Running the Demos

Overview

The Auth Security Demo consists of two separate Flask applications that demonstrate the contrast between vulnerable and secure coding practices:

Vulnerable App: Port 5000 - Demonstrates common security flaws
Secure App: Port 5001 - Implements security best practices

Educational Use Only: These applications are designed for learning purposes. Never deploy the vulnerable version in production or on public networks.

Starting the Applications

Development Mode
Production Mode (Gunicorn)
Background Mode

Start the vulnerable application

Open a terminal and run:

cd vulnerable
python3 app.py

Expected output:

* Serving Flask app 'app'
* Debug mode: off
WARNING: This is a development server. Do not use it in production.
* Running on all addresses (0.0.0.0)
* Running on http://127.0.0.1:5000
* Running on http://192.168.x.x:5000

The vulnerable app runs on port 5000 with debug mode disabled for realistic testing.

Start the secure application

Open a new terminal (keep the first one running) and run:

cd secure
python3 app.py

Expected output:

* Serving Flask app 'app'
* Debug mode: off
* Running on all addresses (0.0.0.0)
* Running on http://127.0.0.1:5001

The secure app runs on port 5001 to avoid conflicts.

Verify both apps are running

Check that both servers are responding:

# Test vulnerable app
curl -I http://localhost:5000

# Test secure app
curl -I http://localhost:5001

Both should return HTTP 200 OK responses.

Start vulnerable app with Gunicorn

For a production-like environment:

cd vulnerable
gunicorn app:app --bind 0.0.0.0:5000

Expected output:

[INFO] Starting gunicorn 21.2.0
[INFO] Listening at: http://0.0.0.0:5000
[INFO] Using worker: sync
[INFO] Booting worker with pid: 12345

Start secure app with Gunicorn

In a new terminal:

cd secure
gunicorn app:app --bind 0.0.0.0:5001

Gunicorn provides better performance and is the recommended production server for Flask applications.

Run both apps in the background:

# Start vulnerable app in background
cd vulnerable && python3 app.py &> vulnerable.log &
echo $! > vulnerable.pid

# Start secure app in background
cd ../secure && python3 app.py &> secure.log &
echo $! > secure.pid

# View running processes
ps -p $(cat vulnerable/vulnerable.pid) $(cat secure/secure.pid)

To stop the apps:

kill $(cat vulnerable/vulnerable.pid)
kill $(cat secure/secure.pid)

Accessing the Applications

Vulnerable Application

Local Access:

http://localhost:5000

Default Credentials:

Admin: admin / admin123
User: usuario / password123

Secure Application

Local Access:

http://localhost:5001

Default Credentials:

Admin: admin / admin123
User: usuario / password123

Application Features

Both applications include the same features to allow direct comparison:

Authentication System

Login Page (/login): User authentication
Register Page (/register): New user registration
Logout (/logout): Session termination

Test accounts are pre-configured in both databases:

Username	Password	Role
admin	admin123	admin
usuario	password123	user

Protected Routes

Dashboard (/dashboard): Main landing page after login
Profile (/profile): User profile with query parameter ?id=X

These routes require active sessions and demonstrate authorization vulnerabilities.

Database Operations

Both apps use SQLite with the same schema:

CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    email TEXT,
    role TEXT DEFAULT 'user',
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)

Key Difference:

Vulnerable: Passwords stored in plain text
Secure: Passwords hashed with bcrypt

Configuration Details

app = Flask(__name__)
app.secret_key = 'clave_super_secreta_123'  # INSECURE: Hardcoded secret

Vulnerable App Configuration
Secure App Configuration

Insecure Practices:

Hardcoded secret key
No CSRF protection
No security headers
SQL injection vulnerable
XSS vulnerable
IDOR vulnerable

Port: 5000 (default Flask development port)

Network Access

Localhost Only (Default)
Restrict to Localhost
Remote Access (Lab Only)

By default, both apps listen on 0.0.0.0, making them accessible from:

http://localhost:5000 (or 5001)
http://127.0.0.1:5000 (or 5001)
http://<your-local-ip>:5000 (or 5001)

Other devices on your network can access via your local IP.

For added security during testing, bind only to localhost:

# Modify app.py
if __name__ == '__main__':
    app.run(host='127.0.0.1', port=5000, debug=False)

Or with Gunicorn:

gunicorn app:app --bind 127.0.0.1:5000

Only do this in isolated lab environments, never on production networks.

To make accessible from other machines:

Ensure firewall allows the ports
Apps are already listening on 0.0.0.0
Access via: http://<server-ip>:5000

Firewall example (Linux):

sudo ufw allow 5000/tcp
sudo ufw allow 5001/tcp

Monitoring and Logs

View real-time logs

When running in development mode, logs appear in the terminal:

# Watch vulnerable app logs
tail -f vulnerable.log

# Watch secure app logs
tail -f secure.log

The vulnerable app prints SQL queries to console for educational purposes.

Check for SQL queries (vulnerable app)

The vulnerable app logs raw SQL queries:

Query ejecutada: SELECT * FROM users WHERE username = 'admin' AND password = 'admin123'

This helps you see exactly how SQL injection works.

Monitor HTTP requests

Use browser developer tools (F12) to inspect:

Network requests
Response headers
Cookies and sessions
JavaScript errors (for XSS testing)

Stopping the Applications

Interactive Mode
Background Processes
Gunicorn

If running in a terminal, press:

Ctrl + C

This sends a SIGINT signal to gracefully stop the Flask server.

Find and kill the processes:

# Find Flask processes
ps aux | grep app.py

# Kill by PID
kill <PID>

# Or kill all Python Flask apps
pkill -f "python3 app.py"

Gracefully stop Gunicorn:

# Find Gunicorn master process
ps aux | grep gunicorn

# Graceful shutdown
kill -TERM <MASTER_PID>

# Or force stop
pkill -9 gunicorn

Quick Reference

Application	Port	URL	Purpose
Vulnerable	5000	http://localhost:5000	Demonstrate vulnerabilities
Secure	5001	http://localhost:5001	Show secure implementations

Common Commands:

# Start vulnerable
cd vulnerable && python3 app.py

# Start secure
cd secure && python3 app.py

# Check running apps
lsof -i :5000,5001

# View logs
tail -f *.log

Get Started

Vulnerabilities

Security Best Practices

Lab Setup

Overview

Starting the Applications

Accessing the Applications

Vulnerable Application

Secure Application

Application Features

Configuration Details

Network Access

Monitoring and Logs

Stopping the Applications

Quick Reference

Next Steps

Test Vulnerabilities

Troubleshooting

Build docs developers (and LLMs) love

Get Started

Vulnerabilities

Security Best Practices

Lab Setup

​Overview

​Starting the Applications

​Accessing the Applications

Vulnerable Application

Secure Application

​Application Features

​Configuration Details

​Network Access

​Monitoring and Logs

​Stopping the Applications

​Quick Reference

​Next Steps

Test Vulnerabilities

Troubleshooting

Build docs developers (and LLMs) love

Overview

Starting the Applications

Accessing the Applications

Application Features

Configuration Details

Network Access

Monitoring and Logs

Stopping the Applications

Quick Reference

Next Steps