
freelabz/devsecops-app


DevSecOps App

A deliberately vulnerable Flask application for DevSecOps training and testing purposes.

Features

  • Flask API with multiple vulnerable endpoints
  • Login form with HTML/CSS
  • FTP integration with environment variable configuration
  • Docker and Docker Compose support

Quick Start

Using Docker Compose

  1. Build and start all services:

     docker-compose up -d

  2. Access the application:

  3. Stop the services:

     docker-compose down

Using Docker Only

Build the image:

docker build -t devsecops-api .

Run the container:

docker run -p 5000:5000 -e FTP_HOST=ftp.example.com devsecops-api

API Endpoints

  • GET / - Hello World
  • GET /login-form - HTML login form with CSS
  • POST /login - Login endpoint (SQL injection vulnerable)
  • POST /register - User registration (weak hashing)
  • GET /debug - Debug endpoint (code injection vulnerable)
  • GET /ftp - FTP file listing
  • POST /execute - Command execution (command injection vulnerable)

Environment Variables

  • FTP_HOST - FTP server hostname (default: ftp.example.com)

FTP Server

The docker-compose setup includes an FTP server with:

  • Username: admin
  • Password: hardcodedpassword
  • Contains fake sensitive files for testing:
    • credentials.txt
    • customer_data.csv
    • internal_memo.txt

Security Warning

⚠️ WARNING: This application contains intentional security vulnerabilities for educational purposes. Do NOT use in production or expose to the internet.

Known vulnerabilities include:

  • SQL Injection
  • Command Injection
  • Code Injection (eval)
  • Hardcoded credentials
  • Weak password hashing (MD5)
  • Debug mode enabled
  • Sensitive data exposure
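As an added illustration of what fixing the /login and /register weaknesses listed above looks like (example code written for this page, not the repository's own implementation): a parameterized user lookup in place of a string-built query, and salted PBKDF2-HMAC-SHA256 in place of unsalted MD5. The SQLite schema and the work factor are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def make_db() -> sqlite3.Connection:
    # Constructed in-memory schema for the example, not the repository's real table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash instead of the unsalted MD5 the README lists as a weakness.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt
    # Placeholders (?) pass values separately from the SQL text, so quotes or
    # other metacharacters in the username are stored as data, never parsed as SQL.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Contrast with the vulnerable pattern f"... WHERE username = '{username}'",
    # where the input becomes part of the query. Here the lookup is parameterized
    # and the hash comparison is constant-time.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so unknown and known usernames take similar time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))
```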

License

See LICENSE file for details.
