├── Flask App
│   ├── Static
│   │   ├── roadmap.txt
│   │   └── style.css
│   ├── Templates
│   │   ├── administration.html
│   │   ├── cust_error.html
│   │   ├── homepage.html
│   │   ├── index.html
│   │   ├── readme.html
│   │   ├── sl.html
│   │   └── temp.html
│   └── app.py
└── README.md

/Flask App/Static/roadmap.txt:
--------------------------------------------------------------------------------
1. Hardcoded secrets like username and password
   There will be an admin login in the application; instead of fetching this username from the DB, username validation will happen in one of the pages like sec_adm.html.
   This is done and dusted!

2. Internal IP disclosure
   For this I am planning to put some links which mention an internal IP, random cloud IP etc. in the source.
3. PII data being transferred via URL
   This can be done via a form submission, where the user will enter details like a credit card and this will go via GET.
4. Insecure usage of Random function
   I am planning to generate a value as a voucher code with a random function logic of my own, so it's not random at the end of the day.
5. Reflected Cross Site Scripting
   Will take an input from the PII page and reflect it then and there, and will store it in the DB and show it somewhere else too.
6. Stored Cross Site Scripting
7. Authorization bypass issues like forced browsing
   Will use the hidden sec_admin.html.
8. Insecure direct object reference
   This I don't know how to do.
9. Authentication bypass using SQL Injection
   This can be done easily.
10. Sensitive information disclosed via comments
    This can be added via comments.
11. Version disclosures via code and comments
    This can be done easily.
12. Technical information revealed via stacktrace / error message
    May be an unhandled exception.

SQL Auth Bypass
|
Home Page > SignIn & Signup -> Create User
|
User Home > generate voucher > insecure random
|
Enter Credit Card Data > Save (Issue 3)
|
Enter Personal Details > For stored and reflected XSS

Hidden admin page > for hardcoded username and password & SQL connection string config file
|
Forced browsing
|
Secret admin > sensitive information in comments
|
Version disclosure > multiple pages
|
Unhandled exception should spill out the connection string and all to the app page.



# planned login routes (draft); session must be imported alongside the other Flask names
from flask import Flask, render_template, request, session

@app.route('/')
def home():
    if not session.get('logged_in'):
        return render_template('index.html')
    else:
        return render_template('cust_error.html')

@app.route('/login', methods=['POST'])
def do_login():
    if request.form['password'] == "123123asdf":
        session['logged_in'] = True
        return render_template('user_home.html')
    else:
        #flash('The username or password provided is wrong')
        return home()
--------------------------------------------------------------------------------

/Flask App/Static/style.css:
--------------------------------------------------------------------------------
* {
  box-sizing: border-box;
}

*:focus {
  outline: none;
}
body {
  font-family: Arial;
  background-color: #3498DB;
  padding: 50px;
}
.login {
  margin: 20px auto;
  width: 300px;
}
.login-screen {
  background-color: #FFF;
  padding: 20px;
  border-radius: 5px;
}

.app-title {
  text-align: center;
  color: #777;
}

.login-form {
  text-align: center;
}
.control-group {
  margin-bottom: 10px;
}

input {
  text-align: center;
  background-color: #ECF0F1;
  border: 2px solid transparent;
  border-radius: 3px;
  font-size: 16px;
  font-weight: 200;
  padding: 10px 0;
  width: 250px;
  transition: border .5s;
}

input:focus {
  border: 2px solid #3498DB;
  box-shadow: none;
}

.btn {
  border: 2px solid transparent;
  background: #3498DB;
  color: #ffffff;
  font-size: 16px;
  line-height: 25px;
  padding: 10px 0;
  text-decoration: none;
  text-shadow: none;
  border-radius: 3px;
  box-shadow: none;
  transition: 0.25s;
  display: block;
  width: 250px;
  margin: 0 auto;
}

.btn:hover {
  background-color: #2980B9;
}

.login-link {
  font-size: 12px;
  color: #444;
  display: block;
  margin-top: 12px;
}
--------------------------------------------------------------------------------

/Flask App/Templates/administration.html:
--------------------------------------------------------------------------------
[HTML markup stripped in this copy; only the visible text survived]

This page is not for the normal people

Admin Access Page

Area 51 : This page is for some shady business of the admin !! Stay Away from here.
--------------------------------------------------------------------------------

/Flask App/Templates/cust_error.html:
--------------------------------------------------------------------------------
[HTML markup stripped in this copy; only the visible text survived]

Error Page

This is an Error Page
--------------------------------------------------------------------------------

/Flask App/Templates/homepage.html:
--------------------------------------------------------------------------------
[HTML markup stripped in this copy; no visible text survived]
--------------------------------------------------------------------------------

/Flask App/Templates/index.html:
--------------------------------------------------------------------------------
[HTML markup stripped in this copy; no visible text survived]
--------------------------------------------------------------------------------

/Flask App/Templates/readme.html:
--------------------------------------------------------------------------------
[HTML markup stripped in this copy; only the visible text survived]

The first ever flask app

This is a deliberately vulnerable application which will allow anyone to learn the basics of source code review.

Usually you will see a lot of vulnerable applications for practice with a UI, but have you ever encountered a scenario where you have a set of code to review which doesn't have a UI? This project will let you practice the basic vulnerabilities without seeing the interface. You will only have the code, and the task is to manually analyse the code and find the issues. Hope you like this idea!
--------------------------------------------------------------------------------

/Flask App/Templates/sl.html:
--------------------------------------------------------------------------------
[HTML markup stripped in this copy; no visible text survived]
--------------------------------------------------------------------------------

/Flask App/Templates/temp.html:
--------------------------------------------------------------------------------
Temp File.
--------------------------------------------------------------------------------

/Flask App/app.py:
--------------------------------------------------------------------------------
from flask import Flask, render_template, request

app = Flask(__name__)

@app.route("/")
def home():
    return render_template('index.html')

# this is the function for the admin backdoor access:
@app.route("/sl", methods=["GET", "POST"])
def adm_log_sec():

    key_adm = ''
    if request.method == "POST":
        key_adm = request.form['key_to_admin']
        # hardcoded secret (vulnerability 1): the admin key lives in the source
        if key_adm == "abcd":
            return render_template('administration.html')
        else:
            return render_template('index.html')
    else:
        return render_template('sl.html')

# implement login process to the app



# the main function this is going to execute like any other main function
if __name__ == "__main__":
    # debug=True exposes the interactive debugger and full stack traces (vulnerability 12)
    app.run(debug=True)
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Damn-Vulnerable-Source-Code

There are a lot of instances when, as security researchers, we may need to analyse source code without a working application front end to understand the functionality. This open source project aims to provide a platform for beginners to start reviewing source code manually without the UI.

The aim of the project is to develop intentionally vulnerable source code in various languages.

At present we are trying to build common vulnerabilities based on the OWASP Top 10.

Contributors are always welcome to the project. We require more people to be a part of the same.

The first project code will be posted on the GitHub repo (Python+Flask) for a start, with the readme containing an application structure and a vulnerability list so that the contributors can start building the application in various languages.

Those who are interested can make the application in whichever language you are comfortable with, including the vulnerabilities listed and maintaining the structure of the application, and create a submission to the GitHub.

Keep an eye on this repo for the updates.


Update (19-Aug-2019)
---------------------

This section provides the pages and the purpose of the pages in the application. Even though we mention the purpose of these pages, this information is ONLY for the development of the application. The contributors can omit the submission of UI related files, images etc. Remember the objective of the project: you ONLY have visibility of the source code.

Naming Conventions and the page details:
-----------------------------------------

Please keep all the pages the same name across the platforms so that the user of the project can have a comparison of each platform and understand how the application works easily.

index.html is the landing page of the application, where a SignIn form and Signup link will be available.

signup.html will be used to create a user in the application.

homepage.html will be used as a landing page for a valid logged in user where additional functionality will be present.

Mainly a form to feed in PII data like credit card info / personal information. This is not a user profile page.

sl.html is a secret page for the admin to login which can be used to run some of his shady stuff.


cust_error.html - this page will act as a place to dump all the errors and exceptions.

style.css - this file is the CSS file which is used.

app.py is the python file where the application logic is written; most of the interesting stuff happens here.

# Vulnerabilities List:

1. Hardcoded secrets like username and password
2. Internal IP disclosure
3. PII data being transferred via URL
4. Insecure usage of Random function
5. Reflected Cross Site Scripting
6. Stored Cross Site Scripting
7. Authorization bypass issues like forced browsing
8. Insecure direct object reference
9. Authentication bypass using SQL Injection
10. Sensitive information disclosed via comments
11. Version disclosures via code and comments
12. Technical information revealed via stacktrace / error message

and more to come ...

Update : 04-05-2020
--------------------

At present this is a dead project due to work and other important stuff going on in life. Once I sort those out I will start working on this one. Till then stay safe and beat the crap out of COVID-19.
--------------------------------------------------------------------------------
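Items 1, 4 and 12 of the list above, together with the `key_adm == "abcd"` check in app.py, are the weak patterns a reviewer is meant to spot. The following added example (not part of the Damn-Vulnerable-Source-Code project) shows the hardened counterparts using only the Python standard library: the admin key read from an environment variable (DVSC_ADMIN_KEY is an assumed name) and compared in constant time with a fail-closed default, voucher codes drawn from `secrets` instead of a home-grown scheme, and an error mapper that keeps exception detail (which in item 12 carries the connection string) in a server-side log rather than in the response. The connection string and internal IP in the demo are constructed sample values.

```python
import hmac
import os
import secrets
import string

# Assumed environment variable name; the project itself defines none.
ADMIN_KEY_ENV = "DVSC_ADMIN_KEY"


def load_admin_key(environ=None):
    """Read the admin key from the environment instead of the source file.

    Returns None when the variable is unset or empty so that callers fail
    closed: no key configured means no admin access, rather than a default.
    """
    env = os.environ if environ is None else environ
    return env.get(ADMIN_KEY_ENV) or None


def admin_key_matches(submitted, expected):
    """Constant-time comparison of the submitted key against the configured one.

    Replaces `if key_adm == "abcd":`. A missing configured key or a missing
    submission never matches; compare_digest avoids timing side channels.
    """
    if not expected or submitted is None:
        return False
    return hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))


VOUCHER_ALPHABET = string.ascii_uppercase + string.digits


def generate_voucher(length=12):
    """Voucher code from the OS CSPRNG (item 4): each character is chosen with
    secrets.choice, so codes are not predictable from earlier ones."""
    return "".join(secrets.choice(VOUCHER_ALPHABET) for _ in range(length))


def is_valid_voucher_format(code, length=12):
    """Cheap syntactic check before any database lookup of a submitted code."""
    return (isinstance(code, str) and len(code) == length
            and all(c in VOUCHER_ALPHABET for c in code))


def safe_error_message(exc, debug=False, log=None):
    """Map an exception to the text a client may receive (item 12).

    With debug=False the client gets a fixed generic message plus a random
    reference id; the real exception text is appended to `log` (a list here
    standing in for the server log). debug=True reproduces what Flask's
    debug mode does: the detail, connection string included, reaches the client.
    """
    detail = "%s: %s" % (type(exc).__name__, exc)
    if log is not None:
        log.append(detail)
    if debug:
        return detail
    return "An internal error occurred (reference %s)." % secrets.token_hex(4)


if __name__ == "__main__":
    # Constructed demo values; in a real deployment the key comes from os.environ.
    key = load_admin_key({ADMIN_KEY_ENV: "example-only-key"})
    print("admin key matches:", admin_key_matches("example-only-key", key))
    print("voucher:", generate_voucher())
    server_log = []
    boom = RuntimeError("Server=10.0.0.5;Database=app;User=sa;Password=hunter2")
    print("client sees:", safe_error_message(boom, log=server_log))
    print("server log :", server_log)
```

In the Flask route the call would be `admin_key_matches(request.form.get('key_to_admin'), load_admin_key())`; because `load_admin_key` returns None when the variable is absent, a deployment that forgets to set it denies every admin attempt instead of accepting a baked-in value.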