TIWAP
Totally Insecure Web Application Project
With the rapid evolution of web technologies and design methodologies, the developers decided to create a web security lab that is deliberately vulnerable to most of the common attack methods. TIWAP is a web application designed for beginners in web application security who want to learn and explore this field, and is therefore made for educational purposes only. It focuses on 20 vulnerabilities, each with 3 levels of difficulty.
These vulnerabilities are found in many modern web applications and arise from a lack of secure coding practices and from common safeguards being ignored by developers.
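As an added illustration of the kind of secure-coding gap the lab is built around (this is demonstration code written for this article, not code from TIWAP itself), the block below shows a login check against SQLite written two ways: once with the user's input concatenated straight into the SQL string, and once with bound parameters. The table layout, the sample user and the test string are all constructed for the demo, and password hashing is left out so that the query difference stays in focus.

```python
"""Added example: a string-built SQLite login next to its parameterized form.
Illustrative code only, not TIWAP's own; the users table and the sample row
are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one constructed user row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by concatenation, so user input is interpreted as SQL."""
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return db.execute(query).fetchone() is not None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver treats input as data only."""
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed test string: a tautology that closes the quoted password
    # and appends an always-true condition to the WHERE clause.
    tautology = "' OR '1'='1"
    print("vulnerable, correct creds:", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, tautology    :", login_vulnerable(db, "alice", tautology))
    print("safe, correct creds      :", login_safe(db, "alice", "s3cret"))
    print("safe, tautology          :", login_safe(db, "alice", tautology))
```

The concatenated version accepts the tautology string as a valid password because the resulting SQL reads `... AND password = '' OR '1'='1'`; the parameterized version compares the literal string against the stored password and rejects it. This is the same distinction the lab's SQL Injection exercise is meant to teach, and the fix is the one to apply in any Flask view that touches SQLite.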
The Tech Stack
Most web applications today use stacks such as MERN, MEAN or LAMP. To stick with the basics, the developers chose Flask with HTML/CSS to build this application. Since the application is made for learning purposes, no modern frameworks were used in its development.
The complete tech stack is:
Front-End: HTML, CSS and JavaScript
Back-End: Flask
Databases: SQLite3 and MongoDB
Deployment: Docker
Though the stack is simple, users can expect some modernization in the upcoming version, which may focus on vulnerabilities in various web frameworks and libraries.
Setup and Installation
Most labs require many prerequisites to be installed and set up before the lab itself can be installed. To keep things simple, we have used Docker and docker-compose, so all you need is to run a single command and your lab is up and running.
For the initial release, the lab works on Linux-based operating systems only. Support for Windows will be released soon.
To install Docker and docker-compose, refer to the links below:
Docker: https://docs.docker.com/engine/install/
Docker-Compose: https://docs.docker.com/compose/install/
Once you have these two installed, all you need is to run the commands below:
git clone https://github.com/tombstoneghost/TIWAP
cd TIWAP
docker-compose up
Vulnerabilities
So much to exploit in a single application? Yes, indeed. As mentioned before, this application has 20 vulnerabilities, each with 3 levels of difficulty. The developers' aim is for users to learn as much as they want, so the first version ships with the most common and well-known vulnerabilities.
The complete list of vulnerabilities is below.
You might have heard or read about these vulnerabilities, but now you have a complete lab for learning how they arise and how they are exploited.
Walk Around the Lab
Now that we are in the lab, there are a few more things that will be useful while working with it.
Dashboard
The dashboard is the main page you’ll see once you are logged in. It lists all the available vulnerabilities; click a tile and you are redirected to that vulnerability's page.
Settings Page
The settings page is one users will visit a lot while working, since they may need to reset the databases or change the difficulty level.
The first thing you’ll see on the settings page is a description of all the difficulty levels. Each level is well-defined so that the user can easily understand what it involves.
As required, the user can change the level from the drop-down menu. For a few vulnerabilities the UI changes when you change the difficulty level, e.g. SQL Injection.
Next is the ResetDB button. It resets the complete database to its original state, which matters because several vulnerabilities have you modifying the database.
Final Words
As mentioned before, this application was made so that beginners can start learning about web application security, and the developers built it with that aim. It provides a user-friendly environment so that one doesn’t need to fumble around while working with it.
We hope you love this lab. If you would like to contribute, this project is open source and open to contributions; see the README file in the GitHub repository for details.
Looking for a Walkthrough?
After working on the application, I started working on its walkthrough, which took me a lot of time, and many bugs were found while solving the labs. Most of the bugs have been fixed by now and some are still under review.
You can find the solutions to all the labs, including the fixed ones, on my personal portfolio; direct URLs to the walkthroughs are given below.
Link to project: GitHub
Happy Hacking :)