forked from anxolerd/dvpwa
Commit
patched.codes[bot] committed Nov 4, 2024
1 parent a1d8f89, commit f0392a1
Showing 1 changed file with 28 additions and 0 deletions.
@@ -0,0 +1,28 @@ | ||
# DVPWA - Damn Vulnerable Python Web Application | ||
|
||
This project is a purposely vulnerable web application written in Python, designed for educational purposes in web security. It showcases various common vulnerabilities, including SQL Injection, Session Fixation, Stored XSS, and weak password storage. | ||
|
||
## Inputs | ||
|
||
The application takes several inputs, often directly from user interaction: | ||
|
||
* **User Login:** Username and password for authentication. | ||
* **Student Management:** Allows adding new students with a name field. This is a key area for SQL injection vulnerabilities. | ||
* **Course Management:** Allows adding new courses with title and description fields. | ||
* **Course Reviews:** Accepts review text input, vulnerable to Stored XSS attacks. | ||
* **Student Evaluation:** Accepts numerical points (0-5) as input for student evaluations. | ||
|
||
## Outputs | ||
|
||
The application provides various outputs often based on the user's actions and role: | ||
|
||
* **HTML Pages:** Dynamically generated HTML pages using Jinja2 templates. These pages are susceptible to XSS if the review text is not properly sanitized. | ||
* **Dynamic Content:** Content adjusted based on the logged in user (e.g. admin users see an evaluation form.) | ||
* **Error Messages:** Displayed if something goes wrong, such as invalid login credentials, SQL errors (demonstrates SQL Injection success), or input validation failures. | ||
* **Course/Student listings:** Dynamically displays lists of student and course information pulled from the database. | ||
* **Student Evaluation Results:** Displays past evaluation points for a student in a given course. | ||
* **Course Reviews:** Displays user-submitted reviews for a course. | ||
|
||
## Usage | ||
|
||
This application is intended for security training and testing. Users would interact with the various features to learn about vulnerabilities and practice exploiting or mitigating them. It's crucial to run this application in a controlled environment to avoid any security risks. |
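Review bot: the Usage section at the end of the hunk says the application must be run in a controlled environment but gives no start command and no isolation guidance; add the concrete steps used to bring the app up and state that it should only be reachable from an isolated host or network, since the file itself documents that the app intentionally carries SQL injection and stored XSS. The intro line also names Session Fixation and weak password storage among the showcased vulnerabilities, yet the Inputs and Outputs sections tie only SQL injection (the student name field) and stored XSS (review text) to specific features; list the feature through which each of the other two is exhibited so readers know where to look. Minor style point in the Dynamic Content bullet: the sentence-ending period belongs outside the parenthesis, `(e.g. admin users see an evaluation form).`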