flask-webgoat is a deliberately-vulnerable application written with the Flask web framework.
(_(
/_/'_____/)
" | |
|""""""|
โโโโโโโโโโโ โโโโโโ โโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโโโโโโ โโโโโโโ โโโโโโโ โโโโโโ โโโโโโโโโ
โโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโโ โโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโ โโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโ โโ โโโโโโโโโ โโโโโโโโโโโ โโโโโโโ โโโโโโโโโโโ โโโ
โโโโโโ โโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ โโโโโโโโโโโ โโโโโโ โโโโโโโโโโโ โโโ
โโโ โโโโโโโโโโโ โโโโโโโโโโโโโโ โโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโ
โโโ โโโโโโโโโโโ โโโโโโโโโโโโโโ โโโ โโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโ โโโโโโโ โโโ โโโ โโโ
python -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt
FLASK_APP=run.py flask run
This project contains the following vulnerabilities:
- Remote Code Execution
- SQL injection
- Insecure Deserialization
- Directory Traversal
- Open Redirect
- Sensitive Data Exposure
- Broken Access Control
- Security Misconfiguration
You can find each one in the codebase by grepping for the string
vulnerability:
$ grep vulnerability . -R -n | grep -v README
./flask_webgoat/actions.py:43: # vulnerability: Remote Code Execution
./flask_webgoat/users.py:37: # vulnerability: SQL Injection
./flask_webgoat/auth.py:17: # vulnerability: SQL Injection
./flask_webgoat/actions.py:60: # vulnerability: Insecure Deserialization
./flask_webgoat/actions.py:35: # vulnerability: Directory Traversal
./flask_webgoat/auth.py:45: # vulnerability: Open Redirect
./flask_webgoat/__init__.py:12: # vulnerability: Sensitive Data Exposure
./run.py:7: # vulnerability: Broken Access Control
./run.py:9: # vulnerability: Security Misconfiguration