A hands-on project demonstrating common web security vulnerabilities and their mitigation. This lab contrasts a vulnerable implementation (v1) with a secure one (v2).
This project provides a practical demonstration of fixing a critical security flaw. It is structured into two versions:
- v1: A version with a direct SQL injection vulnerability, showing how improper query construction can be exploited.
- v2: A refactored version that uses prepared statements to prevent SQL injection, demonstrating a secure way to handle database queries.
The goal is to provide a clear, hands-on example for developers to understand and prevent common security risks.
The system architecture is straightforward, consisting of a Python backend that interacts with a SQLite database. The key difference between v1 and v2 lies in how the database queries are handled.
| Category | Technology | Purpose |
|---|---|---|
| Language | Python | Backend logic |
| Database | SQLite | Data storage |
| Interaction | Command-Line | User input for login |
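The difference the table and the paragraph above describe, shown as an added example that is not the lab's own code: a hypothetical `login_v1` splices user input into the SQL text the way v1 does, while `login_v2` binds it as a parameter the way v2 does. The `users` table, the credentials and the `' OR '1'='1` payload are constructed here for the demonstration; passwords are compared in plain text only to mirror the lab's minimal design, a real application would hash them.

```python
import sqlite3

# Constructed sample accounts for the demo (not the lab's data).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_v1(conn, username, password):
    """v1-style query: input is concatenated into the SQL string.

    The quote characters in the input are parsed as SQL, so a value such as
    ' OR '1'='1 turns the WHERE clause into a tautology.
    """
    query = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_v2(conn, username, password):
    """v2-style query: placeholders are bound to values by the driver.

    The input is never parsed as SQL, so the same payload is just a string
    that matches no stored password.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("v1 with real password :", login_v1(db, "alice", "s3cret"))
    print("v1 with injection     :", login_v1(db, "alice", payload))
    print("v2 with real password :", login_v2(db, "alice", "s3cret"))
    print("v2 with injection     :", login_v2(db, "alice", payload))
```

Running the script shows `login_v1` accepting the injected password for any username, while `login_v2` rejects it; the only change between the two functions is how the values reach the database.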
This project uses Flask.
- Create a virtual environment:
  python3 -m venv venv
- Activate the virtual environment:
  - On Windows:
    venv\Scripts\activate
  - On macOS and Linux:
    source venv/bin/activate
- Install dependencies. The project lists two dependency sets; the first is the minimal one, the second also pulls in flask-bcrypt, flask-limiter and itsdangerous:
  pip install flask
  pip install flask flask-bcrypt flask-limiter itsdangerous
- Scope: This lab focuses solely on SQL injection and does not cover other vulnerabilities.
- Simplicity: The application is intentionally minimal to keep the focus on the security concept.
- Environment: It is a command-line application and does not simulate a full web environment (no session management, password hashing, and so on).
