The main goal of this project is to provide a laboratory for those who are interested in learning about web security development in a practical manner.
By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable code can be fixed to mitigate them. 👩💻
After forking this repository, you will find multiple intended vulnerable apps based on real life cenarios in various languages such as Golang, Python and PHP. A good start would be installing the ones you are most familiar with. 💡
Each of them has an Attack Narrative
section that describes how an attacker would exploit the corresponding vulnerability. Before reading any code, it may be a good idea following these steps so you can better understand the attack itself. 💉
Now it's time to shield the application up! Imagine that this is your application and you need to fix these flaws! Your mission is writing new code that mitigates them and sending a new Pull Request to deploy a secure app! 🔐
After mitigating a vulnerability, you can send a Pull Request to gently ask secDevLabs community to review your new secure code. If you're feeling a bit lost, try having a look at this mitigation solution, it might help! 🚀
Disclaimer: You are about to install vulnerable apps in your machine! 🔥
Vulnerability | Language | Application |
---|---|---|
A1 - Injection | Golang | CopyNPaste API |
A2 - Broken Authentication | Python | Saidajaula Monster Fit |
A2 - Broken Authentication | Golang | Insecure go project |
A3 - Sensitive Data Exposure | Golang | SnakePro |
A4 - XML External Entities (XXE) | PHP | ViniJr Blog |
A5 - Broken Access Control | Golang | Vulnerable Ecommerce API |
A6 - Security Misconfiguration | PHP | Vulnerable Wordpress Misconfig |
A6 - Security Misconfiguration | NodeJS | Stegonography |
A7 - Cross-Site Scripting (XSS) | Python | Gossip World |
A8 - Insecure Deserialization | Python | Amarelo Designs |
A9 - Using Components With Known Vulnerabilities | PHP | Cimentech |
A10 - Insufficient Logging & Monitoring | Python | GamesIrados.com |
We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉
This project is licensed under the BSD 3-Clause "New" or "Revised" License - read LICENSE.md file for details. 📖