This project is a deliberately vulnerable FastAPI application created to demonstrate common web vulnerabilities and how to perform remediation to mitigate them. The goal is to provide a practical example of Data-Driven Development, where security audits and assessments guide the development process to improve application security.
- FastAPI application with endpoints vulnerable to common web attacks.
- Vulnerability analysis using tools such as pip-audit, Bandit, Trivy, and other security tools.
- Practical demonstration of vulnerabilities and their corresponding remediation.
- Use of shift-left security practices, involving developers in security efforts from the early stages of development.
This application intentionally includes the following vulnerabilities:
- Insecure dependencies: Use of libraries with known vulnerabilities.
- Hardcoded secrets: Credentials and API keys hardcoded into the code.
- Server-Side Template Injection (SSTI): Execution of malicious code via untrusted input in templates.
- Demonstrate vulnerabilities: Show how certain configurations or lack of validation can lead to real security risks.
- Security audits: Use static and dynamic analysis tools to detect and categorize vulnerabilities.
- Remediation: Show how to apply countermeasures to mitigate or eliminate vulnerabilities by following security best practices.
- Data-Driven development: Demonstrate how security audits can guide the development cycle, integrating fixes based on concrete data.
- Shift-Left in security: Integrate security in the early stages of the development and application lifecycle (DevSecOps).
-
FastAPI: Framework used to build the web application.
-
pip-audit: Scans Python dependencies for known vulnerabilities.
-
Bandit: Static code analysis for security vulnerabilities.
-
Aqasec Trivy: Scans for vulnerabilities in containers and dependencies.
-
Fuzzy Testing: Fuzzy testing to uncover bugs and vulnerabilities.
-
OWASP Zap API Scan: Testing tool for web vulnerabilities.
-
Pre-commit: Automates security checks before each commit.
- Python 3.9+
- Astral uv
- make
- Docker
- Docker Compose
- Clone the repository:
git clone https://github.com/trottomv/python-insecure-app- Copy the
.env_tempfile to.env
cp .env_temp .envAnd update the necessary environment variables into .env file, such as:
SUPER_SECRET_NAME='John Ripper'
SUPER_SECRET_TOKEN='5u93R53Cr3tT0k3n'- Create and activate a virtual environment:
make venv
source .venv/bin/activate- Install the development dependencies:
make install_devTo run the FastAPI application locally:
make rundevThe app will be available at http://127.0.0.1:1337
To build and run the Docker image of the application:
make buildSet the APP_IMAGE environment variable in the .env file:
APP_IMAGE=python-insecure-app:latestThen, run the application using Docker Compose:
docker compose up- Quick tests with coverage report
make quicktest- Check dependencies and common security issue
make auditIn this step, pip-audit and bandit will scan the project for known vulnerabilities in your Python dependencies and perform static code analysis to detect potential security flaws in your code. pip-audit checks for outdated or vulnerable packages, while bandit analyzes the codebase for common security issues such as hardcoded secrets, improper exception handling, and unsafe configurations.
make rundev
make fuzzytestIn this step, schemathesis will be used to perform fuzzy testing on your API endpoints. Schemathesis generates random, unexpected, and malformed inputs based on the OpenAPI specification of your application. This allows for the discovery of edge cases, bugs, and vulnerabilities that traditional unit tests might miss. By executing these tests, you can uncover issues such as improper input validation, crashes, or unhandled exceptions that could lead to security risks or degraded performance.
In this step, a Docker image of the application will be built, and Trivy will perform a vulnerability scan on the image. Trivy checks for known vulnerabilities in the base image, OS packages, application dependencies and Dockerfile misconfigurations. It identifies any critical, high, or medium security risks that could be present in your containerized application, such as outdated or insecure libraries, misconfigurations, or weak security settings. The results will help guide remediation efforts to secure the Docker environment and dependencies.
We have four different Dockerfiles:
Dockerfile: The default Dockerfile that uses python:debian base image.Dockerfile.alpine: A Dockerfile that uses python:alpine base image.Dockerfile.distroless: A Dockerfile that uses python:distroless base image.Dockerfile.wolfi: A Dockerfile that uses python:wolfi base image.
- Vulnerability Assessment for debian
make build
make vuln_assessment- Vulnerability Assessment for alpine
make build_alpine
make vuln_assessment tag=alpine- Vulnerability Assessment for distroless
make build_distroless
make vuln_assessment tag=distroless- Vulnerability Assessment for wolfi
make build_wolfi
make vuln_assessment tag=wolfimake verify_distroless_provenancemake rundev
make pentestIn this step, we use OWASP ZAP API Scan to conduct a penetration test on the running application. OWASP ZAP (Zed Attack Proxy) is a widely used open-source tool for finding vulnerabilities in web applications. By configuring ZAP to perform automated scanning and manual testing, you can identify security weaknesses such as cross-site scripting (XSS), SQL injection, and security misconfigurations. The results will provide insights into potential vulnerabilities that may need remediation, helping to strengthen the overall security posture of the application.
- Install pre-commit
pre-commit install- Run pre-commit
make precommit- Update pre-commit
make precommit_update