by globocom

globocom / secDevLabs

A laboratory for learning secure web and mobile development in a practical manner.

502 Stars 167 Forks Last release: Not found BSD 3-Clause "New" or "Revised" License 645 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

A laboratory for learning secure web and mobile development in a practical manner.

Build your lab

By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. πŸ‘©β€πŸ’»

How do I start?

After forking this repository, you will find multiple intended vulnerable apps based on real-life scenarios in various languages such as Golang, Python and PHP. A good start would be installing the ones you are most familiar with. You can find instructions to do this on each of the apps. πŸ’‘

Each of them has an

Attack Narrative
section that describes how an attacker would exploit the corresponding vulnerability. Before reading any code, it may be a good idea following these steps so you can better understand the attack itself. πŸ’‰

Now it's time to shield the application up! Imagine that this is your application and you need to fix these flaws! Your mission is writing new codes that mitigate them and sending a new Pull Request to deploy a secure app! πŸ”

How secure is my new code?

After mitigating a vulnerability, you can send a Pull Request to gently ask the secDevLabs community to review your new secure codes. If you're feeling a bit lost, try having a look at this mitigation solution, it might help! πŸš€

OWASP Top 10 (2017) apps: πŸ’»

Disclaimer: You are about to install vulnerable apps in your machine! πŸ”₯

| Vulnerability | Language | Application | | --- | --- | --- | | A1 - Injection | Golang | CopyNPaste API | | A1 - Injection | NodeJS | Mongection | | A1 - Injection | Python | SSType | | A2 - Broken Authentication | Python | Saidajaula Monster Fit | | A2 - Broken Authentication | Golang | Insecure go project | | A3 - Sensitive Data Exposure | Golang | SnakePro| | A4 - XML External Entities (XXE) | PHP | ViniJr Blog | | A5 - Broken Access Control | Golang | Vulnerable Ecommerce API | | A5 - Broken Access Control | NodeJS | Tic-Tac-Toe | | A6 - Security Misconfiguration | PHP | Vulnerable Wordpress Misconfig | | A6 - Security Misconfiguration | NodeJS | Stegonography | | A7 - Cross-Site Scripting (XSS) | Python | Gossip World | | A8 - Insecure Deserialization | Python | Amarelo Designs | | A9 - Using Components With Known Vulnerabilities | PHP | Cimentech | | A10 - Insufficient Logging & Monitoring | Python | |

OWASP Top 10 (2016) Mobile apps: πŸ“²

Disclaimer: You are about to install vulnerable mobile apps in your machine! πŸ”₯

| Vulnerability | Language | Application | | --- | --- | --- | | M2 - Insecure Data Storage | Dart/Flutter | Cool Games | | M4 - Insecure Authentication | Dart/Flutter | Note Box | | M5 - Insufficient Cryptography | Dart/Flutter | Panda Zap |


We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! πŸŽ‰


This project is licensed under the BSD 3-Clause "New" or "Revised" License - read file for details. πŸ“–

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.