ThreatByte is an intentionally vulnerable web application built to demonstrate common web application and API security risks. It provides a platform for exploring and understanding these vulnerabilities in a controlled environment.
Prerequisites:
- Python 3 (any 3.x release)
- SQLite
To run the ThreatByte application locally, follow these steps:
- Clone the repository: `git clone https://github.com/anotherik/ThreatByte.git`
- Change into the project directory: `cd ThreatByte`
- Create a virtual environment: `python -m venv venv_threatbyte`
- Activate the virtual environment:
  - On Windows: `venv_threatbyte\Scripts\activate`
  - On macOS and Linux: `source venv_threatbyte/bin/activate`
- Install dependencies: `pip install -r requirements.txt`
- Initialize the database: `python db/create_db_tables.py`
- Run the application: `python run.py`
- Access the application in your web browser at http://localhost:5000.
- Deactivate the virtual environment when you are done testing: `deactivate`
Alternatively, you can use Docker to run ThreatByte. Ensure you have Docker installed on your system.
- Build the Docker image: `docker build -t threatbyte .`
- Run the Docker container: `docker run -p 5000:5000 threatbyte`
- Access the application in your web browser at http://localhost:5000.
Because the application is intentionally vulnerable, keep it off shared networks: `-p 5000:5000` publishes the port on every host interface, so on a machine reachable by others bind it to loopback instead with `docker run -p 127.0.0.1:5000:5000 threatbyte`.
The ThreatByte application aims to represent a simple online sharing platform. Currently it has the following features:
- User Authentication: Users can sign up, log in, and log out.
- Dashboard: Users have a personalized dashboard to view and manage their uploaded files.
- File Upload: Users can upload files to the application.
- Profile Management: Users can view and edit their profile information.
The application currently demonstrates the following vulnerability classes:
- Broken Authentication
  - Brute-force attacks
  - Session Management issues
  - Insufficiently Protected Credentials
- Cryptographic Failures
- Injections
  - SQL Injection
  - Cross-Site Scripting (XSS)
    - Reflected
    - DOM
    - Stored
- Cross-Site Request Forgery
- Server-Side Request Forgery
- Unrestricted File Upload
- Broken Access Control
  - Broken Object Level Authorization (BOLA)
  - Broken Object Property Level Authorization (BOPA)
  - Broken Function Level Authorization (BFLA)
- Insecure configurations