CRITICAL SECURITY NOTICE: This application contains intentional security vulnerabilities for educational purposes. Never deploy this application in a production environment or on a publicly accessible server. Always use a properly isolated sandbox environment.

Prerequisites

Before you begin, ensure you have the following installed:

  • Python 3.x - Required to run the Flask application
  • Git - Version 2.x or higher for cloning the repository
  • VS Code - Recommended code editor for development
  • Modern Browser - Chromium or Edge for testing

macOS users: you may have pip3 instead of pip. Run pip show pip and pip3 show pip to check which command is configured on your system.

Installation

1. Clone the Repository

Clone from GitHub:
git clone https://github.com/NBHS-Software-Engineering/Normo_Unsecure_PWA.git
cd Normo_Unsecure_PWA
2. Install Dependencies

Install the Python packages:
pip install -r requirements.txt
This installs all required packages including:
  • Flask - Web framework
  • Flask-CORS - Cross-origin resource sharing (intentionally permissive)
  • Flask-CSP - Content Security Policy headers (not implemented in base app)
  • Flask-WTF - CSRF protection (not implemented in base app)
  • Flask-Limiter - Rate limiting (not implemented in base app)
  • bcrypt - Password hashing (not implemented in base app)
  • pyotp - Two-factor authentication (not implemented in base app)
  • qrcode - QR code generation for 2FA (not implemented in base app)
Many security libraries are included in requirements.txt but are not used in the vulnerable base application. Part of your learning is to implement these security features.
3. Run the Application

Start the Flask server:
python main.py
You should see output similar to:
 * Serving Flask app 'main'
 * Debug mode: on
WARNING: This is a development server. Do not use it in a production deployment.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:5000
 * Running on http://192.168.1.x:5000
4. Access the Application

Open your browser and navigate to one of the URLs printed by the Flask server, for example http://127.0.0.1:5000.
If your teacher is hosting the app, you’ll access it via their LAN IP address instead of localhost.

Application Structure

Once running, you’ll see a simple progressive web app with the following pages:
Application Pages
├── /                    # Login page (index.html)
├── /signup.html         # User registration
└── /success.html        # User dashboard with feedback

Key Routes

The Flask application (main.py) defines these routes:
main.py:46-67
# Excerpt: the imports this snippet needs are shown for context; dbHandler is
# the app's own database helper module, imported earlier in main.py.
from flask import Flask, request, render_template

app = Flask(__name__)


@app.route("/", methods=["POST", "GET"])
@app.route("/index.html", methods=["POST", "GET", "PUT", "PATCH", "DELETE"])
def home():
    # Login functionality
    if request.method == "POST":
        username = request.form["username"]   # no validation or length limit
        password = request.form["password"]   # compared against plaintext storage
        isLoggedIn = dbHandler.retrieveUsers(username, password)
        if isLoggedIn:
            return render_template("/success.html", value=username, state=isLoggedIn)
    # the rest of the function (the GET branch) is omitted in this excerpt
Notice that routes accept multiple HTTP methods (GET, POST, PUT, PATCH, DELETE) and there’s no input validation. These are security vulnerabilities you’ll be testing.

Database Structure

The application uses SQLite with two tables; the users table is shown here:
CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    password TEXT NOT NULL,     -- ⚠️ Plaintext storage!
    dateOfBirth TEXT
);
Vulnerabilities:
  • Passwords stored in plaintext
  • No password complexity requirements
  • No unique constraints

Testing the Application

Create a Test Account

1. Navigate to Signup

Click the Sign Up link on the login page or go to http://127.0.0.1:5000/signup.html
2. Register a User

Example test credentials:
Username: testuser
Password: testpass123
Date of Birth: 2000-01-01
The date of birth field is collected but never used - this is a privacy issue (unnecessary data collection).
3. Login

Return to the login page and use your test credentials to authenticate.
4. Submit Feedback

On the success/dashboard page, try submitting feedback like “This is a test message”.

Begin Security Testing

Now that the app is running, you can start testing for vulnerabilities:

SQL Injection

Try ' OR '1'='1 in the username field
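
The database section above notes plaintext passwords and no unique constraint, and the lookup behind the login is what makes the payload above effective. The following is an added example, not code from the Normo_Unsecure_PWA repository: an in-memory SQLite stand-in (its schema, table and function names are assumptions, not the lab's) that contrasts the lab's pattern of pasting input into SQL text with a parameterised query, adds a UNIQUE constraint and a minimum password length, and stores a salted PBKDF2-HMAC hash from the standard library in place of the bcrypt the requirements file ships.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed, in-memory stand-in for the lab's database_files/database.db.
# Unlike the lab's schema, username is UNIQUE and the password column holds a
# salted PBKDF2-HMAC hash (standard-library stand-in for bcrypt), never plaintext.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password_hash BLOB NOT NULL,
    salt BLOB NOT NULL
);
"""
PBKDF2_ITERATIONS = 200_000
MIN_PASSWORD_LENGTH = 8  # assumption: the lab has no complexity rule at all


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Register a user; False if the name is taken (UNIQUE) or the password is too short."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO users (username, password_hash, salt) VALUES (?, ?, ?)",
            (username, hash_password(password, salt), salt),
        )
    except sqlite3.IntegrityError:  # duplicate username
        return False
    conn.commit()
    return True


def count_matches_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """The lab's pattern: the input is pasted into the SQL text, so a quote in it
    changes the WHERE clause instead of being matched as data."""
    query = f"SELECT id FROM users WHERE username = '{username}'"
    return len(conn.execute(query).fetchall())


def count_matches_safe(conn: sqlite3.Connection, username: str) -> int:
    """Parameterised: the driver sends the value separately from the SQL, so it
    can only ever match a literal username."""
    rows = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchall()
    return len(rows)


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus a constant-time hash comparison, replacing the
    lab's plaintext compare inside the query."""
    row = conn.execute(
        "SELECT password_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored_hash, salt = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))
```

count_matches_vulnerable is included only to show what the payload does to the query: against two registered users it returns every row, while the parameterised version returns none because no account is literally named ' OR '1'='1.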

XSS Attack

Submit <script>alert('XSS')</script> in the feedback form

CSRF Attack

Create a malicious form that submits to the app
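
For the XSS and CSRF tests above, here is an added example (not code from the lab, and not Flask-WTF) of the two defences the feedback form is missing: escaping the stored text with html.escape before it is put into the page, and a per-session CSRF token that a form hosted on another site cannot know, compared in constant time. The session and form are plain dicts so it runs without Flask; the key name csrf_token, the form action and the 500-character limit are assumptions.

```python
import hmac
import html
import secrets

TOKEN_KEY = "csrf_token"  # assumption: session/form field name, not the lab's


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) an unguessable per-session token for the form to carry."""
    token = session.get(TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[TOKEN_KEY] = token
    return token


def csrf_token_is_valid(session: dict, submitted) -> bool:
    """Constant-time check of the submitted token against the session copy."""
    expected = session.get(TOKEN_KEY)
    if expected is None or not isinstance(submitted, str):
        return False
    # encode first: compare_digest raises TypeError on non-ASCII str input
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def render_feedback_form(session: dict) -> str:
    """The genuine form carries the hidden token; a copy on another site cannot."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/success.html">\n'
        f'  <input type="hidden" name="{TOKEN_KEY}" value="{html.escape(token)}">\n'
        '  <textarea name="feedback"></textarea>\n'
        '  <button type="submit">Send</button>\n'
        "</form>"
    )


def render_feedback_entry(text: str) -> str:
    """Escape before interpolating into HTML so submitted markup is displayed, not run."""
    return f"<li>{html.escape(text, quote=True)}</li>"


def handle_feedback_post(session: dict, form: dict):
    """Minimal view logic: returns (status, body). 403 without a valid token,
    400 for empty or oversized input, otherwise the escaped entry."""
    if not csrf_token_is_valid(session, form.get(TOKEN_KEY)):
        return 403, "Forbidden: missing or invalid CSRF token"
    text = form.get("feedback", "")
    if not text.strip() or len(text) > 500:
        return 400, "Feedback must be 1-500 characters"
    return 200, render_feedback_entry(text)
```

In a Flask app the session dict is flask.session, which is a signed cookie and therefore needs app.secret_key set; the configuration section below notes that the lab configures no secret key, so that is the first thing to add before a token like this can be kept in the session.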

Open Redirect

Test /?url=https://evil.com in the URL
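
For the open-redirect test above, an added example (not the lab's code) of validating a url parameter before redirecting to it. The allowed host set and the fallback path are assumptions for the lab's local origin. It goes beyond the single https://evil.com case in the text: it also treats scheme-relative, backslash, userinfo and non-http scheme forms as untrusted and falls back to the dashboard.

```python
from urllib.parse import urlsplit

# assumption: the lab's own origin(s); a deployment would read these from config
ALLOWED_HOSTS = {"127.0.0.1:5000", "localhost:5000"}
FALLBACK = "/"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK) -> str:
    """Return url only if it is a local path or an absolute URL on an allowed host;
    otherwise return the fallback. Never trust the raw parameter in a redirect."""
    if not url:
        return fallback
    # CR/LF/NUL would let the value spill into response headers
    if any(ch in url for ch in "\r\n\x00"):
        return fallback
    # browsers normalise backslashes to slashes, so parse what the browser will see
    normalised = url.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # relative path: exactly one leading slash ("//host" is scheme-relative)
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return fallback
    # absolute URL: only http(s) and only our own host; comparing the full netloc
    # also rejects "user@evil.com" tricks, since the whole netloc must match
    if parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts:
        return normalised
    return fallback
```

The check keys on the parsed netloc rather than on whether the string "contains" the site name, which is the mistake that lets a string such as https://evil.com/?x=127.0.0.1:5000 pass a naive filter.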

Configuration Details

The app runs with these (insecure) configurations:
main.py:70-73
app.config["TEMPLATES_AUTO_RELOAD"] = True
app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0
app.run(debug=True, host="0.0.0.0", port=5000)
Security Issues:
  • debug=True - Exposes detailed error messages and interactive debugger
  • host="0.0.0.0" - Binds to all network interfaces (should use 127.0.0.1 for local dev)
  • No secret key configured
  • No HTTPS/SSL
  • No rate limiting

Troubleshooting

Error message:
OSError: [Errno 48] Address already in use
Solution:
  • Stop any other Flask applications running
  • Or modify main.py line 73 to use a different port: app.run(debug=True, host="0.0.0.0", port=5001)

Error message:
ModuleNotFoundError: No module named 'flask'
Solution:
  • Ensure you ran pip install -r requirements.txt
  • Check you’re using the correct Python environment
  • Try pip3 install -r requirements.txt on macOS/Linux

Error message:
sqlite3.OperationalError: no such table: users
Solution:
  • The database should be created automatically in database_files/database.db
  • Check that the database_files/ directory exists
  • If needed, create the tables manually using the schema in the Architecture documentation

Issue: You’re trying to access the app from another device on your network but it’s not working.
Solution:
  • Ensure Flask is running with host="0.0.0.0" (the default in this app)
  • Find your local IP: ipconfig (Windows) or ifconfig (macOS/Linux)
  • Access via http://{YOUR_IP}:5000
  • Check that firewall settings allow incoming connections on port 5000

Next Steps

  • Deployment Guide - Set up proper sandbox environments for secure testing
  • Architecture Overview - Understand the application structure and components
  • Testing Approaches - Learn white-box, grey-box, and black-box testing
  • Vulnerabilities - Start exploring specific security flaws
