A deliberately vulnerable web application designed for practicing web security testing and bug bounty hunting. This project includes multiple common web vulnerabilities, such as SQL Injection, IDOR, XSS, Open Redirects, and Insecure File Uploads.
⚠️ Note: The hosted demo on Render sits behind Cloudflare, whose WAF may block SQL injection attempts with the error: "Sorry, you have been blocked. This website is using a security service to protect itself from online attacks."
For unrestricted testing, run the project locally:

```bash
git clone https://github.com/adarsh-s-r/web-pentest-playground.git
cd web-pentest-playground
pip install -r requirements.txt
python app.py
```

The application will then be available at http://127.0.0.1:5000
- Users must register manually (no pre-existing admin account)
- Login form vulnerable to SQL Injection
- Comments section vulnerable to unsanitized JavaScript execution
- Redirects users to external sites via `/redirect?url=<target>`
- Allows arbitrary file uploads including .php files
- Any registered user with the username admin has admin privileges
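The login bypass works because the login query splices the submitted username into the SQL text. The following is an added example, not code from this project: it uses a constructed in-memory SQLite table (the real schema in `app.py` is not shown here, so the column names are an assumption) and puts the concatenating query next to a parameterised one so the difference can be run rather than described.

```python
import sqlite3


def make_db(with_admin=True):
    """Build a constructed in-memory users table.

    The table layout is an assumption for this example; the playground's
    real schema in app.py is not shown in the README.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    if with_admin:
        conn.execute("INSERT INTO users VALUES ('admin', 'admin123')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The user-supplied strings are spliced into the SQL text, so a quote in
    # the username closes the literal and everything after it is parsed as SQL.
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Return the username that was logged in, or None (injectable)."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # With the payload "admin' -- " the query becomes
    #   ... WHERE username = 'admin' -- ' AND password = 'wrong'
    # and SQLite ignores everything after "--" as a comment.
    print(build_vulnerable_query("admin' -- ", "wrong"))
    print("vulnerable:", login_vulnerable(db, "admin' -- ", "wrong"))
    print("safe:      ", login_safe(db, "admin' -- ", "wrong"))
    # The bypass needs an existing admin row, as the README notes.
    no_admin = make_db(with_admin=False)
    print("no admin:  ", login_vulnerable(no_admin, "admin' -- ", "wrong"))
```

The trailing space after `--` matters in some SQL dialects and is harmless in SQLite; the parameterised version treats `admin' -- ` as a ten-character username and finds nothing.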
- Endpoint: `/login` - Payload (username field, any password): `admin' -- ` - Effect: Logs in as admin without a valid password (if an admin user exists). The single quote closes the username literal and `--` comments out the rest of the query, including the password check; this only works because the login query concatenates the input into the SQL text.
- Endpoint: `/view_users` - Exploit: A normal user can access this page and then navigate to `/admin_dashboard` - Effect: Admin-only pages are reachable from a non-admin session because there is no server-side authorization check.
- Endpoint: `/comment` - Payload: `<script>alert('Hacked!')</script>` - Effect: The script executes in the browser of anyone viewing the comments (stored XSS).
- Endpoint: `/redirect?url=https://evil.com` - Effect: Redirects the user to an external site. A link to this URL appears to point at the trusted application, which is what makes open redirects useful for phishing.
- Endpoint: `/upload` - Exploit: Upload a file with a `.php` extension (e.g. `malicious.php`) and request it at `/uploads/malicious.php`. Caveat: the Python server started with `python app.py` does not execute PHP, so it returns the upload as static content; the file only runs server-side if the uploads directory is served by a PHP-enabled web server.
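The usual fix for the `/redirect?url=...` issue is to validate the target before sending the `Location` header. The following is an added example, not code from this project: the allowed host list assumes the local development address from this README, and the handler name `resolve_redirect` is hypothetical. It goes a little beyond the single `https://evil.com` payload above by also rejecting the scheme-relative, backslash and `javascript:` variants that naive "does it start with http" checks miss.

```python
from urllib.parse import urlparse

# Assumption: the local dev host from this README; a deployment would list
# its own public hostname(s) here instead.
ALLOWED_HOSTS = {"127.0.0.1:5000", "localhost:5000"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for same-site targets.

    Rejects absolute URLs to other hosts, scheme-relative (//host) URLs,
    non-http(s) schemes such as javascript:, userinfo tricks like
    http://127.0.0.1:5000@evil.com, and backslash variants that browsers
    normalise to slashes.
    """
    if not target:
        return False
    # Browsers treat '\' like '/', so "/\evil.com" is really "//evil.com".
    normalised = target.replace("\\", "/")
    parsed = urlparse(normalised)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    if parsed.netloc:
        # Absolute or scheme-relative URL: only our own host(s) may pass.
        # netloc includes any user@ prefix, so the userinfo trick fails too.
        return parsed.netloc.lower() in allowed_hosts
    # No netloc: must be a plain site-relative path with one leading '/'.
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_redirect(target, fallback="/"):
    """What a hardened /redirect handler would put in its Location header."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample targets, including the README's evil.com payload.
    samples = [
        "/dashboard",
        "http://127.0.0.1:5000/dashboard",
        "https://evil.com",
        "//evil.com",
        "/\\evil.com",
        "javascript:alert(1)",
        "http://127.0.0.1:5000@evil.com/",
    ]
    for t in samples:
        print(f"{t!r:40} -> {resolve_redirect(t)!r}")
```

An allowlist of hosts is deliberately preferred over a denylist of known-bad domains; the same check can be applied to any `next`/`return_to` style parameter, not only `/redirect`.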
- There is no pre-existing admin account; register one manually with the username admin (e.g. admin:admin123) before trying the login bypass.
- The app is intentionally vulnerable; do NOT deploy it in a production environment.
This project is for educational purposes only. Do NOT deploy this on a live server without proper security measures.
MIT License. Feel free to use, modify, and learn from it! 😊