Unsafe Code Lab is a hands-on security training ground for code reviewers and penetration testers. Learn to spot vulnerabilities in production-quality code by understanding why they happen: refactoring drift, framework design patterns, and subtle API misuse in modern web frameworks like Flask, Django, FastAPI, and Express.js.
- AppSec students with CTF/bug bounty/pentesting experience who want to master secure code review of real-world web frameworks
- Senior security engineers needing quick reference material when reviewing code in unfamiliar languages or frameworks
To get an idea of what this project is all about, we recommend starting with the Confusion vulnerabilities in Flask:
- Source Precedence — Different components pull the "same" logical parameter from different places (path vs. query vs. body vs. headers vs. cookies), leading to precedence conflicts, merging issues, or source pollution.
- Cross-Component Parse — Middleware, decorators, or framework helpers parse or reshape inputs in ways that differ from what the view sees.
- Authorization Binding — Authorization checks identity or value X, but the handler acts on identity or value Y.
- HTTP Semantics — Wrong assumptions about HTTP methods or content types (e.g., GET with body, form vs. JSON) cause components to read different sources.
- Multi-Value Semantics — One component treats a parameter as a list while another grabs only the first value, or `.get()` vs. `.getlist()` disagreements create different effective values.
- Normalization & Canonicalization — Case folding, whitespace stripping, URL decoding, or path normalization makes "equal" values diverge when checked versus used.
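The Multi-Value and Authorization Binding categories above often appear together: the check reads one value and the handler acts on several. The following added example (not code from the lab itself) models that with the standard library's `parse_qs`, which keeps repeated values the same way Flask's `request.args` does (`.get()` returns the first value, `.getlist()` all of them); the ownership table and the `doc` parameter are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed ownership table standing in for a database lookup: user -> owned doc ids.
OWNED_DOCS = {"alice": {"1"}, "bob": {"2"}}


def parse_query(query: str) -> dict[str, list[str]]:
    """Model of a multi-value query string. Flask's request.args behaves the same:
    .get(key) returns the first value, .getlist(key) returns every repeated value."""
    return parse_qs(query, keep_blank_values=True)


def fetch_docs_vulnerable(user: str, query: str) -> tuple[int, list[str]]:
    """Authorization checks the FIRST 'doc' value, but the handler acts on ALL of them."""
    params = parse_query(query)
    checked = params.get("doc", [""])[0]       # equivalent of request.args.get("doc")
    if checked not in OWNED_DOCS.get(user, set()):
        return 403, []
    requested = params.get("doc", [])          # equivalent of request.args.getlist("doc")
    return 200, requested                      # may contain ids that were never authorized


def fetch_docs_fixed(user: str, query: str) -> tuple[int, list[str]]:
    """Read the parameter once, as a list, and authorize every value the handler will use."""
    params = parse_query(query)
    requested = params.get("doc", [])
    if not requested:
        return 400, []                         # missing parameter is a client error, not a bypass
    owned = OWNED_DOCS.get(user, set())
    if any(doc not in owned for doc in requested):
        return 403, []                         # one unauthorized id rejects the whole request
    return 200, requested
```

The fix binds the check and the action to the same list: whatever set of values the handler will touch is exactly the set that was authorized.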
- Real code patterns: See how refactoring and feature additions introduce vulnerabilities.
- Focus on API Design: See firsthand how framework API design can either create security traps or completely prevent mistakes that are common elsewhere.
- Easy Setup: Execute exploits directly from VSCode using .http files with no Burp or ZAP required.
Flask is our model framework with complete vulnerability coverage.
We're actively expanding coverage to include:
| Language | Planned Frameworks |
|---|---|
| Python | Django, Django REST Framework, FastAPI, CherryPy, Bottle |
| JavaScript | Express.js, Koa, Meteor.js, Nest.js |
Want to help? We're looking for contributors to help build vulnerability examples for these frameworks. Each framework needs runnable applications demonstrating security pitfalls in production-quality code. Check out the Flask examples to see what we're aiming for, then see CONTRIBUTING.md for details on how to contribute!
Click through the auto-generated READMEs to learn vulnerabilities, see code snippets, and read exploitation examples. The entire lab works as a self-contained wiki.
Not sure where to start? Go here.
Clone the repo, start Docker Compose, and execute exploits from .http files directly in VSCode using the REST Client extension. No pentesting tools required.
- Install Docker (Docker Desktop or Docker Engine with Compose v2)
- Install REST Client extension for VS Code to execute exploit examples (like `exploit-19.http`) found in `/http/` directories
- Clone this repository:

```shell
git clone https://github.com/Irench1k/unsafe-code
cd unsafe-code
```

Contributors: See CONTRIBUTING.md for additional setup including uv and the documentation generator.
You can easily play around with the examples using these commands:

- Start:

```shell
cd vulnerabilities/python/flask/confusion
docker compose up -d
```

Open any .http file in VSCode (with REST Client extension) and click "Send Request" to execute exploits.

- View logs:

```shell
docker compose logs -f
```

- Stop:

```shell
docker compose down
```
