This is an intentionally vulnerable web application created for web penetration testing practice and interview purposes. It is designed to help assess a candidate's web security knowledge and penetration testing skills.
WARNING: This application contains deliberate security vulnerabilities. DO NOT deploy it on a production server or expose it to the internet.
- User registration and login with TOTP MFA
- Product catalog and purchasing system
- User profiles
- Company profile with comments
- Admin functionality
This application intentionally includes several security vulnerabilities:
- SQL Injection in the product catalog
- MFA Bypass via an API endpoint
- IDOR (Insecure Direct Object References) in user profiles
- Logic error in payment processing
- Stored XSS in company comments
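As an added illustration of the first item (not code from this application), here is the product-catalog search bug in its vulnerable and hardened forms, written against a small in-memory SQLite table constructed for the example; the table, column names and function names are assumptions, not the app's own schema.

```python
# Added example: "before/after" of a product-catalog search, the class of bug
# listed above. The catalog schema below is constructed for this example.
import sqlite3


def make_catalog() -> sqlite3.Connection:
    """Constructed sample catalog: two public products and one unlisted SKU."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, listed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, listed) VALUES (?, ?)",
        [("Red mug", 1), ("Blue mug", 1), ("Internal test SKU", 0)],
    )
    return conn


def search_products_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Anti-pattern: the user's term is spliced into the SQL text, so quotes
    and comment markers in the input change the query's structure and the
    'listed = 1' filter can be switched off."""
    sql = (
        "SELECT name FROM products WHERE listed = 1 "
        f"AND name LIKE '%{term}%' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def search_products_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Hardened: the term is bound as a parameter, never parsed as SQL, and
    LIKE metacharacters are escaped so '%' or '_' cannot widen the match."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT name FROM products WHERE listed = 1 "
        "AND name LIKE ? ESCAPE '\\' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]
```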
- Install the required dependencies: `pip install -r requirements.txt`
- Run the application: `python app.py`
- Access the application at http://localhost:62292
- Register a new user account
- Set up TOTP using an authenticator app
- Log in with your credentials and TOTP code
- Explore the application and try to find the vulnerabilities
To make a user an admin, you need to:
- Register at least one user
- Find the admin path printed in the console when starting the app (`Admin path: /admin/[random-string]`)
- Promote a user to admin through the admin panel
This application is provided for educational purposes only. The creator takes no responsibility for any misuse or damage caused by this application. Use at your own risk.