This is a simple Python Flask web application that can be used for the demonstration of Application Security testing tools (including SAST, DAST and SCA). The application has a few basic features to demonstrate some common vulnerabilities such as:
- SQL Injection
- Cross Site Scripting (XSS)
- Insecure Deserialization
- Security Misconfiguration
- Sensitive Data Exposure
- Path Manipulation
- Using Components with Known Vulnerabilities
The application is not intended to be used in production and is provided for educational purposes only.
Prerequisites:
- Python 3.12 or later
- Pip package manager
- w64devkit or Cygwin (to provide make) - if running on Windows
- Docker installation (optional)
You can run the application locally using the following:
Windows:
make build
make run
The application should then be available at the URL http://localhost:5000. If it fails to start,
make sure you have no other applications running on port 5000.
You can also build a Docker image for the application using the following:
docker build -t demoapp:latest .
Then run the container using a command similar to the following:
docker run -dp 8080:8000 demoapp:latest
The application will then be available at the URL http://localhost:8080. If it fails to start,
make sure you have no other applications running on port 8080.
Most of the application functionality is available as a guest user; however, some features require
you to log in. The application has a basic 2FA implementation using the pyotp package.
You can login using the following credentials:
- user1@localhost.com/password
- admin@localhost.com/password
For the OTP code, the TOTP secret is hard-coded in the application to base32secret3232.
You can use an authenticator app or an online tool such as TOTP Token Generator to generate the current code from that secret.
To carry out a basic security scan with bandit, run the following:
make bandit-scan
firefox bandit-report.html
To carry out an OpenText Static Code Analyzer local scan, run the following:
sourceanalyzer -b iwa -clean
sourceanalyzer -b iwa -python-path ".venv\\Lib\\site-packages" iwa
sourceanalyzer -b iwa -scan
or you can use the Makefile target:
make sast-scan
To carry out an OpenText ScanCentral SAST scan, run the following:
fcli ssc session login
scancentral package -o package.zip -bt none --python-version 3 --python-requirements requirements.txt
fcli sast-scan start --release "_YOURAPP_:_YOURREL_" -f package.zip --store curScan
fcli sast-scan wait-for ::curScan::
fcli ssc action run appversion-summary --av "_YOURAPP_:_YOURREL_" -fs "Security Auditor View" -f summary.md
To carry out an OpenText Application Security Core scan (formerly Fortify on Demand, hence the fcli fod commands), run the following:
fcli fod session login
scancentral package -o package.zip -bt none --python-version 3 --python-requirements requirements.txt
fcli fod sast-scan start --release "_YOURAPP_:_YOURREL_" -f package.zip --store curScan
fcli fod sast-scan wait-for ::curScan::
fcli fod action run release-summary --rel "_YOURAPP_:_YOURREL_" -f summary.md
Kevin A. Lee (kadraman) - klee2@opentext.com