Python34\\Tools\\Scripts\n\nFor Python 3.5, add:\n\n    C:\\Python35\\;C:\\Python35\\Scripts\\;C:\\Python35\\Tools\\Scripts\n\nIf you installed Python 2.7, add:\n\n    C:\\Python27\\;C:\\Python27\\Scripts\\\n\n\n### Getting the Demo Application\n\n#### Installation: Mac \u0026 Linux\n\nIf you're using Python 3.4 (or later), create the virtual environment with:\n\n    $ pyvenv badguys\n\nIf you're using Python 2.7, create the virtual environment with:\n\n    $ virtualenv badguys\n\nActivate the virtual environment; this puts you into the “sandbox” where you\nwon’t interfere with other Python apps or your main system Python:\n\n    $ cd badguys\n    $ source ./bin/activate\n\nClone a copy of the application repository:\n\n    $ git clone https://github.com/mpirnat/lets-be-bad-guys.git src\n\nInstall the application’s dependencies:\n\n    $ cd src\n    $ pip install -r requirements.txt\n\n\n#### Installation: Windows\n\nIf you're using Python 3.4, create the virtual environment with:\n\n    \u003e pyvenv.py badguys\n\nIf you're using Python 2.7, create the virtual environment with:\n\n    \u003e virtualenv badguys\n\nActivate the virtual environment; this puts you into the “sandbox” where you\nwon’t interfere with other Python apps or your main system Python:\n\n    \u003e cd badguys\n    \u003e Scripts/activate.bat\n\nClone a copy of the application repository:\n\n    $ git clone https://github.com/mpirnat/lets-be-bad-guys.git src\n\nInstall the application’s dependencies:\n\n    \u003e cd src\n    \u003e pip.exe install -r requirements.txt\n\n\n#### Start the Application\n\nSince this application contains some real, live vulnerabilities, you may want to\nturn off your wi-fi or network connection at this point to protect yourself from\npotential malicious activity.  (This isn't a problem if you're only listening on\n127.0.0.1--our default--but is for real if you tend to listen on 0.0.0.0!)\n\nStart up the vulnerable application:\n\n    $ python manage.py runserver\n\n**For advanced users who are setting this up inside a Docker container\n--and *only* if you are doing something like that (see security warning above)**\n--you *will* have to make it listen on 0.0.0.0:\n\n    # Totally DON'T do this unless you are using Docker...\n    $ python manage.py runserver 0.0.0.0:8000\n\nYou should now be able to open up a web browser and visit:\n\n[http://localhost:8000/](http://localhost:8000/ \"the demo app\")\n\n\n## Resources\n\nYou may find these resources to be valuable during and after the tutorial.\n\n#### Tutorial Website\n\nCode, setup instructions, and links to the slides and documentation are\navailable from:\n\n[https://github.com/mpirnat/lets-be-bad-guys](https://github.com/mpirnat/lets-be-bad-guys\n\"\")\n\n#### The OWASP Top 10 List\n\nWe’ve included the latest Top 10 list at the time of the tutorial in the\nhandout; however it may change or be revised.  There’s also a lot of additional\ninformation, as well as previous versions of the Top 10 list available.\n\n[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project\n\"OWASP Top 10\")\n\n#### URL Encoder/Decoder\n\nA number of the exercises may require escaping values for inclusion in the query\nstring of a URL.  A convenient shortcut is available:\n\n[http://meyerweb.com/eric/tools/dencoder/](http://meyerweb.com/eric/tools/dencoder/\n\"URL Encoder/Decoder\")\n\nOr as an alternative, you can always:\n\n    $ python\n    \u003e\u003e\u003e import urllib\n    \u003e\u003e\u003e urllib.quote(\"...\")\n\n#### Slides\n\nSlides for various presentations of this material are available online for your\nfuture reference:\n\n\n* [The CodeMash 2017 slides][slides7] (once more in glorious widescreen)\n* [The PyCon 2016 slides][slides6] (in retro 4x3)\n* [The OSCON 2016 slides][slides5] (now in glorious widescreen)\n* [The PyCon 2015 slides][slides4]\n* [The PyCon 2014 slides][slides3]\n* [The PyOhio 2013 slides][slides2]\n* [The PyCon 2013 slides][slides1]\n\n\n[top10]: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project\n[slides1]: http://www.slideshare.net/mpirnat/lets-be-bad-guys\n[slides2]: https://speakerdeck.com/mpirnat/shiny-lets-be-bad-guys-exploiting-and-mitigating-the-top-10-web-app-vulnerabilities\n[slides3]: https://speakerdeck.com/mpirnat/shiny-lets-be-bad-guys-exploiting-and-mitigating-the-top-10-web-app-vulnerabilities-2014-edition\n[slides4]: https://speakerdeck.com/mpirnat/shiny-lets-be-bad-guys-exploiting-and-mitigating-the-top-10-web-app-vulnerabilities-2015-edition\n[slides5]: https://speakerdeck.com/mpirnat/shiny-lets-be-bad-guys-exploiting-and-mitigating-the-top-10-web-app-vulnerabilities-oscon-2016-edition\n[slides6]: https://speakerdeck.com/mpirnat/shiny-lets-be-bad-guys-exploiting-and-mitigating-the-top-10-web-app-vulnerabilities-pycon-2016-edition\n[slides7]: https://speakerdeck.com/mpirnat/shiny-lets-be-bad-guys-exploiting-and-mitigating-the-top-10-web-app-vulnerabilities-codemash-2017-edition\n[windows-path]: http://www.java.com/en/download/help/path.xml\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpirnat%2Flets-be-bad-guys","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmpirnat%2Flets-be-bad-guys","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpirnat%2Flets-be-bad-guys/lists"}