• Stars: 894
• Rank: 51,071 (Top 2 %)
• Language: PHP
• License: BSD 3-Clause "New...
• Created: about 6 years ago
• Updated: 3 months ago

Repository Details

A laboratory for learning secure web and mobile development in a practical manner.

Build your lab

By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how the vulnerable code can be fixed to mitigate them.

How do I start?

After forking this repository, you will find multiple intentionally vulnerable apps based on real-life scenarios, written in various languages such as Golang, Python and PHP. A good start would be installing the ones you are most familiar with. You can find instructions for this in each of the apps.

Each of them has an Attack Narrative section that describes how an attacker would exploit the corresponding vulnerability. Before reading any code, it may be a good idea to follow these steps so you can better understand the attack itself.

Now it's time to shield the application! Imagine that this is your application and you need to fix these flaws. Your mission is to write new code that mitigates them and to send a new Pull Request to deploy a secure app!

How secure is my new code?

After mitigating a vulnerability, you can send a Pull Request to gently ask the secDevLabs community to review your new secure code. If you're feeling a bit lost, try having a look at this mitigation solution; it might help!

OWASP Top 10 (2021) apps:

Disclaimer: You are about to install vulnerable apps on your machine!

Vulnerability | Language | Application
A1 - Broken Access Control | Golang | Vulnerable Ecommerce API
A1 - Broken Access Control | NodeJS | Tic-Tac-Toe
A1 - Broken Access Control | Golang | Camplake-API
A2 - Cryptographic Failures | Golang | SnakePro
A3 - Injection | Golang | CopyNPaste API
A3 - Injection | NodeJS | Mongection
A3 - Injection | Python | SSType
A3 - Injection (XSS) | Python | Gossip World
A3 - Injection (XSS) | React | Comment Killer
A3 - Injection (XSS) | Angular/Spring | Streaming
A4 - Insecure Design | React/Go | Super Recovery Password App
A5 - Security Misconfiguration (XXE) | PHP | ViniJr Blog
A5 - Security Misconfiguration | PHP | Vulnerable Wordpress Misconfig
A5 - Security Misconfiguration | NodeJS | Stegonography
A6 - Vulnerable and Outdated Components | PHP | Cimentech
A6 - Vulnerable and Outdated Components | Python | Golden Hat Society
A7 - Identity and Authentication Failures | Python | Saidajaula Monster Fit
A7 - Identity and Authentication Failures | Golang | Insecure go project
A8 - Software and Data Integrity Failures | Python | Amarelo Designs
A9 - Security Logging and Monitoring Failures | Python | GamesIrados.com

OWASP Top 10 (2016) Mobile apps:

Disclaimer: You are about to install vulnerable mobile apps on your machine!

Vulnerability | Language | Application
M2 - Insecure Data Storage | Dart/Flutter | Cool Games
M4 - Insecure Authentication | Dart/Flutter | Note Box
M5 - Insufficient Cryptography | Dart/Flutter | Panda Zap

Contributing

We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed!

License

This project is licensed under the BSD 3-Clause "New" or "Revised" License - read the LICENSE.md file for details.

More Repositories

1. m3u8 (Python, 2,027 stars): Python m3u8 Parser for HTTP Live Streaming (HLS) Transmissions
2. megadraft (JavaScript, 1,210 stars): Megadraft is a Rich Text editor built on top of Facebook's Draft.JS featuring a nice default base of components and extensibility
3. huskyCI (Go, 572 stars): Performing security tests inside your CI
4. react-native-draftjs-render (JavaScript, 386 stars): React Native render for draft.js model
5. database-as-a-service (Python, 368 stars): Database as a service (DBaaS) that allows users to quickly and easily deploy and manage database instances using cloud infrastructure
6. gitlab-ci-monitor (JavaScript, 177 stars): A simple dashboard for monitoring GitLab CI builds. Alpha version.
7. share-bar (JavaScript, 159 stars): A pure JS plugin to generate a share bar for social media, used by Globo.com.
8. sawpf (JavaScript, 154 stars): Save the web, please
9. GloboDNS (Ruby, 139 stars): API to manage Bind Name Server
10. opensource (JavaScript, 133 stars): Get to know the Open Source projects at Globo.com
11. slo-generator (Go, 129 stars): Easily set up a service level objective using Prometheus
12. destaque (JavaScript, 125 stars): Destaque is a simple slideshow plugin with built-in parallax effect.
13. dojo (JavaScript, 120 stars): Dojos held at Globo.com over the last few years.
14. hlsclient (TypeScript, 105 stars): Python HLS Client
15. tornado-es (Python, 96 stars): A tornado-powered Python library that provides asynchronous access to Elasticsearch
16. GloboNetworkAPI (Python, 85 stars): API to automate IP networking management, resource allocation and provisioning.
17. tapioca (Python, 77 stars): Tapioca is a small and flexible micro-framework on top of Tornado. It provides a simpler way to create RESTful APIs.
18. prettylog (Go, 65 stars): Logs for human beings
19. redis-healthy (Go, 63 stars): Periodically retrieves metrics from Redis (or Sentinel) and sends them to Logstash
20. nautilus.js (JavaScript, 59 stars): [separated fork] Async JavaScript loader & dependency manager in ~600B [gzipped]
21. loopback-jsonschema (JavaScript, 57 stars): Adds JSON Schema support to LoopBack
22. echo-prometheus (Go, 52 stars): Middleware for echo v4 to instrument all handlers as metrics
23. functions (JavaScript, 49 stars): DEPRECATED: An Open Source Serverless Platform
24. kong-plugin-proxy-cache (Lua, 46 stars): A proxy caching plugin for Kong that makes it fast and easy to configure caching of responses and serving of those cached responses from Redis
25. content-gateway-ruby (Ruby, 45 stars): An easy way to get external content with two cache levels. The first is a performance cache and the second is the stale cache
26. pluct (Python, 39 stars): A JSON Hyper Schema client that allows hypermedia navigation and resource validation
27. tornado-cors (Python, 38 stars): Makes it easier to add CORS support to tornado apps.
28. react-native-ua (Objective-C, 37 stars): React Native module for Urban Airship
29. alchemetrics (Elixir, 35 stars): Elixir metrics reporter and collector
30. responsive-hub (JavaScript, 34 stars): JavaScript goodies for Responsive Design
31. alf (Python, 32 stars): Python OAuth2 Client
32. derpconf (Python, 31 stars): derpconf abstracts loading configuration files for your app.
33. glog-cli (Python, 28 stars)
34. gifv-player (JavaScript, 25 stars): JavaScript library for playing video files with gif fallback
35. go-buffer (Go, 24 stars): Asynchronous data buffer for Go applications
36. gothumbor (Go, 23 stars): Golang client for Thumbor Image Service
37. huskyCI-dashboard (JavaScript, 23 stars): Frontend to display data from huskyCI analyses
38. go-redis-opentracing (Go, 22 stars): go-redis hook to collect OpenTracing spans
39. vault (Python, 22 stars): Admin webapp for OpenStack's Keystone and Swift
40. gsenha (JavaScript, 22 stars): GSenha is a password manager designed to avoid information leakage in the case of a compromise.
41. go-redis-prometheus (Go, 21 stars): go-redis hook to export Prometheus metrics
42. letrilizar (JavaScript, 21 stars): Turn quotes into images and share them!
43. gsh (Go, 21 stars): GSH is an OpenID Connect-compatible authentication system for systems using OpenSSH servers
44. galf (Go, 20 stars): Go OAuth2 Client
45. azkaban-cli (Python, 20 stars): CLI for Azkaban 3 API access and flow upload.
46. tornado-prometheus (Python, 20 stars): HTTP metrics for a tornado application
47. GloboNetworkAPI-WebUI (Python, 20 stars): Web UI for GloboNetworkAPI
48. gitlab-lint (Go, 19 stars): An open source gitlab linting utility
49. zabbix-scripts (Python, 19 stars): A collection of scripts to ease Zabbix administration
50. oauth2u (Python, 18 stars): OAuth 2 server implementation
51. view-port (Kotlin, 18 stars): Viewport-Android is a library that aims to track items from a RecyclerView which remain visible in a given region of the screen (view port) for a minimum time of 250 milliseconds.
52. mugshot (Ruby, 18 stars)
53. gitlab-lint-react (JavaScript, 17 stars): An open source gitlab linting utility
54. tornado-alf (Python, 17 stars): Tornado OAuth 2 client
55. measures (Python, 17 stars): Backstage Measure
56. gcrypt (JavaScript, 17 stars): encryption for humans
57. pymigration (Python, 17 stars): A generic migration tool in Python
58. rtmp2img (Python, 17 stars): rtmp2img: Create images from rtmp urls
59. gcloud-utils (Python, 16 stars): Global package for Cloud Management in Python
60. graylog-plugin-oauth2 (Java, 16 stars): OAuth2 plugin for the graylog project
61. stewie (Clojure, 16 stars): System for anomaly detection in mass generic data
62. GloboNetworkAPI-client-python (Python, 16 stars): Python client for GloboNetworkAPI
63. globomap-api (Python, 15 stars): Abstract API used for mapping the infrastructure, services and processes of Globo.com
64. jquery-eventtracker (JavaScript, 14 stars): jquery.eventtracker is a jQuery plugin wrapper for Google Analytics custom event tracker
65. hacktoberfest (TypeScript, 14 stars): Globo Hacktoberfest project
66. go-openstack (Go, 14 stars): Go packages for OpenStack APIs.
67. simple-virtuoso-migrate (Python, 14 stars): Ontology versioning and migration tool inspired by simple-db-migrate.
68. stormdash (JavaScript, 14 stars): A unique dashboard to show simple alerts
69. iprange (Lua, 14 stars): IPRange - Redis as a storage for IP ranges
70. dash_timeline_validator (Ruby, 14 stars): Parses a given MPD and validates its timeline for errors.
71. functions-sandbox (JavaScript, 13 stars): Sandbox for Backstage Functions
72. megadraft-table-plugin (JavaScript, 13 stars): Table Plugin - Megadraft Plugin
73. docker-openvswitch (13 stars): Docker image of Open vSwitch with ssh enabled running over supervisord
74. zookeeper-centos-6 (13 stars): zookeeper RPM package for CentOS 6.
75. httpclient (Go, 13 stars): An HTTP client in Golang.
76. enforcement (Python, 13 stars): Project focused on the implementation of policies in Kubernetes clusters through GitOps.
77. reliable-request (Go, 13 stars): An opinionated Go library to provide reliable requests using hystrix-go, go-cache, and go-resiliency.
78. tdi (Ruby, 12 stars): Test Driven Infrastructure. Automates validation of deployed servers.
79. configurable-http-proxy-redis-backend (JavaScript, 12 stars): Redis backend for Jupyter's Configurable Proxy
80. dojo.globo (Python, 12 stars): Dojo at Globo.com
81. lig4 (JavaScript, 11 stars): Lig4 is a board game brought to the web
82. globomap-ui (JavaScript, 11 stars): Web interface to explore the Globomap API
83. benchmark-python-wsgi (Python, 10 stars): Benchmark of Python WSGI Servers
84. container-broker (Ruby, 10 stars): Run any Docker-based task in a simple and distributed way
85. megadraft-related-articles-plugin (JavaScript, 10 stars): Related articles plugin for Megadraft text editor
86. alchemetrics_web (Elixir, 10 stars): Collect and report key metrics for a typical web application based on Phoenix and Ecto.
87. generator-megadraft-plugin (JavaScript, 10 stars): Plugin generator for the Megadraft Editor
88. auror-core (Python, 10 stars): Azkaban Auror core for flow creation
89. dbaas-cloudstack (Python, 10 stars): A CloudStack adapter for DBaaS
90. gsenha-api (Python, 9 stars): GSenha-API is a password manager. Its architecture was designed to avoid information leakage in the case of a compromise
91. url-pinger (Python, 9 stars): URL healthcheck
92. generic_cache (Python, 9 stars): A Python utility / library to facilitate caching function results
93. alchemetrics_tesla (Elixir, 9 stars): Tesla middleware to report external call metrics.
94. Globo-Live-Cache (Shell, 9 stars): Caching configuration for Globo.com live video
95. mongo-go-prometheus (Go, 9 stars): Monitors that export Prometheus metrics for the MongoDB Go driver
96. directional-navigation (JavaScript, 8 stars): Directional navigation that filters elements via frustum and ranks by distance
97. zabbix2odbc (Python, 8 stars): Zabbix macro sync for ODBC configuration with support for MySQL and Oracle databases.
98. memcachedapi (Python, 8 stars): memcached service API for tsuru.
99. dbaas-credentials (Python, 8 stars): A credential manager for dbaas integrations
100. tornado-stale-client (Python, 7 stars): An async HTTP client for tornado with stale cache support