Skip to content

A laboratory for learning secure web and mobile development in a practical manner.

License

Notifications You must be signed in to change notification settings

devopsdemoapps/secDevLabs

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

A laboratory for learning secure web and mobile development in a practical manner.

Build your lab

By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. 👩‍💻

How do I start?

After forking this repository, you will find multiple intended vulnerable apps based on real-life scenarios in various languages such as Golang, Python and PHP. A good start would be installing the ones you are most familiar with. You can find instructions to do this on each of the apps. 💡

Each of them has an Attack Narrative section that describes how an attacker would exploit the corresponding vulnerability. Before reading any code, it may be a good idea following these steps so you can better understand the attack itself. 💉

Now it's time to shield the application up! Imagine that this is your application and you need to fix these flaws! Your mission is writing new codes that mitigate them and sending a new Pull Request to deploy a secure app! 🔐

How secure is my new code?

After mitigating a vulnerability, you can send a Pull Request to gently ask the secDevLabs community to review your new secure codes. If you're feeling a bit lost, try having a look at this mitigation solution, it might help! 🚀

OWASP Top 10 (2017) apps: 💻

Disclaimer: You are about to install vulnerable apps in your machine! 🔥

Vulnerability Language Application
A1 - Injection Golang CopyNPaste API
A1 - Injection NodeJS Mongection
A1 - Injection Python SSType
A2 - Broken Authentication Python Saidajaula Monster Fit
A2 - Broken Authentication Golang Insecure go project
A3 - Sensitive Data Exposure Golang SnakePro
A4 - XML External Entities (XXE) PHP ViniJr Blog
A5 - Broken Access Control Golang Vulnerable Ecommerce API
A5 - Broken Access Control NodeJS Tic-Tac-Toe
A6 - Security Misconfiguration PHP Vulnerable Wordpress Misconfig
A6 - Security Misconfiguration NodeJS Stegonography
A7 - Cross-Site Scripting (XSS) Python Gossip World
A7 - Cross-Site Scripting (XSS) React Comment Killer
A7 - Cross-Site Scripting (XSS) Angular/Spring Streaming
A8 - Insecure Deserialization Python Amarelo Designs
A9 - Using Components With Known Vulnerabilities PHP Cimentech
A10 - Insufficient Logging & Monitoring Python GamesIrados.com

OWASP Top 10 (2016) Mobile apps: 📲

Disclaimer: You are about to install vulnerable mobile apps in your machine! 🔥

Vulnerability Language Application
M2 - Insecure Data Storage Dart/Flutter Cool Games
M4 - Insecure Authentication Dart/Flutter Note Box
M5 - Insufficient Cryptography Dart/Flutter Panda Zap

Contributing

We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉

License

This project is licensed under the BSD 3-Clause "New" or "Revised" License - read LICENSE.md file for details. 📖

About

A laboratory for learning secure web and mobile development in a practical manner.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • PHP 44.3%
  • JavaScript 19.5%
  • CSS 13.6%
  • HTML 12.8%
  • SCSS 2.7%
  • Less 2.3%
  • Other 4.8%