SECURITY DISCLAIMER: This progressive web app has been built with a range of deliberate security vulnerabilities for students studying the NESA HSC Software Engineering course. The app is NOT secure and should only be run in a sandbox environment, never on a network or host you care about.

Welcome to Normo Unsecure PWA

Your client, “Normo Unsecure PWA Company”, has engaged you as a software engineering security specialist to provide expert advice on the security and privacy of their application. This progressive web app is currently in the testing and debugging phase of the software development lifecycle.

Your Mission

Run a range of security tests and scans, together with white-, grey- and black-box analysis of the application and its source code, to identify as many security and privacy vulnerabilities as possible.

Quick Start

Get the app running in a sandbox environment

Vulnerabilities

Explore documented security vulnerabilities

Testing Approaches

Learn security testing methodologies

Mitigation Guides

Implement security fixes and patches

Learning Objectives

1. Security Analysis

Conduct comprehensive security testing using white-box, grey-box, and black-box approaches to identify vulnerabilities in the application.

2. Vulnerability Assessment

Document discovered security and privacy vulnerabilities with impact assessments and exploitation techniques.

3. Secure Development

Design and implement security patches using HTML, CSS, JavaScript, Python, SQL, and JSON to remediate identified vulnerabilities.

4. Professional Reporting

Prepare professionally written security reports that include technical analysis, out-of-scope issues, and recommendations for security-by-design approaches.

Key Features

16+ Vulnerabilities

Intentionally vulnerable Flask PWA with documented security flaws including SQL injection, XSS, CSRF, and more

Educational Resources

Comprehensive student resources aligned with NESA HSC Software Engineering curriculum

Testing Tools

Support for SAST, DAST, network scanning, and penetration testing in safe sandbox environments

Mitigation Examples

Real-world code examples showing both vulnerable and secure implementations

What You’ll Learn

This platform provides hands-on experience with:
  • Injection and Request Forgery: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF)
  • Authentication Flaws: Broken authentication, weak session management, insecure password storage (passwords should be stored as salted, slow hashes, not encrypted or kept in the clear)
  • Data Protection: Defensive data handling, SSL/TLS encryption, two-factor authentication
  • Advanced Attacks: Cross-frame scripting (XFS), race conditions, file attacks, unvalidated redirects
  • Security Policies: Content Security Policy (CSP), secure form attributes
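As an added illustration of the first two bullets (SQL injection in a Python/SQL login handler, and password storage), the following is example code written for this page; it is not code from the Normo Unsecure PWA, and the users table, the in-memory sqlite3 database and the two login functions are constructed for the demonstration. It contrasts a login query assembled by string formatting with a parameterised one and shows that the classic `' OR '1'='1` payload bypasses the former but not the latter.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for a Flask app's user store.

    Not the Normo Unsecure PWA's schema. The password is stored in plaintext
    only to keep the demo short; that is itself the storage flaw listed above.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('alice', 'correct horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is formatted straight into the SQL text."""
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    # With password = "' OR '1'='1" the statement becomes
    #   ... AND password = '' OR '1'='1'
    # which is always true, so the first row is returned and login succeeds.
    row = conn.execute(query).fetchone()
    return row is not None


def login_parameterised(conn, username, password):
    """Hardened pattern: placeholders keep the values out of the SQL grammar."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    # The driver binds the payload as a literal string; it is compared against
    # the stored password and never parsed as SQL.
    return row is not None


def demo():
    """Run both handlers against a valid credential and an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(conn, "alice", payload),
        "safe_valid": login_parameterised(conn, "alice", "correct horse"),
        "safe_bypass": login_parameterised(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login succeeded' if ok else 'login denied'}")
```

When you patch the real app, also stop comparing plaintext passwords: store a salted, slow hash (for example with `werkzeug.security.generate_password_hash`) and compare with `check_password_hash`, so that the parameterised query looks up the user by username only and the password check happens in Python.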

Required Report Components

When you complete your security analysis, your report should include:
  1. Technical Approach: Overview of your security testing methodology
  2. Out-of-Scope Issues: Privacy and security issues that cannot be mitigated through technical engineering solutions or must be tested in production
  3. Vulnerability Documentation: All discovered security or privacy vulnerabilities with impact assessments
  4. Recommendations: Security and privacy by design approach recommendations
  5. Implementation: Code patches and web content changes to remediate each vulnerability

The Secure Architecture Sandbox Testing Environment provides a containerised, multi-layer isolated sandbox for running the app and produces SAST, DAST, network-scanning and penetration-testing reports.

Next Steps

Deploy the App

Set up the vulnerable app in a safe sandbox environment

Understand the Architecture

Learn how the Flask PWA is structured
