flask-webgoat is a deliberately-vulnerable application written with the Flaskweb framework.
(_( /_/'_____/) " | | |""""""|███████╗██╗ █████╗ ███████╗██╗ ██╗ ██╗ ██╗███████╗██████╗ ██████╗ ██████╗ █████╗ ████████╗██╔════╝██║ ██╔══██╗██╔════╝██║ ██╔╝ ██║ ██║██╔════╝██╔══██╗██╔════╝ ██╔═══██╗██╔══██╗╚══██╔══╝█████╗ ██║ ███████║███████╗█████╔╝ ██║ █╗ ██║█████╗ ██████╔╝██║ ███╗██║ ██║███████║ ██║██╔══╝ ██║ ██╔══██║╚════██║██╔═██╗ ██║███╗██║██╔══╝ ██╔══██╗██║ ██║██║ ██║██╔══██║ ██║██║ ███████╗██║ ██║███████║██║ ██╗ ╚███╔███╔╝███████╗██████╔╝╚██████╔╝╚██████╔╝██║ ██║ ██║╚═╝ ╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
python -m venv .venv. .venv/bin/activatepip install -r requirements.txtFLASK_APP=run.py flask run
This project contains the following vulnerabilities:
- Remote Code Execution
- SQL injection
- Insecure Deserialization
- Directory Traversal
- Open Redirect
- Sensitive Data Exposure
- Broken Access Control
- Security Misconfiguration
You can find each one in the codebase by grepping for the stringvulnerability:
$ grep vulnerability . -R -n | grep -v README./flask_webgoat/actions.py:43: # vulnerability: Remote Code Execution./flask_webgoat/users.py:37: # vulnerability: SQL Injection./flask_webgoat/auth.py:17: # vulnerability: SQL Injection./flask_webgoat/actions.py:60: # vulnerability: Insecure Deserialization./flask_webgoat/actions.py:35: # vulnerability: Directory Traversal./flask_webgoat/auth.py:45: # vulnerability: Open Redirect./flask_webgoat/__init__.py:12: # vulnerability: Sensitive Data Exposure./run.py:7: # vulnerability: Broken Access Control./run.py:9: # vulnerability: Security Misconfiguration