Vulpy – Web Application Security Lab

Vulpy is a web application developed in Python / Flask / SQLite that has two faces.

GOOD: Tries to code with secure development best practices in mind.

BAD: Tries to code like (possibly) you. :p

Features

• Login/Logout
• Read posts from other users
• Publish posts
• Multi-Factor Authentication (MFA)
• API for read and write posts
• Content Security Policy
• SSL/TLS Server

Vulnerabilities

Some of the vulnerabilities present on the “BAD” version:

• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (CSRF)
• Session Impersonation
• Insecure Deserialization
• Authentication Bruteforce
• Authentication Bypass

Database Initialization

Both, “BAD” and “GOOD” versions, requires an initialization of the database.

This is done with the script “db_init.py” inside each of the directories (bad, and good).

Each version has its own sqlite files for the users and posts.

The execution of the script is, for example:

cd bad
./db_init.py

Install

git clone https://github.com/portantier/vulpy.git
cd vulpy
pip3 install –user -r requirements.txt

Default Credentials

After database initialization, three users are created:

Username    Password
--------    -----------
admin       SuperSecret
elliot      123123123
tim         12345678

You can log in with any user, the application doesn’t have a permissions system, so, the three have the same permissions.

Copyright (c) 2019 Fabian Martinez Portantier

Source: https://github.com/portantier/