https://github.com/fandigunawan/vulnerable-flask-application

A vulnerable Python Flask application for OWASP TOP 10 vulnerabilities demo
https://github.com/fandigunawan/vulnerable-flask-application

flask owasp owasp-top-10 python vulnerable-web-app

Last synced: 7 months ago
JSON representation

A vulnerable Python Flask application for OWASP TOP 10 vulnerabilities demo

• Host: GitHub
• URL: https://github.com/fandigunawan/vulnerable-flask-application
• Owner: fandigunawan
• License: mit
• Created: 2025-03-01T08:12:21.000Z (7 months ago)
• Default Branch: main
• Last Pushed: 2025-03-01T08:47:27.000Z (7 months ago)
• Last Synced: 2025-03-01T09:26:42.398Z (7 months ago)
• Topics: flask, owasp, owasp-top-10, python, vulnerable-web-app
• Language: HTML
• Homepage:
• Size: 17.6 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# Vulnerable Flask Application

**WARNING: This application contains intentional security vulnerabilities!**

This is a deliberately vulnerable Flask application that demonstrates the OWASP Top 10 web application security risks. It is intended for educational purposes only, to help developers understand common security vulnerabilities and how to prevent them.

## OWASP Top 10 Vulnerabilities Demonstrated

1. **Broken Access Control** - Missing authentication checks, insecure direct object references

2. **Cryptographic Failures** - Storing passwords in plaintext, weak encryption

3. **Injection** - SQL injection, command injection

4. **Insecure Design** - Weak password reset functionality

5. **Security Misconfiguration** - Debug information exposure

6. **Vulnerable and Outdated Components** - Using outdated libraries

7. **Identification and Authentication Failures** - Weak password policies, no account lockout

8. **Software and Data Integrity Failures** - Insecure deserialization

9. **Security Logging and Monitoring Failures** - Insufficient logging

10. **Server-Side Request Forgery (SSRF)** - Unvalidated URL fetching

## Setup Instructions

0. Install Python 3.8.* (old and unsupported Python version).\

Use pyenv and env to prevent this obsolete version from ruining your computer.

1. Install the required dependencies:

   ```

   pip install -r requirements.txt

   ```

2. Run the application:

   ```

   python app.py

   ```

3. Access the application at http://127.0.0.1:5000

## Default Credentials

- Username: admin

- Password: admin123

## Educational Purpose

This application is designed for:

- Security training

- Learning about web vulnerabilities

- Understanding how to fix security issues

- Practicing security testing techniques

## DO NOT USE IN PRODUCTION

This application is intentionally insecure and should never be deployed in a production environment or exposed to the public internet.