Phishing Awareness Test Page

A themed fake login page for cybersecurity competitions (ISTS 2026). Displays a space-command-styled login form that discards all input and redirects the user to a configurable URL. No credentials are stored, logged, or processed.

Quick Start for Competition (to connect to from other boxes)

python3 -m venv venv
venv/bin/pip install -r requirements.txt
REDIRECT_URL="https://www.youtube.com/watch?v=Aq5WXmQQooo" \
SECRET_KEY="$(python3 -c 'import secrets; print(secrets.token_hex(32))')" \
authbind venv/bin/gunicorn --bind 0.0.0.0:80 wsgi:app >> gunicorn.log 2>&1 &

To kill, run ps aux | grep gunicorn and kill the process that's running the website.

Info on Connections

Check gunicorn.log to see all IPs that connect to the website.

Quick Start on Localhost

python3 -m venv venv
venv/bin/pip install -r requirements.txt
REDIRECT_URL="https://www.youtube.com/watch?v=Aq5WXmQQooo" \
SECRET_KEY="$(python3 -c 'import secrets; print(secrets.token_hex(32))')" \
venv/bin/gunicorn --bind 127.0.0.1:8000 wsgi:app

Visit http://127.0.0.1:8000 — any form submission redirects to REDIRECT_URL.

Configuration

Variable	Description	Default / Required
REDIRECT_URL	URL users are sent to after form submit	https://www.youtube.com/watch?v=Aq5WXmQQooo
SECRET_KEY	Flask secret for CSRF tokens and sessions	Random bytes (set explicitly in production)
GUNICORN_BIND	Gunicorn bind address (overrides config)	unix:/run/phishing-test/gunicorn.sock

Note: REDIRECT_URL is validated against an allowlist in app.py (ALLOWED_REDIRECT_HOSTS). Add your domain there before changing the URL.

Production Deployment

The repo includes optional production configs:

• nginx.conf — Reverse proxy with TLS, security headers, and CSP. Update server_name and certificate paths before use.
• gunicorn.conf.py — Worker count, timeouts, socket permissions, and Unix socket binding.
• phishing-test.service — systemd unit file. Expects the app at /opt/phishing-test/. Set SECRET_KEY in the Environment= line.

License

GPL-3.0