https://github.com/mattuebel/vulnerability-example

Educational FastAPI application demonstrating CWE-863 authorization bypass vulnerability in document sharing with comprehensive security fixes

authorization cwe-863 cybersecurity docker education fastapi owasp python security vulnerability


# Share Code Authorization Vulnerability

A vulnerable FastAPI application demonstrating **CWE-863: Incorrect Authorization** in document sharing functionality.

## 🔗 **Key Links**

- **📋 [Issue #1: Security Vulnerability Report](https://github.com/MattUebel/vulnerability-example/issues/1)** - Detailed vulnerability analysis and reproduction steps
- **🔧 [Pull Request #2: Security Fixes](https://github.com/MattUebel/vulnerability-example/pull/2)** - Comprehensive security implementation and testing

## 🚨 **Vulnerability Summary**

**The Problem**: The share-code endpoint checks only that the caller is logged in. It never checks that the caller is the user the code was issued to, and it never invalidates the code after use, so any authenticated user who obtains a share code can read the document it points to, as many times as they like.

**Real-World Scenario**:
- Alice creates a share code intended for Bob
- Eve (an attacker) intercepts or guesses the share code
- Eve accesses Alice's confidential document using the share code meant for Bob
- The same share code keeps working on every subsequent request
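The authorization check the scenario above is missing, as an added example written for this page. It is not the repository's code and does not use FastAPI: the `Document`, `ShareCode`, `ShareStore` and `run_scenario` names are assumptions, and the store is an in-memory stand-in for the application's database. The vulnerable redemption looks the code up and returns the document; the fixed one authorizes on the pair (code, current user), rejects a code that has already been used, and returns one generic error so an attacker cannot tell an unknown code from one issued to someone else.

```python
"""Share-code redemption: the CWE-863 logic beside a hardened version.

Illustrative code written for this page, not MattUebel/vulnerability-example.
All names and data are constructed for the example.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: int
    owner: str
    content: str


@dataclass
class ShareCode:
    doc_id: int
    intended_recipient: str
    used: bool = False


class ShareStore:
    """In-memory stand-in for the application's database (assumption)."""

    def __init__(self) -> None:
        self.documents: dict[int, Document] = {}
        self.codes: dict[str, ShareCode] = {}

    def add_document(self, doc: Document) -> None:
        self.documents[doc.doc_id] = doc

    def create_share_code(self, owner: str, doc_id: int, recipient: str) -> str:
        doc = self.documents[doc_id]
        if doc.owner != owner:
            raise PermissionError("only the owner may share a document")
        # 256 bits from the OS CSPRNG: the code itself is not guessable,
        # unlike a short or sequential one. Guessing is only half of the
        # problem, though; an intercepted code is what the check below stops.
        code = secrets.token_urlsafe(32)
        self.codes[code] = ShareCode(doc_id=doc_id, intended_recipient=recipient)
        return code

    def redeem_vulnerable(self, current_user: str, code: str) -> Document:
        """CWE-863: the caller is authenticated but never compared to the recipient."""
        share = self.codes.get(code)
        if share is None:
            raise PermissionError("invalid share code")
        # current_user is ignored and share.used is never set, so anyone holding
        # the code (Eve included) reads the document as often as they like.
        return self.documents[share.doc_id]

    def redeem_fixed(self, current_user: str, code: str) -> Document:
        """Authorize on (code, caller): it must exist, be unused, and be for this user."""
        share = self.codes.get(code)
        if share is None or share.used or share.intended_recipient != current_user:
            # One generic error for all three failures, so a probing attacker
            # cannot learn whether a code exists or whom it was issued to.
            raise PermissionError("invalid share code")
        share.used = True  # single use: a leaked or replayed code is worthless afterwards
        return self.documents[share.doc_id]


def run_scenario() -> dict[str, bool]:
    """Alice shares with Bob; Eve obtains the code. Returns who got the document."""
    store = ShareStore()
    store.add_document(Document(doc_id=1, owner="alice", content="confidential"))
    code = store.create_share_code("alice", 1, recipient="bob")

    def attempt(redeem, user: str) -> bool:
        try:
            return redeem(user, code).content == "confidential"
        except PermissionError:
            return False

    return {
        "eve_vulnerable": attempt(store.redeem_vulnerable, "eve"),
        "eve_vulnerable_again": attempt(store.redeem_vulnerable, "eve"),
        "eve_fixed": attempt(store.redeem_fixed, "eve"),
        "bob_fixed": attempt(store.redeem_fixed, "bob"),
        "bob_fixed_replay": attempt(store.redeem_fixed, "bob"),
    }


if __name__ == "__main__":
    for check, got_document in run_scenario().items():
        print(f"{check}: {'document disclosed' if got_document else 'denied'}")
```

Running the module prints the five outcomes: the vulnerable path hands Eve the document twice, while the fixed path denies Eve, lets Bob read once, and denies Bob's replay. In a real service the same check belongs in the dependency or handler that resolves the current user, and `used` should be flipped in the same transaction as the read so two concurrent redemptions cannot both succeed.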

**Security Classification**:
- [CWE-863: Incorrect Authorization](https://cwe.mitre.org/data/definitions/863.html)
- [OWASP A01:2021 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
- **Severity**: High

## 🎯 **Quick Demonstration**

```bash
# Start the vulnerable application
docker compose up --build

# Run the exploit demonstration
./exploit_demo.sh

# View API documentation
open http://localhost:8000/docs
```

The `exploit_demo.sh` script demonstrates the complete attack scenario where Eve successfully accesses Alice's document using Bob's intended share code.

## 👥 **Test Users**

All users have password `password123`:
- **alice** - Document owner (creates share codes)
- **bob** - Intended recipient
- **eve** - Unauthorized attacker

## 📚 **Educational Purpose**

This repository demonstrates:
- How authorization bypass vulnerabilities occur in real applications
- The impact of insufficient access controls in document sharing systems
- Proper security implementation and testing practices

For detailed technical analysis, vulnerability reproduction steps, and comprehensive security fixes, see the linked issue and pull request above.

---
*This application is intentionally vulnerable for educational purposes only.*