🛡️ Web Vulnerability Lab — Learn, Simulate & Secure the Web

🔐 A safe and interactive sandbox to learn how common web vulnerabilities work — and how to defend against them. Built with Flask, PostgreSQL, and Bootstrap.

---

🧩 Overview

Web Vulnerability Lab is a security-focused educational platform that demonstrates real-world attack scenarios in a safe environment. Learn how malicious users exploit vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), and explore secure coding strategies to prevent them.

---

🌟 Key Features

✅ SQL Injection (Vulnerable vs Secure Login)
✅ Cross-Site Scripting (XSS via form input)
✅ Cross-Site Request Forgery (Simulated Banking Transfer)
✅ Real-time form input, execution logs, and code comparisons
✅ One-click "Init Demo Data" setup for instant testing
✅ Clean UI with Bootstrap dark mode

---

🛠️ Tech Stack

Layer	Technology
Backend	Python Flask, SQLAlchemy ORM
Frontend	Jinja2 + Bootstrap 5 (Dark Theme)
Database	PostgreSQL (default), SQLite (fallback)
Security	CSRF Protection, Escaped Templates, Input Sanitization

---

📹 Demo Walkthrough

🎬 Watch Demo Video: Click to Watch on Google Drive

🖼️ Screenshots

Dashboard

SQL Injection

XSS Attack Demo

CSRF Protected Transfer

---

📁 Project Structure

WEB-VULNERABILITY-LAB/
├── app.py # Main Flask app
├── models.py # Database models
├── routes.py # All route logic
├── templates/ # HTML Templates (Jinja2)
├── static/ # CSS/JS files
├── screenshots/ # Screenshots for demo
├── requirements.txt # Dependencies
└── README.md

---

🚀 Getting Started Locally

1️⃣ Clone the Repository

git clone https://github.com/subuhana2303/web-vulnerability-lab.git cd web-vulnerability-lab

2️⃣ Install Dependencies

pip install -r requirements.txt

3️⃣ Run the Flask App

python app.py ➡️ Open your browser: http://localhost:9000 🧪 Click "Init Demo Data" to populate the app and begin exploring vulnerabilities.

---

🧠 Sample Payloads

🔓 SQL Injection

' OR '1'='1

admin'--

' UNION SELECT 1,2,3--

🦠 XSS

<script>alert('XSS')</script>

<img src=x onerror=alert(1)>

<svg onload=alert('XSS')>

🎯 CSRF

Transfer page tested with/without tokens

Secure form prevents unauthorized requests

---

🎓 Learning Outcomes

Understand the mechanism behind common vulnerabilities

Differentiate between insecure and secure coding practices

Get hands-on with Flask, HTML templating, and security defenses

Learn how CSRF tokens and HTML escaping protect users

💡 Motivation

This project was created to:

Help beginners and students learn web application security

Enable safe experimentation with real-world attacks

Support academic teaching and cybersecurity awareness

---

🙋🏻‍♀️ About Me

👩🏻 Subuhana B

📧 [email protected]

🌐 GitHub: @subuhana2303

---

🤝 Contributing

Pull requests and suggestions are welcome! If you'd like to contribute enhancements, please fork the repo and submit a PR. For feature ideas or bug reports, feel free to open an issue.

---

⚠️ Disclaimer

This project is for educational use only. Never use these techniques in unauthorized environments. Always test within legal, ethical, and permitted boundaries.

---

📄 License

This project is licensed under the MIT License. You are free to fork, use, and build on it with proper credit.

---