This is a Django-based web application that is deliberately vulnerable, built to introduce some of the vulnerability categories from the OWASP Top Ten 2021 list. The purpose of this project is to demonstrate both the vulnerabilities and their fixes within a controlled environment.
The vulnerable version of the app is in the main branch, and the secure version is on the secure-version branch. Please see them both for comparison. In the main branch, the specific vulnerabilities, and where they are located in the backend code, are marked with comments so you can easily find exactly where each flaw is. The flaws you can find in this project are the following:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A05:2021-Security Misconfiguration
- A07:2021-Identification and Authentication Failures
- A09:2021-Security Logging and Monitoring Failures
To get this project up and running on your local machine for development and testing purposes, follow these steps:
Make sure you have Python and Django installed. If you need to install these, please refer to the official Python installation page and Django installation guide.
1. **Clone the repository**

   ```bash
   git clone https://github.com/koinsaari/owasp-demo.git
   cd owasp-demo
   ```

2. **Set up a virtual environment (recommended)**

   Create and activate a virtual environment to manage dependencies:

   ```bash
   python3 -m venv venv
   source venv/bin/activate
   ```

   If you choose not to use a virtual environment, the dependencies will be installed globally.

3. **Install dependencies**

   Install the required Python packages:

   ```bash
   pip install -r requirements.txt
   ```

4. **Initialize the database**

   Set up the database by running migrations:

   ```bash
   cd src/owasp_demo
   python manage.py makemigrations
   python manage.py migrate
   ```

5. **Run the server**

   Start the Django development server:

   ```bash
   python manage.py runserver
   ```

   Now you can visit http://127.0.0.1:8000/ in your browser to view the application. The app is deliberately insecure, so keep it bound to localhost (the `runserver` default) and never deploy it on a host reachable by others.

6. **Switch between the branches**

   You can switch between the vulnerable and fixed versions of the project by simply checking out the corresponding branch:

   ```bash
   git checkout secure-version
   ```

   or back to the vulnerable version:

   ```bash
   git checkout main
   ```

   The test suite checks that the vulnerabilities are present on `main` and, run on `secure-version`, that they are gone. Run it on either branch with:

   ```bash
   cd src/owasp_demo
   python manage.py test
   ```

The application is just a simple user management system where you can create a profile, edit your personal information, and view other users' information if their profiles are public.
- **Registration:** Navigate to the registration page and create a new user account by providing a username, password, email, and phone number. Note that in the vulnerable version, passwords are stored in plain text and weak passwords are permitted.
- **Login:** Use the login page to authenticate with your username and password. Successful login redirects you to your profile page. In the vulnerable version, the error messages reveal whether it was the username or the password that was incorrect, which lets an attacker enumerate valid usernames.
After logging in, you can view and update your profile information, including email, phone number, bio, and the visibility of your profile (public/private).
Use the search functionality to look up other users by username if they have set their profile public. In the vulnerable version, this feature is susceptible to SQL injection attacks.
You can view the profile information of other users by clicking on their usernames in the search results. In the vulnerable version, there are no access control checks, allowing users to access any profile directly.
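The following is an added example, not code from the owasp-demo project: a stand-alone SQLite stand-in for the search view and the profile view, covering both the SQL injection described under the search feature and the missing access control described above. The search is shown with the term pasted into the SQL text (so `' OR 1=1 --` returns private profiles) and then as a bound parameter with LIKE wildcards escaped, which also goes slightly beyond the text by making a literal `%` or `_` in the input match literally. The profile view is shown with no check, and then with the owner-or-public rule enforced inside the query, so a private profile and a nonexistent one both come back as "not found" and the endpoint does not reveal which. The table layout, sample rows and function names are this example's assumptions; in Django the same hardening is a parameterised `cursor.execute(sql, params)` or an ORM filter such as `.filter(username__icontains=q, is_public=True)`.

```python
"""Stand-alone stand-in for the demo's search and profile views (added example, not project code)."""
from __future__ import annotations

import sqlite3

# Constructed sample data: two public profiles and one private one.
SAMPLE_USERS = [
    ("alice", "Public profile of alice", 1),
    ("bob", "Bob keeps his phone number private", 0),
    ("carol", "Carol is public too", 1),
]


def make_db() -> sqlite3.Connection:
    """In-memory table shaped like the demo's user profiles (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, bio TEXT, is_public INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list[str]:
    """A03 flaw: the search term becomes part of the SQL text, so it can close the quote."""
    sql = f"SELECT username FROM users WHERE is_public = 1 AND username LIKE '%{q}%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(term: str) -> str:
    """Neutralise LIKE metacharacters so '%' and '_' in user input match themselves."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_secure(conn: sqlite3.Connection, q: str) -> list[str]:
    """Parameterised: the term travels as a bound value and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE is_public = 1 AND username LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in conn.execute(sql, (f"%{escape_like(q)}%",)))


def profile_vulnerable(conn: sqlite3.Connection, viewer: str, username: str):
    """A01 flaw: any logged-in user can read any profile just by naming it in the URL."""
    return conn.execute(
        "SELECT username, bio FROM users WHERE username = ?", (username,)
    ).fetchone()


def profile_secure(conn: sqlite3.Connection, viewer: str, username: str):
    """Object-level authorization in the query: the owner, or anyone if the profile is public.
    A private profile and a missing one both return None, i.e. the same 404 to the caller."""
    return conn.execute(
        "SELECT username, bio FROM users WHERE username = ? AND (is_public = 1 OR username = ?)",
        (username, viewer),
    ).fetchone()
```

Putting the visibility rule into the `WHERE` clause rather than checking it after the fetch is a small but useful habit: there is no window in which the private row exists in the view's variables, and the check cannot be forgotten by a later refactor that adds a new code path.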
The vulnerable application has minimal logging for registration and login activities, and detailed stack traces are displayed to the user in case of errors.
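The following is an added example, not the project's own settings or code, showing the shape of the fix for the two points above: an audit log for authentication events and no tracebacks for visitors. `DEBUG`, `ALLOWED_HOSTS` and `LOGGING` are Django's real setting names (the values are this example's); the logger name `owasp_demo.security`, the list-backed handler, and the `audit_auth_event`, `failed_logins_for` and `handle_error` functions are assumptions made for the example. Because Django's `LOGGING` setting is exactly the standard library's `logging.config.dictConfig` schema, the block applies the dict directly and runs without Django.

```python
"""Stand-alone illustration of the logging and error-handling fixes (added example, not project code)."""
from __future__ import annotations

import logging
import logging.config

# Django settings governing A05 and A09 (setting names are Django's; values are this example's).
DEBUG = False                                 # True renders full tracebacks and settings to the visitor
ALLOWED_HOSTS = ["127.0.0.1", "localhost"]

# Log lines captured in memory so the example can be inspected without a file (constructed).
CAPTURED: list[str] = []


class ListHandler(logging.Handler):
    """Stand-in for a file or syslog handler: keeps formatted records in CAPTURED."""

    def emit(self, record: logging.LogRecord) -> None:
        CAPTURED.append(self.format(record))


# Same dict shape a Django project would put in settings.LOGGING.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "formatters": {
        "security": {"format": "%(asctime)s %(levelname)s %(name)s %(message)s"},
    },
    "handlers": {
        "audit": {"()": ListHandler, "formatter": "security"},
    },
    "loggers": {
        "owasp_demo.security": {"handlers": ["audit"], "level": "INFO", "propagate": False},
    },
}
logging.config.dictConfig(LOGGING)
security_log = logging.getLogger("owasp_demo.security")


def audit_auth_event(event: str, username: str, remote_addr: str, success: bool) -> str:
    """Record who did what from where; failures go at WARNING so they stand out in triage."""
    # The username comes from the request: strip line breaks so a crafted value cannot
    # forge an extra log line, and cap its length so it cannot flood the log.
    safe_user = username.replace("\r", " ").replace("\n", " ")[:64]
    level = logging.INFO if success else logging.WARNING
    message = f"event={event} user={safe_user!r} ip={remote_addr} success={success}"
    security_log.log(level, message)
    return message


def failed_logins_for(username: str) -> int:
    """Detection hook: count failed login lines for one account (brute-force indicator)."""
    needle = f"event=login user={username!r} ip="
    return sum(1 for line in CAPTURED if needle in line and "success=False" in line)


def handle_error(exc: Exception) -> str:
    """What the visitor sees for an unhandled exception: the traceback goes to the log,
    and a generic message to the response unless DEBUG is on."""
    security_log.error("unhandled exception: %s", type(exc).__name__, exc_info=exc)
    if DEBUG:
        return f"{type(exc).__name__}: {exc}"
    return "Something went wrong."
```

In a real deployment the `audit` handler would be a file or syslog handler and `failed_logins_for` would be a query in the SIEM rather than a scan of a list; the point is that the events exist, carry the actor, source address and outcome, and are written in a form that user input cannot corrupt.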
This project is licensed under the MIT License. See the LICENSE file for details.
For any inquiries, feel free to contact me via email at aaro.koinsaari@protonmail.ch or connect on LinkedIn: aarokoinsaari.