A web application with several vulnerabilities for demonstration purposes. Included vulnerabilities:
- Broken authentication
- Broken session management
- SQL Injection
- Security Misconfiguration
- Cross Site Scripting
Clone the repository (URL as used in the TruffleHog command below), build the image and run it:
git clone https://github.com/immerio/websecdemos
cd websecdemos
docker build -t websecdemos .
docker run -d --rm -p 127.0.0.1:5000:5000 websecdemos
or with docker-compose installed:
docker-compose up -d
Then browse to http://localhost:5000
With Python3 and Pip installed:
pip install -r requirements.txt
python demos.py
Then browse to http://localhost:5000
Go to /select and choose one of the included demos. There is a short help text for each demo at /help.
There are some (invalid) AWS secrets checked into the code. These can be discovered with TruffleHog or any other secret scanning tool:
sudo docker run --rm -it trufflesecurity/trufflehog:latest git https://github.com/immerio/websecdemos
or if running on a local repo:
sudo docker run --rm -it -v "$PWD:/repo" trufflesecurity/trufflehog:latest git file:///repo
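As an added example (not part of websecdemos or TruffleHog), the scanner below shows the two checks such tools combine: a regex for the shape of a credential and an entropy gate that drops placeholder values of the right shape. It assumes the checked-in secrets look like an AWS access key ID / secret access key pair; the sample content is constructed, and its key values are the placeholders AWS uses in its own documentation, not live credentials.

```python
import math
import re
from collections import Counter
from pathlib import Path

# Token shapes modelled on AWS credentials (an assumption about what the
# demo's checked-in secrets look like; the README only says "AWS secrets").
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_\-\s]*secret[_\-\s]*(?:access)?[_\-\s]*key\W{0,3}[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random 40-char secrets score ~4.5+, repeats/prose far less."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<string>", min_entropy: float = 4.0) -> list:
    """Return one finding dict per credential-shaped token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            # Key IDs are identifiers, not secrets, so they are reported in full.
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(0)})
        for m in AWS_SECRET_RE.finditer(line):
            token = m.group(1)
            # Entropy gate: "xxxx..." or "0000..." matches the shape but is a placeholder.
            if shannon_entropy(token) >= min_entropy:
                # Mask the secret so the scanner's own output does not leak it.
                findings.append({"source": source, "line": lineno,
                                 "kind": "aws_secret_access_key",
                                 "value": token[:4] + "..." + token[-4:]})
    return findings


def scan_paths(root: str,
               suffixes=(".py", ".cfg", ".ini", ".json", ".yml", ".yaml", ".txt", ".md")) -> list:
    """Scan the working tree under `root`, skipping the .git directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.suffix.lower() not in suffixes and path.name != ".env":
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        findings.extend(scan_text(text, source=str(path)))
    return findings


# Constructed sample file content (the key values are AWS's documentation placeholders).
SAMPLE_CONFIG = "\n".join([
    "[default]",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "",
    "[placeholder]",
    "aws_secret_access_key = " + "x" * 40,  # right shape, zero entropy: gated out
])


if __name__ == "__main__":
    import sys
    hits = scan_paths(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "sample")
    for h in hits:
        print(f"{h['source']}:{h['line']}: {h['kind']} {h['value']}")
```

Run it with a directory argument to scan a checkout, or without one to scan the embedded sample. Note that this only looks at the current working tree: a secret that was committed and later deleted is still recoverable from history, which is why the TruffleHog commands above use its `git` mode rather than a plain filesystem scan.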