This repository contains a small Flask web application used for study and demonstration of web security topics. The project includes a simple image gallery, an upload endpoint, and a feedback form backed by SQLite. Several insecure patterns are present intentionally for controlled testing and learning purposes.
Important: do NOT deploy this application to a public or production environment. It contains intentionally vulnerable code intended for controlled, local testing only.
Quick overview
- Routes: `/` (home), `/images` (gallery + upload), `/images/<filename>` (serve uploads), `/feedback` (submit and view comments), `/secret` (secret images), `/under-development`.
- Data: feedback and picture metadata are stored in `feedback.db` (SQLite).
- Purpose: educational demonstration of common web vulnerabilities and their impact.
Getting started (local dev)
- Create and activate a Python virtual environment (cross-platform)

  Windows PowerShell:

  ```powershell
  python -m venv .venv
  .\.venv\Scripts\Activate.ps1
  ```

  macOS / Linux (bash / zsh):

  ```bash
  python3 -m venv .venv
  source .venv/bin/activate
  ```

- Install dependencies

  ```bash
  pip install -r requirements.txt
  ```

- Run the app

  ```bash
  python app.py
  ```

  The app listens on port 5000 by default (development mode).
Notes and safety
- The application intentionally contains examples of SQL injection, reflected/stored XSS, command injection, and local file inclusion (LFI). These are included for learning and are not production-ready.
- The database file `feedback.db` is stored in the repository folder for convenience. Do not expose it publicly.
- A `CHANGELOG.md` file contains the project's historical notes.
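As an added illustration (this is not code from the repository, and it does not reproduce how the app itself is written), here are two of the vulnerability classes listed above, SQL injection and LFI, each shown as a vulnerable function beside its hardened counterpart. The `comments(author, body)` table, the `/srv/app/uploads` directory and the function names are assumptions made for the example; the README does not document the real schema or paths. It uses only the standard library so it runs without Flask installed.

```python
import os
import sqlite3

# Constructed stand-in for the app's upload folder; the real path is not
# documented in the README, so this value is an assumption for illustration.
UPLOAD_DIR = "/srv/app/uploads"


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database standing in for feedback.db.

    The `comments(author, body)` schema is an assumption made for this
    example; the README does not describe the real table layout.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    con.execute("INSERT INTO comments (author, body) VALUES ('alice', 'first comment')")
    con.commit()
    return con


def comments_by_author_vulnerable(con: sqlite3.Connection, author: str) -> list:
    """Vulnerable: the user-supplied value is spliced into the SQL text, so a
    quote inside `author` changes the structure of the query (SQL injection)."""
    sql = f"SELECT author, body FROM comments WHERE author = '{author}'"
    return con.execute(sql).fetchall()


def comments_by_author_safe(con: sqlite3.Connection, author: str) -> list:
    """Hardened: the value is bound as a parameter, so SQLite treats it purely
    as data regardless of the characters it contains."""
    return con.execute(
        "SELECT author, body FROM comments WHERE author = ?", (author,)
    ).fetchall()


def resolve_upload_vulnerable(upload_dir: str, filename: str) -> str:
    """Vulnerable: a user-supplied name is joined onto the upload folder with
    no containment check, so '../' sequences (or an absolute path) walk out
    of the folder (path traversal / local file inclusion)."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def resolve_upload_safe(upload_dir: str, filename: str):
    """Hardened: canonicalise both paths and refuse anything that does not
    stay inside the upload folder. Returns the absolute path, or None.

    commonpath() is used instead of startswith() so that a sibling such as
    'uploads_evil' is not mistaken for a child of 'uploads'."""
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR '1'='1"
    print("vulnerable SQL:", comments_by_author_vulnerable(db, payload))  # every row leaks
    print("parameterised: ", comments_by_author_safe(db, payload))        # []

    traversal = "../../../etc/passwd"
    print("vulnerable path:", resolve_upload_vulnerable(UPLOAD_DIR, traversal))  # /etc/passwd
    print("contained path: ", resolve_upload_safe(UPLOAD_DIR, traversal))        # None
    print("legitimate path:", resolve_upload_safe(UPLOAD_DIR, "cat.png"))
```

In a real Flask route the containment check is what `flask.send_from_directory(directory, path)` performs for you; serving uploads through it rather than opening a user-controlled path directly is the usual fix for the LFI pattern, and parameterised queries are the fix for the SQL one.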
If you need write-ups of the vulnerabilities, please reach out.