https://github.com/blakley/secureweb
A project dedicated to showcasing web-app security attacks and the corresponding measures to safeguard against those attacks
- Host: GitHub
- URL: https://github.com/blakley/secureweb
- Owner: Blakley
- Created: 2023-09-11T18:22:01.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-05-21T10:43:45.000Z (over 1 year ago)
- Last Synced: 2025-02-01T04:27:31.891Z (8 months ago)
- Topics: django-framework, owasp-top-10, password-security, sqllite3
- Language: Python
- Homepage:
- Size: 11.3 MB
- Stars: 0
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# SecureWeb
A project built using the `Django` framework. It features a demo in which users attack several login forms in order to understand the security measure behind each one. Beyond that, the goal of the project is to encourage developers to follow industry standards when designing applications with user authentication.

## Login Forms :
Below is an overview of the basic security behind each login form.

### [Form 1]
- No security. This login form is meant to be completely vulnerable to password spraying attacks: one or a few common passwords tried against every known account, with nothing in place to slow the attacker down.
### [Form 2]
- The approach used against form 1 will not work here: this form rate limits client requests. If a client's requests exceed a certain threshold within a minute, that client can no longer send requests to this login form. Because the limit is tied to the requesting client, it can be bypassed by rotating through proxies (or any pool of source addresses) so that no single address reaches the threshold.
### [Form 3]
- Basic captchas were introduced in this login form. Once you make a login attempt, you must solve a captcha before you get the login success status.
Given how the captchas in this form are generated, one could write a script that generates and submits them automatically; a captcha whose answer a script can derive adds little real cost for an attacker.

### [Form 4]
- This login form locks out an account after `x` failed tries rather than blocking clients. Because the lock is keyed on the account and not on the attacker, rotating proxies do not help here. But where this is the only security measure, an attacker might purposely lock out as many accounts as possible, turning the defence into a denial of service against legitimate users.
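The contrast between Form 2 and Form 4 is easiest to see in code. The following is an added example written for this page, not code from the SecureWeb project: a small in-memory login guard that can be configured as Form 1 (no defence), Form 2 (per-client rate limit) or Form 4 (per-account lockout), together with a spraying routine that rotates source addresses the way `proxies.py` does. The thresholds (5 requests per minute, lock for 5 minutes after 3 failures), the demo accounts, the IP addresses and the `LoginGuard`, `spray`, `lock_everyone` and `demo` names are all assumptions made for the demo; the README does not state the forms' real values.

```python
"""Form 2 (per-client rate limit) next to Form 4 (per-account lockout).
Added example written for this page, not code from the SecureWeb project.
Thresholds, window, lock duration, accounts and addresses are demo assumptions."""
import hashlib
import hmac
from collections import Counter, defaultdict, deque


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed demo accounts (username -> (salt, hash)); bob reuses a common password.
_SALT = b"demo-salt-not-for-production"
USERS = {u: (_SALT, _hash(p, _SALT)) for u, p in {
    "alice": "correct-horse-battery", "bob": "Welcome1",
    "carol": "Tr0ub4dor&3", "dave": "7Gq!vP2#xL",
}.items()}


class LoginGuard:
    """per_ip_limit=None and lock_after=None together model Form 1 (no defence)."""

    def __init__(self, per_ip_limit=None, lock_after=None, window=60, lock_seconds=300):
        self.per_ip_limit, self.lock_after = per_ip_limit, lock_after
        self.window, self.lock_seconds = window, lock_seconds
        self.ip_hits = defaultdict(deque)    # ip -> timestamps of its requests
        self.failures = defaultdict(deque)   # username -> timestamps of failed guesses
        self.locked_until = {}               # username -> time the lock expires

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] >= window:    # drop entries older than the window
            q.popleft()

    def attempt(self, ip, username, password, now):
        """Return 'rate_limited', 'locked', 'failure' or 'success'."""
        if self.per_ip_limit is not None:    # Form 2: count every request per client
            hits = self.ip_hits[ip]
            self._prune(hits, now, self.window)
            if len(hits) >= self.per_ip_limit:
                return "rate_limited"
            hits.append(now)
        if username in self.locked_until:    # Form 4: the lock is temporary, not permanent
            if now < self.locked_until[username]:
                return "locked"
            del self.locked_until[username]
            self.failures[username].clear()
        # Hash even for unknown usernames so response time does not reveal valid accounts.
        salt, expected = USERS.get(username, (_SALT, b""))
        if hmac.compare_digest(_hash(password, salt), expected):
            self.failures[username].clear()
            return "success"
        if self.lock_after is not None:
            fails = self.failures[username]
            self._prune(fails, now, self.window)
            fails.append(now)
            if len(fails) >= self.lock_after:
                self.locked_until[username] = now + self.lock_seconds
                return "locked"
        return "failure"


def spray(guard, usernames, passwords, ips, start=0):
    """Classic spraying: one password against every account before the next password.
    Source addresses rotate round-robin, as proxies.py does. One guess per second."""
    outcomes, found, t = Counter(), [], start
    for pw in passwords:
        for user in usernames:
            result = guard.attempt(ips[t % len(ips)], user, pw, t)
            outcomes[result] += 1
            if result == "success":
                found.append((user, pw))
            t += 1
    return outcomes, found


def lock_everyone(guard, usernames, ip="203.0.113.9", start=0):
    """Form 4 abuse: burn the lockout threshold on every account on purpose."""
    t = start
    for user in usernames:
        for _ in range(guard.lock_after):
            guard.attempt(ip, user, "definitely-wrong", t)
            t += 1
    return t


def demo():
    users = list(USERS)
    sprayed = ["Password1", "Welcome1", "Summer2024"]
    one_ip = ["198.51.100.7"]
    many_ips = [f"10.0.0.{i}" for i in range(1, 13)]          # twelve rotating addresses
    g4 = LoginGuard(lock_after=3)
    t = lock_everyone(g4, users)
    return {
        "form1": spray(LoginGuard(), users, sprayed, one_ip),
        "form2_single_ip": spray(LoginGuard(per_ip_limit=5), users, sprayed, one_ip),
        "form2_rotating": spray(LoginGuard(per_ip_limit=5), users, sprayed, many_ips),
        "form4_victim": g4.attempt("192.0.2.44", "bob", "Welcome1", t),
        "form4_after_expiry": g4.attempt("192.0.2.44", "bob", "Welcome1", t + g4.lock_seconds),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` reproduces the three situations the README describes: against Form 1 the spray finds bob's reused password; against Form 2 the same spray from one address is cut off after five requests (the sixth request, the one that would have succeeded, is the first to be rate limited), while the same twelve guesses spread over twelve addresses go through untouched; against Form 4, three wrong guesses per account lock everyone out, including bob when he later presents the correct password, until the lock expires. A real deployment combines both counters, backed by a shared store rather than process memory, so that neither proxy rotation nor deliberate lockouts defeats the protection on its own.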
## Utility scripts :
I have provided several `python` scripts that you can try out against each login form. Otherwise, use any tool such as [Burp Suite](https://portswigger.net/burp) or [John the Ripper](https://github.com/openwall/john) (note that John the Ripper cracks password hashes offline; for online guessing against the forms themselves, Burp Suite's Intruder or a comparable tool is the better fit).

1. `attack.py` : A script that attempts to bypass the security measures in place for each login form.
2. `monitor.py` : A script that continually monitors updates to the `login.log` file, which records the login attempts made against each login form.
3. `proxies.py` : A script that creates 1500 [Private IP Addresses](https://whatismyipaddress.com/private-ip#private-ip) which are then used to mimic [rotating proxies](https://nordvpn.com/cybersecurity/glossary/rotating-proxy/#:~:text=A%20rotating%20proxy%20is%20a,to%20track%20or%20block%20users.) in order to bypass rate limiting and IP blocking. Note, this only works on Linux.

## Dependencies :
Execute the following command to install the necessary modules. Note that `requirements.txt` is located in the `src` directory.
```
pip install -r requirements.txt
```

## Deployment :
To start the web server, run the command:
```shell
python manage.py runserver
```
and then navigate to the [SecureWeb URL](http://localhost:8000/secureweb/)
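`monitor.py` tails `login.log`, but the README does not say what to look for in it. The following is an added example, not the project's `monitor.py`: it parses a constructed log format (the real `login.log` format is not documented here, so `LINE_RE` and the `SAMPLE_LOG` lines are assumptions standing in for it) and runs three detections over the lines: a single address spraying many accounts (the Form 1 attack), a spray spread across rotating proxies that stays under any per-address limit (the Form 2 bypass), and a burst of lockouts that signals someone turning Form 4's lockout against its own users. The one-minute window and the thresholds are likewise demo choices.

```python
"""Detections over login.log lines: single-source spray, proxy-rotated spray,
lockout storm. Added example, not the project's monitor.py; the line format,
sample lines, windows and thresholds are demo assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format; the real login.log format is not documented in the README.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) form=(?P<form>\d+) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2024-05-21 10:00:00 form=1 ip=192.0.2.10 user=alice result=success",
    "2024-05-21 10:00:30 form=1 ip=192.0.2.11 user=bob result=failure",
    "2024-05-21 10:00:40 form=1 ip=192.0.2.11 user=bob result=success",
    "this line is deliberately malformed and must be skipped",
] + [  # single-source spray against Form 1: one IP, six accounts, six seconds
    f"2024-05-21 10:05:0{i} form=1 ip=198.51.100.7 user={u} result=failure"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [  # rotating-proxy spray against Form 2: eight IPs, one account each
    f"2024-05-21 10:10:0{i} form=2 ip=10.0.0.{i + 1} user=user{i} result=failure"
    for i in range(8)
] + [  # lockout storm against Form 4: one client trips the lock on five accounts
    f"2024-05-21 10:20:0{i} form=4 ip=203.0.113.9 user={u} result=locked"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])
]


def parse(lines):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def _sliding(events, window):
    """Yield (end_ts, events inside the trailing window) for every event."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for i, e in enumerate(events):
        while events[start]["ts"] < e["ts"] - window:
            start += 1
        yield e["ts"], events[start:i + 1]


def spray_sources(events, window, min_users):
    """IPs whose failures touch >= min_users distinct accounts within one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        for _, win in _sliding(evs, window):
            n = len({e["user"] for e in win})
            if n >= min_users:
                hits[ip] = max(hits.get(ip, 0), n)
    return hits


def distributed_spray(events, window, min_users, min_ips):
    """Spray through rotating proxies: no single IP is noisy, but the campaign as a
    whole hits many accounts from many addresses. Returns (end_ts, users, ips) or None."""
    fails = [e for e in events if e["result"] == "failure"]
    best = None
    for end, win in _sliding(fails, window):
        users, ips = {e["user"] for e in win}, {e["ip"] for e in win}
        if len(users) >= min_users and len(ips) >= min_ips:
            if best is None or len(users) > best[1]:
                best = (end, len(users), len(ips))
    return best


def lockout_storm(events, window):
    """Largest number of distinct accounts locked within one window (Form 4 abuse)."""
    locks = [e for e in events if e["result"] == "locked"]
    return max((len({e["user"] for e in win}) for _, win in _sliding(locks, window)), default=0)


def report(lines):
    ev = parse(lines)
    minute = timedelta(minutes=1)
    return {
        "spray_sources": spray_sources(ev, minute, 5),
        "distributed": distributed_spray(ev, minute, 6, 4),
        "lockout_storm": lockout_storm(ev, minute),
    }


if __name__ == "__main__":
    for name, value in report(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The point of the second detection is that the per-IP rule alone is blind to exactly the bypass `proxies.py` performs: each of the eight addresses fails once, so none of them reaches the five-account threshold, yet the campaign as a whole touches eight accounts from eight addresses inside one minute. Counting distinct accounts across all sources catches it. The third detection keys on `result=locked` rather than on failures, because a lockout storm is noticeable chiefly by its effect on the victims.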