One more target for security practice. Nothing fancy here.
Should you use it, please take note: DO NOT RUN THIS ON YOUR OWN LAPTOP FOR OTHER PEOPLE AS A TARGET. RUNNING THIS APPLICATION WILL BE A SECURITY RISK SHOULD YOU DO IT.
- Install Python + Flask (`pip install flask`), then:

```sh
export FLASK_APP=flask-vuln.py
flask run
```

Or use `run.sh`.

Or use `run_docker.sh` (which builds the image and starts a container). Remember to stop and remove the container after you're done.
Enjoy the puzzles at http://localhost:5000
If you run this for other people somewhere, add `--host=0.0.0.0` to the `flask run` parameters so it listens on all IP addresses. Please understand that doing so puts the machine running this application at risk, and take appropriate measures.
Flask's built-in development server is single-threaded, which means it hangs and sucks in a workshop setting. As a remedy, do something like this:
- Set up an Ubuntu server on EC2, with proper firewall rules etc.
- Configure the host IP for Ansible in the `hosts` inventory
- `ansible-playbook playbook.yml -i hosts`
- `run-gunicorn.sh`

This runs the app through Gunicorn, which is a much better implementation of a multi-threaded web server.
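As an added example (not the project's own `run-gunicorn.sh`), a launcher that binds to loopback unless you explicitly ask for all interfaces, and runs Gunicorn with several workers and a request timeout so one stalled request cannot freeze the whole workshop. It assumes Gunicorn is installed and that the Flask object in `flask-vuln.py` is named `app` (both assumptions).

```shell
#!/bin/sh
# Added example, not the project's run-gunicorn.sh.
# Assumptions: gunicorn is installed, and flask-vuln.py exposes a Flask object named `app`.
# Default bind is loopback; all-interface binding must be requested explicitly.

APP_MODULE="flask-vuln:app"   # assumption: the Flask object is called `app`
PORT=5000

# resolve_bind MODE -> prints the address to bind, or returns 1 for an unknown MODE.
#   local  -> 127.0.0.1 (default: only this machine can reach the target)
#   public -> 0.0.0.0   (every interface: only on a firewalled workshop host)
resolve_bind() {
  case "${1:-local}" in
    local)  echo "127.0.0.1:$PORT" ;;
    public) echo "0.0.0.0:$PORT" ;;
    *)      echo "unknown bind mode: $1" >&2; return 1 ;;
  esac
}

# worker_count -> one worker per CPU plus one, capped at 8 so a small box is not oversubscribed.
worker_count() {
  cpus=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
  case "$cpus" in ''|*[!0-9]*) cpus=1 ;; esac
  n=$((cpus + 1))
  if [ "$n" -gt 8 ]; then n=8; fi
  echo "$n"
}

# serve MODE -> replace this shell with Gunicorn serving the app.
# --timeout kills a worker stuck on one request; the others keep serving the room.
serve() {
  bind=$(resolve_bind "$1") || exit 1
  exec gunicorn \
    --workers "$(worker_count)" \
    --timeout 30 \
    --graceful-timeout 10 \
    --bind "$bind" \
    --access-logfile - \
    "$APP_MODULE"
}

# Usage: ./run-gunicorn-safe.sh serve [local|public]
if [ "${1:-}" = "serve" ]; then
  serve "${2:-local}"
fi
```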
People should try to solve and figure these out manually. Running OWASP ZAP will immediately reveal most of the vulnerabilities in this application (as you would expect, given that it is intentionally a soft target for practice), taking all the learning out of the experience.
See LICENSE