A laboratory for learning secure web and mobile development in a practical manner.
This fork has been created to add CTF-like flags in the following applications :
- Tic-Tac-Toe
- modifications done
- changed DB port exposition
- SnakePro
- no changes needed in app
- changed DB port exposition
- Gossip World
- no changes needed in app
- added a python script
- changed DB port exposition
- CopyNPaste API
- no changes needed in app
- changed DB port exposition
- SSType
- ViniJr Blog
- no changes needed in app
- Stegonography
- no changes needed in app
- changed DB port exposition
- changed app port
- Cimentech
- no changes needed in app
- changed DB port exposition
- changed app port
- Golden Hat Society
- added flag in app script
- Saidajaula Monster Fit
- added flag in app script
- changed DB port exposition
- Amarelo Designs
- no changes needed in app
- GamesIrados.com
- added a coupon and a fonction reset_flag_coupon
- changed DB port exposition
When starting an app with a flag, just start it with make ctf flag=YouFlag{Wh4tev3risUrFl4g}
instead of make install
. Some apps require a 2nd parameter, such as the coupon for GamesIrados. use make help
to see the syntax.
Also, some ports bindings have been changed, in order to have all the applications up at the same time
By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. 👩💻
After forking this repository, you will find multiple intended vulnerable apps based on real-life scenarios in various languages such as Golang, Python and PHP. A good start would be installing the ones you are most familiar with. You can find instructions to do this on each of the apps. 💡
Each of them has an Attack Narrative
section that describes how an attacker would exploit the corresponding vulnerability. Before reading any code, it may be a good idea following these steps so you can better understand the attack itself. 💉
Now it's time to shield the application up! Imagine that this is your application and you need to fix these flaws! Your mission is writing new codes that mitigate them and sending a new Pull Request to deploy a secure app! 🔐
After mitigating a vulnerability, you can send a Pull Request to gently ask the secDevLabs community to review your new secure codes. If you're feeling a bit lost, try having a look at this mitigation solution, it might help! 🚀
Disclaimer: You are about to install vulnerable apps in your machine! 🔥
Vulnerability | Language | Application |
---|---|---|
A1 - Broken Access Control | Golang | Vulnerable Ecommerce API |
A1 - Broken Access Control | NodeJS | Tic-Tac-Toe |
A1 - Broken Access Control | Golang | Camplake-API |
A2 - Cryptographic Failures | Golang | SnakePro |
A3 - Injection | Golang | CopyNPaste API |
A3 - Injection | NodeJS | Mongection |
A3 - Injection | Python | SSType |
A3 - Injection (XSS) | Python | Gossip World |
A3 - Injection (XSS) | React | Comment Killer |
A3 - Injection (XSS) | Angular/Spring | Streaming |
A5 - Security Misconfiguration (XXE) | PHP | ViniJr Blog |
A5 - Security Misconfiguration | PHP | Vulnerable Wordpress Misconfig |
A5 - Security Misconfiguration | NodeJS | Stegonography |
A6 - Vulnerable and Outdated Components | PHP | Cimentech |
A6 - Vulnerable and Outdated Components | Python | Golden Hat Society |
A7 - Identity and Authentication Failures | Python | Saidajaula Monster Fit |
A7 - Identity and Authentication Failures | Golang | Insecure go project |
A8 - Software and Data Integrity Failures | Python | Amarelo Designs |
A9 - Security Logging and Monitoring Failures | Python | GamesIrados.com |
Disclaimer: You are about to install vulnerable mobile apps in your machine! 🔥
Vulnerability | Language | Application |
---|---|---|
M2 - Insecure Data Storage | Dart/Flutter | Cool Games |
M4 - Insecure Authentication | Dart/Flutter | Note Box |
M5 - Insufficient Cryptography | Dart/Flutter | Panda Zap |
We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉
This project is licensed under the BSD 3-Clause "New" or "Revised" License - read LICENSE.md file for details. 📖