Skip to main content

What is Auth Security Demo?

Auth Security Demo is an educational web application designed to teach developers and security professionals about common authentication and authorization vulnerabilities found in real-world applications. The project provides two parallel implementations:

Vulnerable Version

Intentionally insecure implementation demonstrating 8 OWASP Top 10 vulnerabilities

Secure Version

Properly secured implementation with industry-standard security controls

Why This Project Exists

Web authentication is one of the most critical security components of any application, yet it’s also one of the most commonly exploited attack surfaces. Many developers learn security concepts theoretically without seeing real-world code examples or understanding the practical impact of vulnerabilities. This project bridges that gap by providing:
  • Real working code that you can run, test, and modify
  • Side-by-side comparisons of vulnerable vs. secure implementations
  • Hands-on exploitation opportunities in a safe, controlled environment
  • Clear documentation explaining both the vulnerabilities and the fixes
This project is inspired by OWASP WebGoat and similar educational security tools, but focuses specifically on authentication and session management vulnerabilities common in Flask applications.

What You’ll Learn

Through this project, you’ll gain hands-on experience with:

Critical Vulnerabilities

SQL Injection

Learn how attackers bypass authentication by manipulating SQL queries

Cross-Site Scripting (XSS)

Understand how malicious scripts can be injected into web pages

Insecure Direct Object Reference

Discover how improper access controls allow unauthorized data access

Password Storage Flaws

See the dangers of storing passwords in plaintext or weak hashes

Security Best Practices

For each vulnerability, you’ll learn:
  • How it works - The technical details of the vulnerability
  • How to exploit it - Practical attack scenarios you can test
  • Why it’s dangerous - Real-world impact and consequences
  • How to fix it - Proper secure coding practices
  • How to prevent it - Architecture and design patterns that eliminate the vulnerability class

Who This Is For

Learn secure coding practices and understand common pitfalls in authentication implementation. Perfect for developers working with Flask, Django, or similar web frameworks.
Use this as a training tool for security awareness programs or as a hands-on lab environment for penetration testing practice.
Excellent resource for cybersecurity courses, computer science programs, or self-directed learning about web security.
Practice identifying and exploiting vulnerabilities in a legal, controlled environment before competing in Capture The Flag events.

Project Architecture

The project consists of two Flask applications with identical functionality but vastly different security postures: 
auth-security-demo/
├── vulnerable/          # Insecure implementation
│   ├── app.py          # Flask app with vulnerabilities
│   ├── database.py     # Database setup (plaintext passwords)
│   └── templates/      # HTML templates
└── secure/             # Secure implementation
    ├── app.py          # Flask app with security controls
    ├── database.py     # Database setup (hashed passwords)
    └── templates/      # HTML templates with output encoding

Key Features Demonstrated

Vulnerable Version (/vulnerable):
  • Direct SQL query concatenation (SQL Injection)
  • No output encoding (XSS)
  • Plaintext password storage
  • Missing access controls (IDOR)
  • Weak session management
  • No CSRF protection
  • Exposed error messages
  • Missing security headers
Secure Version (/secure):
  • Parameterized SQL queries
  • Automatic output encoding with escape()
  • Bcrypt password hashing
  • Role-based access control
  • Secure session configuration
  • CSRF token validation
  • Generic error messages
  • Security HTTP headers
The best way to learn is by comparing the code side-by-side. Each vulnerability page includes detailed code comparisons showing exactly what changes were needed to secure the application.

Technology Stack

This project uses modern Python web development tools: 
Flask==3.0.0
python-dotenv==1.0.0
gunicorn==21.2.0
  • Flask 3.0 - Lightweight Python web framework
  • SQLite - Embedded database for easy setup
  • Werkzeug - Password hashing utilities (secure version)
  • Flask-WTF - CSRF protection (secure version)
  • MarkupSafe - HTML escaping (secure version)

Learning Path

We recommend following this learning path:
1

Read the Legal Notice

Understand the ethical and legal boundaries before proceeding
2

Set Up Your Environment

Install both versions locally so you can experiment safely
3

Start with SQL Injection

Begin with the most critical vulnerability and learn the fundamentals
4

Work Through Each Vulnerability

Follow the vulnerability pages in order, testing each exploit
5

Study the Secure Implementation

Compare the code and understand how each fix works
6

Apply to Your Projects

Use the security best practices in your own applications

Community and Support

This is an open-source educational project:
  • GitHub Repository: auth-security-project
  • Live Demos: Try the vulnerable and secure versions online
  • Contributions: Pull requests and improvements are welcome
  • Issues: Report bugs or suggest new vulnerabilities to demonstrate
The vulnerable version is intentionally insecure. Never use code from the vulnerable version in production applications. Always reference the secure version for real-world implementations.

Ready to Get Started?

Legal Notice

Read the important legal and ethical guidelines

Quick Start

Get both demos running in 5 minutes

Build docs developers (and LLMs) love

Get started for freeTalk to us