Python

Django is a widely used server-side web framework written in Python.

Popularity: According to StackOverflow’s 2022 Developer Survey, Django is the #1 most popular Python framework that can be used to build web applications or APIs.

  • Description: A vulnerable Django app based on the Django Polls tutorial. It contains a few XSS/SQLi issues and turns off the built-in protections that would otherwise prevent them.
  • Source Code: https://github.com/vulnerable-apps/vuln_django_play
  • Credentials: None
```bash
git clone https://github.com/vulnerable-apps/vuln_django_play.git
cd vuln_django_play
docker compose up --build
# Create App and Target
URL=http://127.0.0.1:8020
APP="dvpwa"
nightvision target create $APP $URL --type web
# Run the scan
nightvision scan $APP
```

Flask is a microframework for building web applications and APIs with Python.

Popularity: According to StackOverflow’s 2022 Developer Survey, Flask is the second most popular Python framework that can be used to build web applications or APIs.

```bash
git clone https://github.com/vulnerable-apps/Remediation-Demo
# git clone creates the directory with the repository's exact name,
# which matters on case-sensitive filesystems
cd Remediation-Demo
# Run the application
docker-compose up -d
# Run a scan
nightvision target create remediation-demo http://127.0.0.1:5000 --type api
nightvision swagger extract . -t remediation-demo --lang python
nightvision scan remediation-demo
```

Note: you can run the check-endpoint.sh script to see a demonstration of the vulnerabilities.

To see a remediation change with most vulnerabilities resolved, check out the fix branch and run a new scan:

```bash
git checkout fix
nightvision scan remediation-demo
```
  • Description: “Damn Vulnerable Python Web App” - A Flask application that is vulnerable by design. It contains Cross-Site Scripting and SQL Injection.
  • Source Code: https://github.com/vulnerable-apps/dvpwa.git
  • Credentials:
    • Username: superadmin
    • Password: superadmin
```bash
git clone https://github.com/vulnerable-apps/dvpwa.git
cd dvpwa
# Start the app
docker-compose up -d
# Record authentication
# After executing this command, simply close the browser windows
# that were opened automatically
URL="http://127.0.0.1:8080"
APP="dpwa"
nightvision target create $APP $URL --type api
nightvision auth playwright create $APP $URL
# Run the scan
nightvision scan $APP --auth $APP
```