A demo repository of simple OWASP Top 10 type of vulnerabilities in (mostly) Python. Includes an exploration of GHAS features.

swiss-cheese

🧀🧀 A demo repository of small OWASP Top 10 vulnerabilities (and then some). Like swiss-cheese, this code is full of holes. Goes great with Github Advanced Security (GHAS) 🧀🧀

There are plenty of demo web apps with vulnerabilities; this one is meant to provide smaller, interactive demonstrations so students can work through specific vulnerabilities one at a time.


Github Advanced Security Walkthrough

For a walkthrough of the essential features of GHAS, see GHAS Walkthrough.

Purpose

The code samples here serve a couple of main purposes:

  1. An understanding of secure coding practices with some very basic python examples of OWASP Top 10 vulnerabilities.
  2. A training exercise for Github Advanced Security (GHAS) features.

Understanding of Secure Coding Practices

  1. Show specific hands on examples of OWASP Top 10 vulnerabilities with small "working" code samples.
  2. Demonstrate a specific vulnerability and discuss how a code review might have prevented it.
  3. Practice fixing vulnerabilities.
  4. Build a basic understanding of SAST tooling, specifically the features in Github Advanced Security.
  5. Use an AI coding assistant such as Github Copilot to ask questions about the code and what security weaknesses may exist. Additionally, AI coding assistants can provide targeted recommendations for fixes. We can also experiment with threat modeling methodologies such as STRIDE and PASTA.

Github Advanced Security Exercises

This repository is also used as a training exercise for Github Advanced Security (GHAS) features. See GHAS Exercises for more details.

In short, you can fork this repository and practice enabling and tuning GHAS features on known vulnerable code and dependencies.

Code Authors

Unless otherwise cited in the code, the scripts herein are generated by a combination of Tim Kelly (human) and AI coding assistants (ChatGPT, Github Copilot).

Installation Guide

Follow these steps to install the necessary dependencies for the project:

  1. Clone the repository:

git clone git@github.com:austimkelly/swiss-cheese.git

  2. Navigate to the project directory:

cd swiss-cheese

  3. Install the dependencies from the requirements.txt file:

pip3 install -r requirements.txt

  4. Navigate to the directory for the demo you want to run and run the Python file there (e.g. cd idor, then python3 idor.py).

Demo Listing & References

| Demo Link | Description | References |
| --- | --- | --- |
| broken-auth | Demonstrates a session management vulnerability if an attacker gets hold of an authentication session token. | OWASP Session Management Cheat Sheet |
| idor | Demonstrates broken access control for easily guessable IDs and no authentication. | OWASP IDOR |
| sqli | Demonstrates standard SQL Injection being able to dump a database from a form field. | OWASP SQL Injection |
| command-injection | Demonstrates a basic input to a Python script that allows a user to send arbitrary shell commands through the terminal. | OWASP Command Injection |
| ssrf | Demonstrates a server-side request forgery tricking the app into making an HTTP request to a not-allowed 3rd party domain. | OWASP Server Side Request Forgery |
| xss | Demonstrates executing arbitrary JavaScript inside the application. | OWASP Cross Site Scripting |
| secrets | An example of leaking a secrets file or environment variable configuration. | Github Secrets Push Protection, OWASP Secrets Management Cheat Sheet |
| supply-chain | An example of a supply chain vulnerability in log4j. This one demonstrates dependency vulnerabilities and a security advisory. Several OWASP Top 10 vulnerabilities apply here: security misconfiguration, using components with known vulnerabilities, and insufficient logging and monitoring. | OWASP Supply Chain Vulnerabilities |
| iac | An example of a Terraform misconfiguration. | OWASP Security Misconfiguration |

References to other Python vulnerable web apps

  • Pygoat - This is a fork of an intentionally vulnerable web app built with Django and Python. The fork enables Github Advanced Security (GHAS) features: CodeQL, Secrets Scanning & Dependabot.
  • Damn Vulnerable Python Web App - This is also a fork with GHAS enabled.
