Skip to main content
Critical Security NoticeThis application has been designed with intentional security vulnerabilities for educational purposes. It MUST ONLY be deployed in isolated sandbox environments. Never expose this application to production networks or the public internet.

Why Sandbox Environments?

Sandboxing creates a safe, isolated environment to run potentially dangerous code without exposing your system, network, or data to risk. When testing security vulnerabilities, a sandbox:
  • Isolates malicious code from your host machine and network
  • Prevents unintended damage to your operating system
  • Enables safe testing of exploits and attack vectors
  • Contains security breaches within the test environment
The Normo Unsecure PWA contains vulnerabilities including SQL injection, XSS, CSRF, open redirects, insecure authentication, and more. These require isolated testing environments.

SAST Environment

Purpose-built multi-layer isolation environment specifically designed for the Normo Unsecure PWA
The Secure Architecture Sandbox Testing Environment is the recommended option, featuring:
  • Multi-layer isolation: Containerized architecture with network isolation
  • Automated security reports: SAST, DAST, network, and penetration testing
  • Pre-installed sample apps: Ready-to-use vulnerable applications
  • Custom app upload: Test your own Flask applications
  • Ethical penetration testing: Tools designed for educational contexts
  • Authentic architecture: Mirrors real-world security testing environments
1

Clone the SAST Environment

git clone https://github.com/TempeHS/Secure_Architecture_Sandbox_Testing_Environment.git
cd Secure_Architecture_Sandbox_Testing_Environment
2

Follow Setup Instructions

Refer to the repository’s README for detailed setup instructions including Docker configuration and environment initialization.
3

Deploy the Normo Unsecure PWA

Use the environment’s upload feature or deploy directly within the containerized architecture.
4

Run Security Tests

Execute SAST, DAST, and penetration tests using the built-in tools and generate comprehensive security reports.

Alternative Sandbox Options

Depending on your resources and requirements, consider these alternatives:

GitHub Codespaces

Pros: Cloud-based, no local setup, instant deploymentCons: Requires GitHub account, limited free hoursSetup: Fork the repository and launch Codespaces from GitHub

CodeSandbox.io

Pros: Browser-based, easy to use, collaborativeCons: May require account, limited for advanced testingSetup: Import repository via URL

Docker Containers

Pros: Full isolation, reproducible, portableCons: Requires Docker knowledge, local resourcesSetup: Create Dockerfile and docker-compose.yml

Virtual Machine

Pros: Complete isolation, OS-level separationCons: Resource intensive, requires VM softwareSetup: Install VirtualBox/VMware, create Linux VM

Ubuntu Live USB

Pros: Portable, no installation, hardware isolationCons: Limited persistence, manual setup each bootSetup: Create bootable Ubuntu USB, install Python

Qubes OS

Pros: Security-focused OS, domain isolationCons: Steep learning curve, requires dedicated hardwareSetup: Install Qubes OS in VM, create isolated domain

Deployment Methods

Method 1: Standard Local Deployment

For basic sandbox environments with Python installed:
1

Clone and Navigate

git clone https://github.com/NBHS-Software-Engineering/Normo_Unsecure_PWA.git
cd Normo_Unsecure_PWA
2

Install Dependencies

pip install flask
# Or install all packages
pip install -r requirements.txt
3

Run the Application

python main.py
The app will start on http://0.0.0.0:5000 listening on all interfaces.

Method 2: GitHub Codespaces Deployment

1

Fork Repository

Navigate to the Normo Unsecure PWA repository and fork it to your account.
2

Launch Codespace

Click CodeCodespacesCreate codespace on main
3

Install and Run

Once the Codespace loads:
pip install flask
python main.py
4

Access via Port Forward

Codespaces automatically forwards port 5000. Click the Ports tab and open the forwarded URL.
CORS Configuration: The app has CORS(app) enabled specifically for Codespaces CSRF demonstrations. This allows cross-origin requests needed for certain vulnerability testing.

Method 3: Docker Container Deployment

Create a Dockerfile in the project root:
Dockerfile
FROM python:3.11-slim

WORKDIR /app

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

EXPOSE 5000

CMD ["python", "main.py"]
Then build and run: 
docker build -t normo-unsecure-pwa .
docker run -p 5000:5000 normo-unsecure-pwa

Method 4: Virtual Machine Deployment

1

Install VM Software

Download and install VirtualBox, VMware Workstation, or Hyper-V.
2

Create Ubuntu VM

  • Download Ubuntu Server/Desktop ISO
  • Create a new VM with at least 2GB RAM
  • Install Ubuntu in the VM
3

Install Prerequisites

Inside the VM:
sudo apt update
sudo apt install python3 python3-pip git -y
4

Deploy Application

Follow the standard deployment steps inside the VM.

Network Access Configuration

Local Testing Only

By default, the application runs on host="0.0.0.0", making it accessible on all network interfaces. For strict local-only testing:
main.py (line 73)
app.run(debug=True, host="127.0.0.1", port=5000)  # Localhost only

Network Testing (Teacher-Hosted Scenario)

If a teacher is hosting the app for students to perform black-box testing:
  1. Find your LAN IP address: 
    ipconfig
  2. Ensure firewall allows port 5000:
    Linux
    sudo ufw allow 5000/tcp
  3. Students access via: http://{teacher-ip}:5000
Network Isolation: Even when sharing on a local network for educational purposes, ensure the network is completely isolated from the internet and production systems. Use a dedicated VLAN or isolated lab network.

Updating Student Resources for Remote URLs

Many examples in .student_resources/ assume local testing with http://127.0.0.1:5000. If using a remote server, update HTML/JavaScript examples:
Example Update
// Change from:
fetch('http://127.0.0.1:5000/success.html', {...})

// To:
fetch('http://teacher-ip:5000/success.html', {...})

Application Configuration

The Flask application is configured in main.py with these settings:
main.py (lines 70-73)
if __name__ == "__main__":
    app.config["TEMPLATES_AUTO_RELOAD"] = True  # Auto-reload templates
    app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0  # Disable caching
    app.run(debug=True, host="0.0.0.0", port=5000)

Configuration Breakdown

SettingValuePurpose
debugTrueEnables debug mode with detailed error pages (vulnerability)
host0.0.0.0Listens on all network interfaces
port5000Default Flask development port
TEMPLATES_AUTO_RELOADTrueAutomatically reloads templates on change
SEND_FILE_MAX_AGE_DEFAULT0Disables browser caching
CORSEnabledAllows cross-origin requests for CSRF demos
Debug Mode: Running with debug=True exposes sensitive information in error messages and enables the Werkzeug debugger. This is intentional for learning about debug mode vulnerabilities.

Database Setup

The application uses SQLite with the database located at database_files/database.db. The database is accessed via user_management.py:
user_management.py (example)
con = sql.connect("database_files/database.db")

Database Schema

users table:
  • username (TEXT)
  • password (TEXT) - stored in plain text (vulnerability)
  • dateOfBirth (TEXT)
feedback table:
  • id (INTEGER PRIMARY KEY)
  • feedback (TEXT)
The database operations use string formatting in SQL queries, creating SQL injection vulnerabilities. This is intentional for security analysis training.

Security Testing in Sandboxes

Once deployed in a sandbox, students should:

1. White Box Analysis

Review the source code to identify vulnerabilities:
  • main.py: Open redirects, CORS configuration, debug mode
  • user_management.py: SQL injection, plain text passwords, timing attacks
  • templates: XSS vulnerabilities in rendered content

2. Grey Box Analysis

Combine code review with active testing:
  • Test identified vulnerabilities with payloads
  • Verify assumptions from code review
  • Map application flow and attack surface

3. Black Box Analysis

Test without source code access (if teacher-hosted):
  • Penetration testing with tools like ZAP Proxy
  • Manual vulnerability discovery
  • Network traffic analysis

4. Automated Scanning

Use security tools available in the sandbox:
  • OWASP ZAP: Automated vulnerability scanning
  • Bandit: Python security linter
  • Safety: Dependency vulnerability checker

OWASP WSTG

Comprehensive web security testing guide

ZAP Proxy

Open source penetration testing tool

Next Steps

1

Set Up Sandbox

Choose and configure your preferred sandbox environment from the options above.
2

Deploy Application

Follow the deployment method appropriate for your sandbox choice.
3

Begin Security Analysis

Start identifying vulnerabilities using white/grey/black box approaches.
4

Document Findings

Prepare your security assessment report with discovered vulnerabilities and impact analysis.
5

Implement Patches

Use resources in .student_resources/ to develop and test security patches.

Troubleshooting

Cannot Access Application on Network

  • Verify firewall settings allow port 5000
  • Check host="0.0.0.0" in main.py
  • Ensure devices are on the same network
  • Test with curl http://server-ip:5000 from another machine

Database Errors

  • Ensure database_files/database.db exists
  • Check file permissions in the sandbox
  • Verify SQLite3 is available in the environment

Import Errors in Sandbox

  • Reinstall requirements: pip install -r requirements.txt
  • Use virtual environment for dependency isolation
  • Check Python version compatibility (3.x required)

Port Conflicts

If port 5000 is in use: 
app.run(debug=True, host="0.0.0.0", port=5001)  # Use different port

Build docs developers (and LLMs) love

Get started for freeTalk to us