DVPWA was inspired by famous dvwa project and bobby-tables xkcd comics. The purpose of this project is to implement real-world like application in Python with as many vulnerabilities as possible while having a good design and intentions.
This project was used as demonstration of vulnerabilities during my Web vulnerabilities presentation at EVO Summer Python Lab'17.
DVPWA is packaged into docker container. All the dependencies described in docker-compose.yml
. You can easiliy run it and its dependencies using a simple command:
Then visit http://localhost:8080 in your favorite browser.
To rebuild the container, please use ./recreate.sh
script, which will delete old container and create new from scratch. This script is primarly used in order to rebuild application image.
If you have screwed up the database (i.e. with DROP TABLE students;
, please issue the following commands to recreate database container:
If for some reasons you cannot use docker or docker-compose you can run the application on your host system.
- Python3.6.2
- PostgreSQL database for data storage
- Redis for session storage
Then visit http://localhost:8080 in your favorite browser.
- Open http://localhost:8080.
- Open browser devtools.
- Get value for
AIOHTTP_SESSION
cookie. - Open http://localhost:8080 in the incognito tab.
- In the incognito tab, change cookie value to the one, obtained in step 3.
- In the normal tab (the one from steps 1-3) log in as any user.
- Refresh page in the incognito tab.
You are now logged in the incognito tab as user from step 6 as well.
Rotate session identifiers on every single login and logout. Rotate session identifiers on every user_id and/or permissions change.
- Open http://localhost:8080.
- Log in as
superadmin:superadmin
. - Go to http://localhost:8080/students/.
- Add new student with the name
Robert'); DROP TABLE students CASCADE; --
.
Table "students" is deleted from database. You observe error message, which says: _"relation "students" does not exist"_.
Never construct database queries using string concatenation. Use library-provided way to pass parameters and query separated. Use ORM.
- Open http://localhost:8080/courses/1/review.
Fill in review content with the following payload:
<b>Is this bold?</b> Yes!
- Submit the review by clicking "Save" button.
- Observe the newly created review. Note that text "Is it bold?" is bold, which means review content is probably neither sanitized on input nor escaped on output.
- Open http://localhost:8080/courses/1/review.
Fill in review content with the following payload:
<script> alert('I am a stored XSS. Your cookies are: ' + document.cookie); </script>
- Submit the review by clicking "Save" button.
- Observe the result.
Now whenever you load http://localhost:8080/courses/1, you will receive an alert, which displays your cookie. You can play with different ways to inject your custom javascript to the page now: event handlers (i.e. <img src="nonexistent" onerror="alert(document.cookie)">
, links with javascript targets, etc.
Escape all untrusted content, when you output it. In this example, to mitigate this kind of attack you can set autoescape=True
when setting up templating engine (Jinja2) in sqli/app.py
. You can also sanitize text, when users input it and prohibit different kinds of code injection.