diff --git a/README.md b/README.md new file mode 100644 index 00000000..0df2f2a9 --- /dev/null +++ b/README.md @@ -0,0 +1,22 @@ +# DVPWA - Damn Vulnerable Python Web Application + +This project is a purposely vulnerable web application written in Python. It's designed to be a safe environment for learning about and experimenting with common web vulnerabilities. + +## Inputs + +- **User Input:** The application accepts various user inputs, including student names, course details, and reviews. +- **Login Credentials:** Users can log in with a username and password, with an admin user having elevated privileges. + +## Outputs + +- **HTML Pages:** The application renders dynamic HTML pages based on user requests and database content, using Jinja2 templates. +- **Dynamic Content:** Course information, student details, reviews, and evaluation results are displayed dynamically. +- **Error Messages:** The application shows error messages to the user in cases of invalid input or vulnerabilities being exploited, including SQL injection errors and HTTP error codes. + +## Vulnerabilities + +- **Session Fixation:** The application is vulnerable to session fixation, allowing attackers to potentially hijack user sessions. +- **SQL Injection:** User inputs are not properly sanitized, leading to SQL injection vulnerabilities, enabling database manipulation and deletion. +- **Stored XSS:** User-provided review content is not sanitized or escaped, allowing attackers to inject malicious JavaScript code that will be executed by other users. +- **Weak Password Storage:** Passwords are stored as MD5 hashes, which is a weak hashing algorithm, making the passwords susceptible to cracking. +- **CSRF:** Application is also vulnerable to cross-site request forgery.
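Review bot: The Vulnerabilities list does not say where each weakness lives, and the CSRF bullet ("Application is also vulnerable to cross-site request forgery") is the thinnest: it names no affected form or action, whereas the Stored XSS bullet at least points at review content. Suggest giving every bullet the affected input or page, so a learner knows where to look and a maintainer can tell which behaviours are intentional. Two smaller points in the same hunk. The Outputs section says error messages shown to the user include "SQL injection errors"; returning database errors to the client is an information-disclosure weakness in itself and would fit better as its own entry under Vulnerabilities than as a neutral output. The SQL Injection bullet's "not properly sanitized" wording implies sanitization is the fix; since the README is teaching material, it would help to say the queries are not parameterized, if that is the case in the code. Finally, the intro calls this "a safe environment", but the README has no run instructions or note on keeping the deliberately vulnerable application off shared or public networks; a short section on that would back up the claim.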