A Flask-based security testing project designed to demonstrate and identify access control vulnerabilities in web applications.
- Overview
- Security Testing Purposes
- Project Structure
- Vulnerability Demonstration
- Installation & Setup
- Running Tests
- Test Results
- Security Findings
- Remediation Guidelines
- Educational Value
- Contributing
- License
This project contains a deliberately vulnerable Flask web application with comprehensive security tests. It serves as an educational tool for understanding access control vulnerabilities and demonstrates how proper security testing can identify critical security flaws.
- Demonstrate Broken Access Control (CWE-284)
  - Show how insufficient authorization checks can lead to privilege escalation
  - Illustrate the difference between authentication and authorization
  - Provide real-world examples of access control failures
- Security Test Development
  - Build comprehensive test suites for authentication mechanisms
  - Implement automated security vulnerability detection
  - Create repeatable security testing workflows
- Educational Security Training
  - Teach developers about common access control mistakes
  - Demonstrate proper security testing methodologies
  - Show how to identify and fix authorization vulnerabilities
- Authentication Testing
  - Valid credential verification
  - Invalid credential rejection
  - Session management validation
- Authorization Testing
  - Role-based access control verification
  - Privilege escalation detection
  - Unauthorized access attempts
- Session Security Testing
  - Session persistence validation
  - Logout functionality verification
  - Session state management
```
access_control_testing/
├── app.py            # Flask application with vulnerability
├── app_test.py       # Comprehensive security test suite
├── test_report.md    # Detailed security analysis report
├── README.md         # Project documentation (this file)
├── LICENSE           # Project license
└── __pycache__/      # Python bytecode cache
    ├── app.cpython-312.pyc
    └── app.cpython-313.pyc
```
| File | Purpose | Key Features |
|---|---|---|
| app.py | Main Flask application | Authentication, session management, vulnerable admin endpoint |
| app_test.py | Security test suite | 7 comprehensive test cases, proper shutdown mechanism |
| test_report.md | Security analysis | Vulnerability documentation, remediation steps |
| README.md | Project documentation | Setup instructions, security context |
The application contains a critical access control vulnerability in the /admin endpoint:

```python
@app.route('/admin')
def admin_panel():
    # Vulnerable access control: no role check
    if 'username' in session:
        return 'Admin Panel - only for admins'
    return redirect(url_for('index'))
```

Problem: The code only checks whether a user is authenticated (`'username' in session`) but never verifies that the user holds administrative privileges (`session.get('role') == 'admin'`).

Impact: Any authenticated user can access administrative functionality, which amounts to privilege escalation.
- Python 3.7+
- pip package manager

1. Clone the repository:
   ```bash
   git clone <repository-url>
   cd access_control_testing
   ```
2. Install dependencies:
   ```bash
   pip install flask requests
   ```
3. Verify the installation:
   ```bash
   python app.py
   ```
```bash
# Run the complete test suite
python app_test.py
# Expected output: 6/7 tests pass, 1 security vulnerability detected
```
- Automated Server Management: Tests start/stop Flask server automatically
- Session Persistence: Proper cookie handling for authentication testing
- Graceful Shutdown: No hanging processes after test completion
- Comprehensive Coverage: Authentication, authorization, and session management
| Test Case | Status | Security Implication |
|---|---|---|
| test_login_admin | ✅ PASS | Authentication works correctly |
| test_login_user | ✅ PASS | User authentication functions |
| test_login_invalid_credentials | ✅ PASS | Brute force protection active |
| test_access_admin_panel_as_admin | ✅ PASS | Admin access works as intended |
| test_access_admin_panel_as_user | ❌ FAIL | 🚨 SECURITY VULNERABILITY |
| test_access_admin_panel_as_unauthenticated | ✅ PASS | Unauthenticated access blocked |
| test_logout | ✅ PASS | Session clearing works properly |
Overall Result: 6/7 tests passed (85.7% pass rate)
- Weakness Classification: CWE-284 (Improper Access Control)
- Severity: HIGH (CVSS 8.5)
- OWASP Category: A01:2021 - Broken Access Control
Root Cause: Missing role-based authorization check in admin endpoint
Proof of Concept:
1. A regular user logs in with valid credentials.
2. The user requests the /admin endpoint.
3. The application grants access based solely on authentication status.
4. The user gains unauthorized access to administrative functions.
- Confidentiality: Unauthorized access to sensitive admin data
- Integrity: Potential modification of system settings
- Availability: Risk of system disruption through admin functions
- Compliance: Violation of principle of least privilege
Replace the vulnerable admin endpoint with proper role checking:

```python
@app.route('/admin')
def admin_panel():
    if 'username' not in session:
        return redirect(url_for('index'))
    # Add proper role-based access control
    if session.get('role') != 'admin':
        return 'Access Denied: Admin privileges required', 403
    return 'Admin Panel - only for admins'
```
- Implement Role-Based Access Control (RBAC)
  - Always verify both authentication AND authorization
  - Use decorator functions for consistent access control
  - Implement the principle of least privilege
- Secure Session Management
  - Use secure session configuration
  - Implement session timeout mechanisms
  - Validate session integrity on each request
- Input Validation & Error Handling
  - Sanitize all user inputs
  - Return appropriate HTTP status codes
  - Avoid information leakage in error messages
```python
# Example: Decorator for role-based protection
from functools import wraps

from flask import redirect, session, url_for


def require_role(required_role):
    def decorator(f):
        @wraps(f)  # preserve the wrapped view's name for Flask's endpoint registry
        def decorated_function(*args, **kwargs):
            # Authentication check: is anyone logged in at all?
            if 'username' not in session:
                return redirect(url_for('login'))
            # Authorization check: does the logged-in user hold the required role?
            if session.get('role') != required_role:
                return 'Access Denied', 403
            return f(*args, **kwargs)
        return decorated_function
    return decorator


# Usage
@app.route('/admin')
@require_role('admin')
def admin_panel():
    return 'Admin Panel - only for admins'
```
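The following is an added example, not the project's app.py or app_test.py: it puts the vulnerable endpoint and the decorator-protected fix side by side in one small Flask app and reruns the project's `test_access_admin_panel_as_user` check in-process with Flask's test client, so no server has to be started or shut down. The `/admin-vulnerable` route, the `USERS` table, the secret key and the `admin_status_as` helper are constructed for this example; the decorator generalizes the page's version to accept several allowed roles.

```python
# Added example, not the project's app.py or app_test.py: the access-control
# test rerun in-process with Flask's test client (Flask must be installed).
from functools import wraps
from flask import Flask, redirect, request, session, url_for

app = Flask(__name__)
app.secret_key = "example-only-secret"  # constructed; never reuse in real code
# Constructed accounts: username -> (password, role). Not the project's users.
USERS = {"admin": ("adminpass", "admin"), "alice": ("alicepass", "user")}

def require_role(*roles):
    """Allow the request only if the session carries one of the given roles."""
    def decorator(f):
        @wraps(f)
        def wrapped(*args, **kwargs):
            if "username" not in session:
                return redirect(url_for("login"))  # not authenticated
            if session.get("role") not in roles:
                return "Access Denied: insufficient privileges", 403
            return f(*args, **kwargs)
        return wrapped
    return decorator

@app.route("/login", methods=["POST"])
def login():
    creds = USERS.get(request.form.get("username", ""))
    if creds is None or creds[0] != request.form.get("password", ""):
        return "Invalid credentials", 401
    session["username"], session["role"] = request.form["username"], creds[1]
    return "Logged in"

@app.route("/admin-vulnerable")
def admin_vulnerable():
    # Reproduces the original defect: authentication checked, role never checked.
    if "username" in session:
        return "Admin Panel - only for admins"
    return redirect(url_for("login"))

@app.route("/admin")
@require_role("admin")
def admin_panel():
    return "Admin Panel - only for admins"

def admin_status_as(username, password, path="/admin"):
    """HTTP status a fresh client gets for GET path, after logging in if given."""
    with app.test_client() as client:
        if username is not None:
            client.post("/login", data={"username": username, "password": password})
        return client.get(path).status_code
```

A regular user gets 403 from the fixed route but 200 from the vulnerable one, which is exactly the difference the project's failing test case surfaces.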
This project helps developers understand:
- Common Security Vulnerabilities
  - How access control flaws occur in real applications
  - The difference between authentication and authorization
  - Impact of insufficient security controls
- Security Testing Methodologies
  - Automated vulnerability detection techniques
  - Comprehensive test case development
  - Security-focused test design patterns
- Secure Development Practices
  - Implementation of proper access controls
  - Security-by-design principles
  - Code review for security vulnerabilities
- Security Training Programs: Hands-on vulnerability demonstration
- Code Review Training: Example of what to look for in security reviews
- Penetration Testing: Baseline vulnerable application for testing tools
- DevSecOps Integration: Template for security test automation
- Additional test cases for edge scenarios
- Integration with security scanning tools
- Documentation improvements
- Additional vulnerability examples
- All security tests must pass (except intentional vulnerability detection)
- New vulnerabilities should be clearly documented
- Include remediation examples for any new security flaws
- Update test report documentation
This project is licensed under the MIT License - see the LICENSE file for details.
This application is intentionally vulnerable and designed for portfolio purposes only.
- DO NOT deploy this application in production environments
- DO NOT use this code as a template for real applications without implementing proper security controls
- ALWAYS implement proper access control mechanisms in production code
- REVIEW all security implementations with qualified security professionals