A deliberately insecure web app to practice exploiting real-world vulnerabilities like SQL Injection, XSS, CSRF, IDOR, and more. Ideal for ethical hacking, CTF prep, and cybersecurity learning.
# VulnVault
  
> A deliberately vulnerable web app built to teach and test real-world security vulnerabilities.
> Great for portfolios, CTFs, red team practice, and application security education.
---
## Screenshots
<table>
<tr>
<td><img src="https://github.com/user-attachments/assets/095f84d6-f3c4-4adb-b69c-661c1e2c9b97" alt="Home Page" width="300"></td>
<td><img src="https://github.com/user-attachments/assets/a1dc1921-e67e-413b-8308-26a9d8322432" alt="SQL Injection" width="300"></td>
</tr>
<tr>
<td align="center">Home Page</td>
<td align="center">Login SQLi</td>
</tr>
</table>
---
## Tech Stack
- **Backend**: Python + Flask
- **Database**: SQLite
- **Frontend**: HTML5, CSS3 (Custom styling)
- **Deployment**: Docker-ready
---
## Vulnerabilities Included
| Vulnerability | OWASP Top 10 | Description |
|---------------|--------------|-------------|
| XSS | A7 | User comments are rendered through Jinja2's `c\|safe` filter, so their HTML is not escaped |
| SQL Injection | A1 | Login bypass using the classic `' OR 1=1 --` |
| CSRF | A5 | Profile update without CSRF tokens |
| IDOR | A4 | Invoices accessible by changing `/invoice/<id>` |
| Insecure File Upload | A8 | Uploads allow arbitrary file types |
| Broken Auth | A2 | No rate limit or session expiration |
| Misconfiguration | A6 | Debug mode enabled, stack traces visible |
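The two first rows of the table, shown as an added example that is not part of VulnVault's code: a login query built by string formatting (the pattern behind the `' OR 1=1 --` bypass) next to the parameterised version, and a comment renderer that mimics `c|safe` next to the escaped default. The `users` table and its single row are constructed here for the demonstration.

```python
import sqlite3
from html import escape


def make_db():
    # Constructed sample schema and row, standing in for the app's SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # Input is pasted into the SQL text, so quotes and '--' change the query's meaning:
    # a username of  ' OR 1=1 --  turns the WHERE clause into "username = '' OR 1=1".
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    # Placeholders hand the values to SQLite separately from the statement text,
    # so the same input is compared literally and matches no row.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_comment(comment, mark_safe=False):
    # mark_safe=True reproduces the effect of `c|safe`: raw HTML passes through.
    # The default escapes <, >, & and quotes, as Jinja2 autoescaping does for
    # Flask's .html templates, so a comment is displayed as text, not executed.
    body = comment if mark_safe else escape(comment, quote=True)
    return "<p>%s</p>" % body


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable login accepts payload:", login_vulnerable(db, payload, "x"))
    print("fixed login accepts payload:     ", login_fixed(db, payload, "x"))
    print("fixed login, real credentials:   ", login_fixed(db, "alice", "s3cret"))
    print(render_comment("<script>alert(1)</script>"))
    print(render_comment("<script>alert(1)</script>", mark_safe=True))
```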
---
## Getting Started
### Requirements
- Python 3.8+
- pip
- Optional: Docker
### Run Locally
```bash
git clone https://github.com/pleontis/VulnVault-A-Deliberately-Insecure-Web-App.git
cd VulnVault-A-Deliberately-Insecure-Web-App
pip install -r requirements.txt
python run.py
```
Then open [http://localhost:5000](http://localhost:5000)
### Docker Setup
```bash
docker build -t vulnvault .
docker run -p 5000:5000 vulnvault
```