globocom · mayasrl · Oct 23, 2025
diff --git a/README.md b/README.md
@@ -67,7 +67,7 @@ Disclaimer: You are about to install vulnerable mobile apps in your machine!
 
 ## Contributing
 
-We encourage you to contribute to SecDevLabs! Please check out the [Contributing to SecDevLabs](/docs/CONTRIBUTING.md) section for guidelines on how to proceed! 🎉
+We encourage you to contribute to SecDevLabs! Please check out the [Contributing to SecDevLabs](docs/CONTRIBUTING.md) section for guidelines on how to proceed! 🎉
 
 ## License
 

diff --git a/owasp-top10-2021-apps/a1/tictactoe/deployments/docker-compose.yml b/owasp-top10-2021-apps/a1/tictactoe/deployments/docker-compose.yml
@@ -3,14 +3,14 @@ version: '3'
 services:
 
     api:
-        container_name: a5_tictactoe
+        container_name: a1_tictactoe
         build:
             context: ../
             dockerfile: deployments/Dockerfile
         ports:
             - "10005:10005"
         networks:
-            - a5net
+            - a1net
         env_file:
             - .dockers.env
         depends_on:
@@ -29,10 +29,10 @@ services:
         env_file:
             - .dockers.env
         networks:
-            - a5net
+            - a1net
 
 networks:
-    a5net:
+    a1net:
 
 volumes:
     db_data:
diff --git a/owasp-top10-2021-apps/a3/comment-killer/deployments/docker-compose.yml b/owasp-top10-2021-apps/a3/comment-killer/deployments/docker-compose.yml
@@ -1,27 +1,27 @@
 version: "3.7"
 
 networks:
-    a7_net:
+    a3_net:
 
 services:
     app:
-        container_name: app-a7
+        container_name: app-a3
         build:
             context: ../
             dockerfile: deployments/app.Dockerfile
         ports:
             - "10007:3000"
         stdin_open: true
         networks:
-            - a7_net
+            - a3_net
 
     api:
-        container_name: api-a7
+        container_name: api-a3
         build:
             context: ../
             dockerfile: deployments/api.Dockerfile
         ports:
             - "10017:10017"
         command: "go run main.go"
         networks:
-            - a7_net
+            - a3_net
diff --git a/owasp-top10-2021-apps/a3/copy-n-paste/README.md b/owasp-top10-2021-apps/a3/copy-n-paste/README.md
@@ -63,7 +63,7 @@ Now that you know the purpose of this app, what could go wrong? The following se
 
 #### Lack of input validation allows injection of SQL queries
 
-After reviewing `NewUser()` , `CheckIfUserExists()` and `AuthenticateUser()` from [`db.go`](<(https://github.com/globocom/secDevLabs/blob/master/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go#)>) file, it was possible to see that some input from users are concatenated with SQL queries, as shown in the following code snippets:
+After reviewing `NewUser()` , `CheckIfUserExists()` and `AuthenticateUser()` from [`db.go`](https://github.com/globocom/secDevLabs/blob/master/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go) file, it was possible to see that some input from users are concatenated with SQL queries, as shown in the following code snippets:
 
 ```go
 query := fmt.Sprint("select * from Users where username = '" + user + "'")

diff --git a/...copy-n-paste/deployments/a1inj.Dockerfile → ...copy-n-paste/deployments/a3inj.Dockerfile b/...copy-n-paste/deployments/a1inj.Dockerfile → ...copy-n-paste/deployments/a3inj.Dockerfile
diff --git a/owasp-top10-2021-apps/a3/copy-n-paste/deployments/docker-compose.yml b/owasp-top10-2021-apps/a3/copy-n-paste/deployments/docker-compose.yml
@@ -1,20 +1,20 @@
 version: '3.4'
 services:
     api:
-        container_name: a1_api
+        container_name: a3_api
         build:
             context: ../
-            dockerfile: deployments/a1inj.Dockerfile
+            dockerfile: deployments/a3inj.Dockerfile
         ports:
             - "10001:10001"
         networks:
-            - a1net
+            - a3net
         command: "go run server.go"
         environment:
             MYSQL_ROOT_PASSWORD: root
             MYSQL_USER: user
             MYSQL_PASSWORD: pass
-            MYSQL_DATABASE: a1db
+            MYSQL_DATABASE: a3db
         depends_on:
             - mysqldb
         external_links:
@@ -32,12 +32,12 @@ services:
             MYSQL_ROOT_PASSWORD: root
             MYSQL_USER: user
             MYSQL_PASSWORD: pass
-            MYSQL_DATABASE: a1db
+            MYSQL_DATABASE: a3db
         networks:
-            - a1net
+            - a3net
 
 networks:
-    a1net:
+    a3net:
 
 volumes:
     db_data:
diff --git a/owasp-top10-2021-apps/a3/gossip-world/deployments/docker-compose.yml b/owasp-top10-2021-apps/a3/gossip-world/deployments/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "3.4"
 services:
   app:
-    container_name: app-a7 
+    container_name: app-a3 
     build:
       context: ../
       dockerfile: deployments/Dockerfile
@@ -11,35 +11,36 @@ services:
       - "../app/:/app"
     environment:
       SECRET_KEY: secretkey
-      MYSQL_ENDPOINT: mysqldb-a7
+      MYSQL_ENDPOINT: mysqldb-a3
       MYSQL_PASSWORD: pass
       MYSQL_USER: user
-      MYSQL_DB: a7db
+      MYSQL_DB: a3db
     networks: 
-      - a7_net
+      - a3_net
     depends_on:
-      - mysqldb-a7
+      - mysqldb-a3
     external_links:
-      - mysqldb-a7:mysqldb-a7
+      - mysqldb-a3:mysqldb-a3
     restart: always
 
-  mysqldb-a7:
-    container_name: mysqldb-a7
+  mysqldb-a3:
+    container_name: mysqldb-a3
     image: mariadb:10.6.3
     ports:
       - "3307:3307"
     environment:
       MYSQL_ROOT_PASSWORD: root
-      MYSQL_DATABASE: a7db 
+      MYSQL_DATABASE: a3db 
       MYSQL_USER: user
       MYSQL_PASSWORD: pass
     networks:
-      - a7_net
+      - a3_net
     volumes:
-      - storage-a7-database:/var/lib/mysql
+      - storage-a3-database:/var/lib/mysql
 
 volumes:
-  storage-a7-database:
+  storage-a3-database:
 
 networks:
-  a7_net:
+  a3_net:
+
diff --git a/owasp-top10-2021-apps/a3/mongection/deployments/docker-compose.yml b/owasp-top10-2021-apps/a3/mongection/deployments/docker-compose.yml
@@ -3,7 +3,7 @@ version: '3'
 services:
 
     server:
-        container_name: a1_mongection
+        container_name: a3_mongection
         build:
             context: ../
             dockerfile: deployments/mongection.Dockerfile
@@ -13,7 +13,7 @@ services:
         ports:
             - "10001:10001"
         networks:
-            - a1net
+            - a3net
         depends_on:
             - mongo
         external_links:
@@ -28,7 +28,7 @@ services:
         ports:
           - "27017:27017"
         networks:
-            - a1net
+            - a3net
 
 networks:
-    a1net:
+    a3net:
diff --git a/owasp-top10-2021-apps/a3/sstype/deployments/docker-compose.yml b/owasp-top10-2021-apps/a3/sstype/deployments/docker-compose.yml
@@ -3,15 +3,15 @@ version: '3'
 services:
 
     server:
-        container_name: a1_sstype
+        container_name: a3_sstype
         build:
             context: ../
             dockerfile: deployments/sstype.Dockerfile
         ports:
             - "10001:10001"
         networks:
-            - a1net
+            - a3net
         restart: always
 
 networks:
-    a1net:
+    a3net:
diff --git a/owasp-top10-2021-apps/a3/streaming/README.md b/owasp-top10-2021-apps/a3/streaming/README.md
@@ -45,7 +45,7 @@ Now that you know the purpose of this app, what could go wrong? The following se
 
 #### Non-sanitization of user input allows for cross-site scripting
 
-After reviewing `buildLiveHTMLMessage(message)` from [`play.component.ts`](<(https://github.com/globocom/secDevLabs/blob/master/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts#)>) file, it was possible to identify that loaded messages and username are not sanitized and can be executed on a web browser (as shown in the message bellow).
+After reviewing `buildLiveHTMLMessage(message)` from [`play.component.ts`](https://github.com/globocom/secDevLabs/blob/master/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts) file, it was possible to identify that loaded messages and username are not sanitized and can be executed on a web browser (as shown in the message bellow).
 
 <p align="center">
     <img src="images/vulnerable-function.png"/>

diff --git a/owasp-top10-2021-apps/a5/misconfig-wordpress/deployments/docker-compose.yml b/owasp-top10-2021-apps/a5/misconfig-wordpress/deployments/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '3.4'
 services:
    db:
-    container_name: a6db
+    container_name: a5db
     image: mariadb:10.6.3
     restart: always
     environment:
@@ -11,10 +11,10 @@ services:
       MYSQL_PASSWORD: wordpress
 
    wordpress:
-    container_name: a6-wordpress
+    container_name: a5-wordpress
     depends_on:
       - db
-    image: secdevlabs/a6-the-mistery:wp-version-2
+    image: secdevlabs/a5-the-mistery:wp-version-2
     ports:
       - "8000:80"
     restart: always

diff --git a/owasp-top10-2021-apps/a5/stegonography/deployments/docker-compose.yml b/owasp-top10-2021-apps/a5/stegonography/deployments/docker-compose.yml
@@ -11,7 +11,7 @@ services:
     ports:
       - 10006:10006
     networks:
-      - a6_net
+      - a5_net
     restart: always
 
   db:
@@ -23,7 +23,7 @@ services:
       - 27017:27017
       - 27018:27018
     networks:
-      - a6_net
+      - a5_net
 
 networks:
-    a6_net:
+    a5_net:
diff --git a/owasp-top10-2021-apps/a6/cimentech/deployments/docker-compose.yml b/owasp-top10-2021-apps/a6/cimentech/deployments/docker-compose.yml
@@ -14,17 +14,17 @@ services:
       - ../app/html/themes:/var/www/html/themes
     restart: always
     networks: 
-      - a9_net
+      - a6_net
 
   db:
     image: postgres:10.5
-    container_name: a9db
+    container_name: a6db
     environment:
       POSTGRES_PASSWORD: example
     ports:
       - 5432:5432
     networks: 
-      - a9_net
+      - a6_net
     volumes:
       - db_data:/var/lib/postgresql/data
       - ../app/dump.db:/docker-entrypoint-initdb.d/dump.sql
@@ -33,4 +33,4 @@ volumes:
   db_data:
 
 networks: 
-  a9_net:
+  a6_net:
diff --git a/owasp-top10-2021-apps/a7/insecure-go-project/README.md b/owasp-top10-2021-apps/a7/insecure-go-project/README.md
@@ -49,11 +49,11 @@ Now that you know the purpose of this app, what could go wrong? The following se
 
 #### Sensitive hardcoded credentials allow an attacker access to the database
 
-After inspecting the application source code, it is possible to identify that some sensitive data from MongoDB are hardcoded on the [`config.yml`](../app/config.yml), as shown on the picture below:
+After inspecting the application source code, it is possible to identify that some sensitive data from MongoDB are hardcoded on the [`config.yml`](app/config.yml), as shown on the picture below:
 
 <img src="images/attack-1.png" align="center"/>
 
-This issue can also be found on [`mongo-init.js`](../deployments/mongo-init.js) file, as shown bellow:
+This issue can also be found on [`mongo-init.js`](deployments/mongo-init.js) file, as shown bellow:
 
 <img src="images/attack-2.png" align="center"/>
 

diff --git a/owasp-top10-2021-apps/a7/insecure-go-project/deployments/docker-compose.yml b/owasp-top10-2021-apps/a7/insecure-go-project/deployments/docker-compose.yml
@@ -8,7 +8,7 @@ volumes:
 
 services:
     api:
-        container_name: a2_insecure_api
+        container_name: a7_insecure_api
         build:
             context: ../
             dockerfile: deployments/api.Dockerfile

diff --git a/owasp-top10-2021-apps/a7/saidajaula-monster/app/app.py b/owasp-top10-2021-apps/a7/saidajaula-monster/app/app.py
@@ -12,10 +12,10 @@
 
 
 app = Flask(__name__)
-database = DataBase(os.environ.get('A2_DATABASE_HOST'),
-                    os.environ.get('A2_DATABASE_USER'),
-                    os.environ.get('A2_DATABASE_PASSWORD'),
-                    os.environ.get('A2_DATABASE_NAME'))
+database = DataBase(os.environ.get('A7_DATABASE_HOST'),
+                    os.environ.get('A7_DATABASE_USER'),
+                    os.environ.get('A7_DATABASE_PASSWORD'),
+                    os.environ.get('A7_DATABASE_NAME'))
 
 
 def login_admin_required(f):