# Python Vulnerable Web Lab 🛡️🐍

A hands-on web application security lab built with Flask and SQLite.

This project is intentionally designed to run in two modes:

- 🔴 **Vulnerable mode** — insecure implementations for learning how attacks work
- 🟢 **Secure mode** — hardened implementations showing how to fix them

The goal is to understand vulnerabilities by building them first, then securing them.
## 🚀 Features (Current)

- User registration
- User login
- Session-based authentication
- Logout functionality
- `/me` endpoint to inspect the current logged-in user
- Environment-based security toggle (`APP_MODE`)
- SQLite database backend
## ⚙️ Tech Stack

- Python 3
- Flask — web framework
- SQLite — lightweight database
- Werkzeug — password hashing (secure mode)
## 🧪 Application Modes

This application switches behavior using an environment variable:

```
APP_MODE=vulnerable
```

### 🔴 Vulnerable Mode

- Passwords stored in plaintext
- Weak authentication logic
- Intentionally insecure patterns for learning

### 🟢 Secure Mode

- Password hashing
- Improved authentication logic
- Safer session handling
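The following is an added example, not the lab's own `app.py`, showing what the `APP_MODE` toggle means for password storage: the same register/login functions run in both modes against an in-memory SQLite `users` table, so you can see exactly what ends up on disk in each case. The table name, column names and function names are constructed for this illustration; Werkzeug's `generate_password_hash`/`check_password_hash` (which the lab uses in secure mode) are replaced here by the standard library's `hashlib.pbkdf2_hmac` so the snippet runs without Flask installed.

```python
"""Added example (not the project's code): APP_MODE applied to password storage.

Assumptions, constructed for this illustration: the `users` table, its columns,
the function names below, and defaulting a missing APP_MODE to "secure".
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # demo cost; raise for real deployments


def current_mode() -> str:
    """Read the mode from APP_MODE, as the lab's toggle does.
    Defaulting to 'secure' (an assumption) means a missing variable never
    silently selects the insecure path."""
    return os.environ.get("APP_MODE", "secure")


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with a minimal users table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    return conn


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; salt and iteration count travel with the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record: wrong field count, bad hex or non-integer iterations.
        return False


def register(conn: sqlite3.Connection, username: str, password: str,
             mode: Optional[str] = None) -> None:
    """Vulnerable mode writes the password as given; secure mode stores only a hash.
    The INSERT is parameterised in both modes: this toggle is about storage,
    not about SQL injection."""
    mode = mode or current_mode()
    stored = password if mode == "vulnerable" else hash_password(password)
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, stored))
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str,
          mode: Optional[str] = None) -> bool:
    """Return True if the credentials match what is stored for username."""
    mode = mode or current_mode()
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    if mode == "vulnerable":
        return row[0] == password  # plaintext comparison
    return verify_password(row[0], password)


def stored_password(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """What anyone who can read the database file sees for this user."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    for mode in ("vulnerable", "secure"):
        conn = open_db()
        register(conn, "alice", "correct horse", mode)
        print(mode, "login ok:", login(conn, "alice", "correct horse", mode))
        print(mode, "stored value:", stored_password(conn, "alice"))
```

Run it with `APP_MODE` unset and both modes are exercised explicitly; the printed stored value is the whole lesson of the toggle, since in vulnerable mode a database dump is a credential dump, while in secure mode the record carries only a salt and a slow hash. The `verify_password` function also rejects malformed or foreign-scheme records rather than raising, so a corrupted row fails closed.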
## 🛠️ Local Setup Instructions

### 1️⃣ Clone the repository

```bash
git clone https://github.com/YOUR_USERNAME/python-vulnerable-web-lab.git
cd python-vulnerable-web-lab
```

### 2️⃣ Create and activate a virtual environment

```bash
python -m venv .venv
source .venv/bin/activate   # macOS / Linux
```

### 3️⃣ Install dependencies

```bash
pip install -r requirements.txt
```

### 4️⃣ Create environment configuration

```bash
cp .env.example .env
```

Edit `.env` and set:

```
APP_MODE=vulnerable
FLASK_SECRET_KEY=change-me
```

Replace `change-me` with a long random value: Flask signs session cookies with `FLASK_SECRET_KEY`, so a guessable key lets anyone forge a session.

### 5️⃣ (Optional) Seed the database

```bash
python seed.py
```

### 6️⃣ Run the application

```bash
python app.py
```

Visit in your browser:

```
http://127.0.0.1:5000/register
```
## 🧠 Learning Objectives

This lab is built to practice:

- Authentication flows
- Session management
- Password storage mistakes
- Secure vs insecure coding patterns
- OWASP Top 10 concepts
## 🗺️ Roadmap

## 📎 Disclaimer

This repository intentionally contains insecure patterns for educational purposes only.

Do not use this code as-is in production environments.

## ✨ Author

Built as a hands-on web security learning project.