READ THIS CAREFULLY BEFORE PROCEEDING

This project contains intentionally vulnerable code for educational purposes only. Misuse of the techniques demonstrated here can result in serious legal consequences.

Educational Purpose Only

The Auth Security Demo project is designed exclusively for:

Learning Environments

Personal study and skill development in controlled settings

Authorized Testing

Security testing on systems you own or have explicit written permission to test

CTF Competitions

Legitimate Capture The Flag events and security challenges

Academic Research

University courses and authorized security research programs

Prohibited Uses

NEVER use these techniques on:
  • Production systems or live websites without explicit authorization
  • Systems owned by third parties without written permission
  • Any system where you don’t have legal authority to test
  • School, university, or employer networks without IT department approval
  • Any system to cause harm, steal data, or disrupt services

Why This Matters

Unauthorized access to computer systems is illegal under laws including:
  • United States: Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030
  • European Union: Network and Information Security Directive (NIS)
  • United Kingdom: Computer Misuse Act 1990
  • International: Council of Europe Convention on Cybercrime (Budapest Convention)
Even “just looking” or “harmless testing” without authorization is illegal in most jurisdictions. The law doesn’t distinguish between malicious intent and curiosity.
Unauthorized use of security exploitation techniques can result in:

Criminal Penalties

Under the Computer Fraud and Abuse Act (CFAA), unauthorized access can result in:
  • First offense: Up to 1 year imprisonment and fines
  • Repeat offense: Up to 10 years imprisonment
  • With intent to defraud: Up to 5-10 years per count
  • Causing damage: Up to 20 years imprisonment
Victims can sue for damages including:
  • Economic losses from downtime or data breaches
  • Cost of incident response and forensics
  • Punitive damages for intentional acts
  • Legal fees and court costs
Civil damages can reach millions of dollars in serious cases.
Beyond legal penalties:
  • Permanent criminal record
  • Loss of security clearances
  • Termination from employment
  • Expulsion from educational institutions
  • Difficulty finding future employment in technology

Real-World Examples

These are real cases where individuals faced legal consequences for unauthorized security testing:
Case 1: Andrew Auernheimer (“weev”)
  • Discovered AT&T iPad security flaw
  • Accessed publicly available data
  • Convicted under CFAA (later overturned on jurisdictional grounds)
  • Served 1 year in federal prison
Case 2: Aaron Swartz
  • Downloaded academic articles from JSTOR
  • Faced 13 felony counts and up to 35 years in prison
  • Tragic case highlighting prosecutorial overreach
Case 3: David Nosal
  • Former employee accessed old employer’s systems
  • Convicted under CFAA
  • Sentenced to 1 year in prison plus restitution
Even if you discover a vulnerability accidentally, how you proceed matters. Report it responsibly through proper channels, never exploit it further.

Responsible Disclosure

If you discover a real vulnerability in a production system:
1. Stop Testing Immediately: do not exploit the vulnerability further or access additional data.
2. Document What You Found: take notes on the vulnerability but don’t include sensitive data.
3. Report Through Proper Channels:
  • Look for a security.txt file or bug bounty program
  • Contact the organization’s security team directly
  • Use platforms like HackerOne or Bugcrowd if available
4. Give Reasonable Time to Fix: allow 90 days for remediation before public disclosure (industry standard).

Responsible Disclosure Resources

Authorized Testing Guidelines

If you want to practice security testing legally:

Use This Project

The safest option: This project is specifically designed for you to exploit. Run it locally and test freely.
# Run the vulnerable version locally
cd vulnerable
python database.py  # Set up the database
python app.py      # Start the server

# Now test all vulnerabilities safely on http://localhost:5000

HackTheBox

Legal penetration testing labs and challenges

TryHackMe

Guided cybersecurity training rooms

OWASP WebGoat

Deliberately insecure application for learning

PentesterLab

Hands-on penetration testing exercises

Getting Written Authorization

If you want to test a real system, you need:
1. Written permission from the legal owner/operator
2. Clearly defined scope of testing
3. Specific time window for testing
4. Contact information for emergencies
5. Agreement on findings disclosure
Consult a lawyer to draft proper authorization documents. This list is guidance only and is not legal advice.

Ethical Hacking Principles

If you pursue a career in security, follow these ethical principles:

The Hacker’s Code of Ethics

  1. Respect privacy - Only access data necessary for testing
  2. Minimize harm - Don’t destroy, modify, or steal data
  3. Report responsibly - Disclose vulnerabilities to help fix them
  4. Obtain authorization - Always get permission before testing
  5. Improve security - Use your skills to make systems safer
  6. Continuous learning - Stay updated on both attacks and defenses
  7. Share knowledge - Educate others about security (legally)
Many cybersecurity professionals hold certifications like CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), or GPEN (GIAC Penetration Tester) that require adherence to ethical codes.

Project Liability Disclaimer

DISCLAIMER OF LIABILITY
The creators and contributors of this project:
  • Provide this code “as is” for educational purposes only
  • Make no warranties about completeness, reliability, or accuracy
  • Are not responsible for any damages resulting from use or misuse
  • Do not endorse or encourage illegal activities
  • Assume no liability for actions taken by users of this project
By using this project, you agree:
  • To use it only for lawful educational purposes
  • To comply with all applicable laws and regulations
  • That you are solely responsible for your actions
  • To indemnify the project creators against any claims arising from your use
This project is licensed under the MIT License. See the LICENSE file for full legal terms.

For Educators

If you’re using this project in an educational setting:

Recommendations

1. Review Legal Requirements: ensure your institution’s policies allow security training tools.
2. Use Isolated Networks: run demonstrations on segregated lab networks, not production infrastructure.
3. Emphasize Ethics First: start with legal and ethical training before technical content.
4. Monitor Student Activity: ensure students only test on the provided lab environment.
5. Document Everything: keep records of training materials and student acknowledgments.

Sample Student Agreement

Consider having students sign an acceptable use policy before accessing security training materials.

Questions About Legality?

If you’re unsure whether a particular activity is legal:

DON'T DO IT

When in doubt, don’t test on the system

ASK FIRST

Seek legal advice or explicit authorization

USE THIS PROJECT

Practice safely on this intentionally vulnerable application

REPORT RESPONSIBLY

If you find something, report it through proper channels
“I was just testing” or “I was trying to help” are not valid legal defenses. Always obtain explicit authorization before security testing.

Acknowledgment

By proceeding with this project, you acknowledge that:
  • You have read and understood this legal notice
  • You will use this project only for lawful educational purposes
  • You understand the legal and ethical responsibilities of security testing
  • You will not use these techniques on unauthorized systems
  • You accept full responsibility for your actions

Ready to proceed?

Continue to the Quick Start guide to set up your local lab environment
