🧀🧀 A demo repository of small OWASP Top 10 vulnerabilities (and then some). Like swiss-cheese, this code is full of holes. Goes great with Github Advanced Security (GHAS) 🧀🧀
There are plenty of demo web apps with vulnerabilities, this is meant to to provide smaller interactive demonstrations so students can problem specific vulnerabilities atomically.
For a walkthrough of the essential features of GHAS, see GHAS Walkthrouhg.
The code samples here serve a couple of main purposes:
- An understanding of secure coding practices with some very basic python examples of OWASP Top 10 vulnerabilities.
- A training exercise for Github Advanced Security (GHAS) features.
- Show specific hands on examples of OWASP Top 10 vulnerabilities with small "working" code samples.
- Demonstrate a specific vulnerability and discuss how a code review might have prevented it.
- Practice fixing vulnerabilities.
- Basic understanding of SAST tooling. Specifically using features in Github Advanced Security.
- Using an AI coding assistant such as Github Copilot to ask question about code and what security weaknesses may exist. Additionally, AI coding assistants can provide targeted recommendations for fixes. We can also experiment with threat modeling methodologies such as STRIDE and PASTA.
This repository is also used as a training exercise for Github Advanced Security (GHAS) features. See GHAS Exercises for more details.
In short, you can fork this repository and practice enabling and tuning GHAS features on known vulnerable code and dependencies.
Unless otherwise sited in the code, the scripts herein are generated by a combination of Tim Kelly (human) and AI coding assistants (ChatGPT, Github Copilot).
- The supply-chain example is based on source from https://github.com/kozmer/log4j-shell-poc
- The IaC Terraform misconfiguration is from https://github.com/aquasecurity/tfsec
Follow these steps to install the necessary dependencies for the project:
- Clone the repository:
git clone git@github.com:austimkelly/swiss-cheese.git
- Navigate to the project directory:
cd swiss-cheese
- Install the dependencies from the
requirements.txt
file:
pip3 install -r requirements.txt
- Navigate to the directory for the demo you want to run and run the python file there (e.g.
$cd idor
then$python3 idor.py
):
Demo Link | Description | References |
---|---|---|
broken-auth | Demonstrates a session management vulnerability if an attacker get ahold of an authentication session token. | OWASP Session Management Cheat Sheet |
idor | Demonstrates broken access control for easily guessable IDs and no authentication. | OWASP IDOR |
sqli | Demonstrates standard SQL Injection being able to dump a database from a form field. | OWASP SQL Injection |
command-injection | Demonstrates a basic input to a python script that allows a user to send arbitrary shell commands through the terminal. | OWASP Command Injection |
ssrf | Demonstrate a server-side request forgery tricking the app into making an HTTP request to a not-allowed 3rd party domain. | OWASP Server Side Request Forgery |
xss | Demonstrates executing arbitrary javascript inside the application. | OWASP Cross Site Scripting |
secrets | An example of leaking a secrets file or environment variable configuration. | Github Secrets Push Protection, OWASP Secrets Management Cheat Sheet |
supply-chain | An example of a supply chain vulnerability in log4j. This one is to demonstrate dependency vulnerabilities and a security advisory. There are several OWASP Top 10 vulnerabilities here: security misconfiguration, using components with known vulnerabilities, insufficient logging and monitoring. | OWASP Supply Chain Vulnerabilities |
iac | An example of a Terraform misconfiguration. | OWASP Security Misconfiguration |
- Pygoat - This is a fork of an intentionally vulnerable web app built with Django and Python. The fork enables Github Advanced security (GHAS) features: CodeQL, Secrets Scanning & Dependabot.
- Damn Vulnerable Python Web App - This is also a fork with GHAS enabled.