/not-slithering-anywhere

The Python Version of our Not Go-ing Anywhere Vulnerable Application

Primary LanguagePythonApache License 2.0Apache-2.0

Overview

Not Slithering Anywhere is the Python(3) version of our Not Go-ing Anywhere vulnerable application. It is meant to demonstrate a number of security issues commonly found in Python applications, as well as serve as the basis for static & dynamic tool testing grounds.

Getting started

  1. Setup a venv ala python3 -m venv ~/.venv/class
  2. Enter your venv ala source ~/.venv/class/bin/activate
  3. Install dependencies: pip3 install -r requirements.txt
  4. Run the class: python3 app.py

The class itself uses common libraries such as flask, SQLAlchemy, and jinja2 to explain vulnerabilities.

Expected Vulernabilities

Server

  1. Server Misconfiguration
    1. CORS
    2. Caching
  2. Injection Related
    1. XSS (technically separate according to OWASP)
    2. SQLi
    3. Server-Side Template Inclusion (SSTI)
  3. Incorrect data validation (paths)
  4. AuthN/AuthZ failures

General Python

  1. Unix & Python Environment
  2. Keys & Sensitive Data Storage
  3. Pickles & Serialization
  4. Dependencies & Tooling