Skip to main content
This guide will help you set up both the vulnerable and secure versions of the authentication demo on your local machine. Total setup time: 5 minutes.

Prerequisites

Before you begin, ensure you have:

Python 3.8+

Check version: python --version or python3 --version

pip Package Manager

Usually comes with Python. Check: pip --version

Git

For cloning the repository: git --version

Web Browser

Chrome, Firefox, Safari, or Edge for testing
Important: This project creates intentionally vulnerable applications. Only run them on your local machine, never expose them to the internet.

Installation

1

Clone the Repository

Open your terminal and clone the project:
git clone https://github.com/darkroot192-sudo/auth-security-project.git
cd auth-security-project
This downloads the complete project including both vulnerable and secure versions.
2

Set Up the Vulnerable Version

Navigate to the vulnerable directory and install dependencies:
cd vulnerable
pip install -r requirements.txt
Expected output:
Collecting Flask==3.0.0
Collecting python-dotenv==1.0.0
Collecting gunicorn==21.2.0
...
Successfully installed Flask-3.0.0 ...
On some systems, you may need to use pip3 instead of pip.
3

Initialize the Vulnerable Database

Create the SQLite database with default users:
python database.py
Expected output:
✓ Base de datos vulnerable configurada (SQLite)
This creates users.db with two default accounts:
  • admin / admin123 (admin role)
  • usuario / password123 (user role)
Passwords are stored in plaintext in this version - this is intentional for educational purposes.
4

Start the Vulnerable Application

Launch the Flask development server:
python app.py
Expected output:
* Serving Flask app 'app'
* Debug mode: off
WARNING: This is a development server.
* Running on http://0.0.0.0:5000
Open your browser and navigate to:
http://localhost:5000
You should see the vulnerable application’s home page.
5

Set Up the Secure Version

Open a new terminal window (keep the vulnerable version running), then:
cd /path/to/auth-security-project/secure
pip install -r requirements.txt
This installs additional security packages:
  • Werkzeug - For password hashing
  • Flask-WTF - For CSRF protection
6

Initialize the Secure Database

Create the secure database with hashed passwords:
python database.py
Expected output:
✓ Base de datos segura configurada (SQLite)
Same default users, but passwords are now bcrypt hashed.
7

Start the Secure Application

Launch the secure version on a different port:
python app.py
Expected output:
* Running on http://0.0.0.0:5001
Open another browser tab and navigate to:
http://localhost:5001
You should see the secure application’s home page.
Pro tip: Use separate browser windows or profiles for each version to avoid session conflicts.

Verify Installation

Now you should have both applications running:

Vulnerable Version

URL: http://localhost:5000Port: 5000Purpose: Testing vulnerabilities

Secure Version

URL: http://localhost:5001Port: 5001Purpose: Reference implementation

Quick Test

Test that both applications are working: 
curl -X POST http://localhost:5000/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin&password=admin123"
Both should redirect to a dashboard page.

Default Credentials

Both applications come with the same test accounts:
UsernamePasswordRoleUse Case
adminadmin123adminTesting admin functions and privilege escalation
usuariopassword123userTesting standard user access and IDOR
These credentials are intentionally weak for educational purposes. Never use simple credentials like these in real applications.

Your First Vulnerability Test

Let’s verify the vulnerable version has SQL injection:
1

Navigate to Vulnerable Login

Open http://localhost:5000/login in your browser
2

Try SQL Injection Payload

Enter these credentials:
  • Username: admin
  • Password: x' OR '1'='1
The password field contains a SQL injection payload that will bypass authentication.
3

Click Login

Click the login button. If successful, you’ll be logged in as admin without knowing the real password!Check the terminal where the vulnerable app is running - you’ll see the malformed SQL query:
Query ejecutada: SELECT * FROM users WHERE username = 'admin' AND password = 'x' OR '1'='1'
4

Try the Same on Secure Version

Now try the exact same payload on http://localhost:5001/loginResult: Login fails with “Credenciales incorrectas”The secure version uses parameterized queries, so the SQL injection is prevented.
Congratulations! You’ve just performed your first SQL injection in a safe, legal environment. Now explore the other vulnerabilities.

Application Features

Both versions include these pages:
Landing page with links to login and registration
Authentication page - vulnerable version has SQL injection
Create new user accounts
Protected page after login - vulnerable version has XSS
User profile page - vulnerable version has IDOR
End session and clear cookies

Project Structure

Understand the codebase layout: 
auth-security-project/
├── vulnerable/              # Insecure implementation
│   ├── app.py              # Main Flask application (175 lines)
│   ├── database.py         # Database setup - plaintext passwords
│   ├── users.db            # SQLite database (auto-generated)
│   ├── requirements.txt    # Python dependencies
│   └── templates/          # HTML templates
│       ├── index.html
│       ├── login.html
│       ├── register.html
│       ├── dashboard.html  # XSS vulnerable
│       └── profile.html    # IDOR vulnerable

├── secure/                 # Secure implementation
│   ├── app.py             # Main Flask application (191 lines)
│   ├── database.py        # Database setup - hashed passwords
│   ├── users.db           # SQLite database (auto-generated)
│   ├── requirements.txt   # Python dependencies + security libs
│   └── templates/         # HTML templates with encoding

└── README.md              # Project documentation

Key Files to Study

# VULNERABLE: SQL Injection
query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
cursor.execute(query)
The main differences between versions are in app.py (application logic) and database.py (password storage). Compare them side-by-side to learn.
For cleaner Python package management, use virtual environments:
1

Create Virtual Environment

python -m venv venv
2

Activate Virtual Environment

source venv/bin/activate
Your prompt should change to show (venv).
3

Install Dependencies

cd vulnerable
pip install -r requirements.txt
Packages are now isolated to this virtual environment.
4

Deactivate When Done

deactivate

Troubleshooting

Error: Address already in useSolution: Change the port in the code or kill the process:
# Find process using port 5000
lsof -i :5000

# Kill it
kill -9 <PID>

# Or run on different port
python app.py --port 5002
Error: ModuleNotFoundError: No module named 'flask'Solution: Install requirements:
pip install -r requirements.txt
Make sure you’re in the correct directory (vulnerable/ or secure/).
Error: sqlite3.OperationalError: database is lockedSolution: Close any other connections to the database:
# Stop the Flask app
# Delete the database
rm users.db

# Recreate it
python database.py
Error: Permission denied when running scriptsSolution: Check file permissions or use python3:
chmod +x app.py
# Or
python3 app.py

Next Steps

Now that you have both applications running:

SQL Injection

Start with the most critical vulnerability

Cross-Site Scripting

Learn about XSS attacks and prevention

IDOR

Test unauthorized data access

Password Storage

See why plaintext passwords are dangerous
Keep both applications running in separate terminal windows so you can quickly switch between them for comparison.

Running on Different Ports

If you need to change the default ports: 
if __name__ == '__main__':
    import os
    app.run(host='0.0.0.0', 
            port=int(os.environ.get('PORT', 5000)),
            debug=False)

Stopping the Applications

To stop the Flask servers:
  • Press Ctrl+C in each terminal window
  • Or close the terminal windows
The SQLite database files (users.db) persist after stopping. Delete them and re-run python database.py to reset to default state.

Using with Docker (Advanced)

For isolated container environments:
Dockerfile.vulnerable
FROM python:3.11-slim
WORKDIR /app
COPY vulnerable/requirements.txt .
RUN pip install -r requirements.txt
COPY vulnerable/ .
RUN python database.py
EXPOSE 5000
CMD ["python", "app.py"]
Build and Run
# Build image
docker build -f Dockerfile.vulnerable -t auth-vulnerable .

# Run container
docker run -p 5000:5000 auth-vulnerable
Docker setup is optional. The standard Python installation works great for learning.

Ready to Exploit?

You now have a complete lab environment. Time to learn by doing:
1

Study the Vulnerability

Read the documentation for each vulnerability type
2

Test on Vulnerable Version

Try the exploits on http://localhost:5000
3

Verify Fix on Secure Version

Confirm the same exploit fails on http://localhost:5001
4

Read the Code

Compare the source code to understand the differences

Start Learning

Begin with SQL Injection - the most critical web vulnerability

Build docs developers (and LLMs) love

Get started for freeTalk to us