A laboratory for learning secure web and mobile development in a practical manner.

Build your lab

By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. 👩‍💻

How do I start?

After forking this repository, you will find multiple intended vulnerable apps based on real-life scenarios in various languages such as Golang, Python and PHP. A good start would be installing the ones you are most familiar with. You can find instructions to do this on each of the apps. 💡

Each of them has an Attack Narrative section that describes how an attacker would exploit the corresponding vulnerability. Before reading any code, it may be a good idea following these steps so you can better understand the attack itself. 💉

Now it's time to shield the application up! Imagine that this is your application and you need to fix these flaws! Your mission is writing new codes that mitigate them and sending a new Pull Request to deploy a secure app! 🔐

How secure is my new code?

After mitigating a vulnerability, you can send a Pull Request to gently ask the secDevLabs community to review your new secure codes. If you're feeling a bit lost, try having a look at this mitigation solution, it might help! 🚀

OWASP Top 10 (2021) apps: 💻

Disclaimer: You are about to install vulnerable apps in your machine! 🔥

Vulnerability	Language	Application
A1 - Broken Access Control	Golang	Vulnerable Ecommerce API
A1 - Broken Access Control	NodeJS	Tic-Tac-Toe
A1 - Broken Access Control	Golang	Camplake-API
A2 - Cryptographic Failures	Golang	SnakePro
A3 - Injection	Golang	CopyNPaste API
A3 - Injection	NodeJS	Mongection
A3 - Injection	Python	SSType
A3 - Injection (XSS)	Python	Gossip World
A3 - Injection (XSS)	React	Comment Killer
A3 - Injection (XSS)	Angular/Spring	Streaming
A4 - Insecure Design	React/Go	Super Recovery Password App
A5 - Security Misconfiguration (XXE)	PHP	ViniJr Blog
A5 - Security Misconfiguration	PHP	Vulnerable Wordpress Misconfig
A5 - Security Misconfiguration	NodeJS	Stegonography
A6 - Vulnerable and Outdated Components	PHP	Cimentech
A6 - Vulnerable and Outdated Components	Python	Golden Hat Society
A7 - Identity and Authentication Failures	Python	Saidajaula Monster Fit
A7 - Identity and Authentication Failures	Golang	Insecure go project
A8 - Software and Data Integrity Failures	Python	Amarelo Designs
A9 - Security Logging and Monitoring Failures	Python	GamesIrados.com

OWASP Top 10 (2016) Mobile apps: 📲

Disclaimer: You are about to install vulnerable mobile apps in your machine! 🔥

Vulnerability	Language	Application
M2 - Insecure Data Storage	Dart/Flutter	Cool Games
M4 - Insecure Authentication	Dart/Flutter	Note Box
M5 - Insufficient Cryptography	Dart/Flutter	Panda Zap

Contributing

We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉

License

This project is licensed under the BSD 3-Clause "New" or "Revised" License - read LICENSE.md file for details. 📖

License

globocom/secDevLabs

About

Topics

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 26

Languages

Packages