Totally Insecure Web Application Project

Index Page

Due to vast evolvement of web technologies and design methodologies, the developers thought of creating a web security lab which is highly vulnerable to most of the common attack methods. TIWAP is a web application designed for beginners in web application security who want to learn and explore this field, thus made for educational purposes only. It focuses on 20 vulnerabilities, each having 3 levels of difficulty.

These vulnerabilities are found on most of the modern web applications which arise due to lack of secure coding practices and common methods being ignored by the developers.

The Tech Stack

Most of the web applications these days are using stacks like MERN, MEAN, LAMP, etc. But to stick with the basics the developers aimed to use Flask with HTML/CSS to create this application. Since the application is made for learning purposes, no modern technologies can be seen in the development of this application.

The complete tech stack is:

Front-End: HTML, CSS and JavaScript

Back-End: Flask

Databases: SQLite3 and MongoDB

Deployment: Docker

Though the stack is simple, the users can expect some modernization in the upcoming version which might be focusing on vulnerabilities in various web frameworks/libraries.

Setup and Installation

Most of the labs require a lot of things to be installed and set up as a prerequisite for installing the main lab. To keep things simple, we have used docker and docker-compose so that all you need is run a single command and your lab is up and running.

As for the initial release, the lab works on Linux based Operating Systems only. Support for Windows will be released soon.

To install docker and docker compose refer the links below:

Docker: https://docs.docker.com/engine/install/

Docker-Compose: https://docs.docker.com/compose/install/

Once you have these two installed, all you need is to run the commands below:

git clone https://github.com/tombstoneghost/TIWAP


docker-compose up

Output: docker-compose up



So much to exploit in a single application? Yes, indeed. As mentioned before, this application has 20 vulnerabilities and each has 3 levels of difficulty. The developers had an aim for the users to learn as much as they want and therefore they have released the first version with the most common and known vulnerabilities.

The complete list of vulnerabilities is below.


You might have heard or read about these vulnerabilities, but now you have a complete lab to learn how these vulnerabilities are generated and exploited.

Walk Around the Lab

As we are now in the lab, there are a few more things which could be useful while working on the same.

The dashboard is the main page you’ll see once you are logged in. This page contains all the vulnerabilities available. All you need is to just click the tile and you are redirected to the web page.


The settings page is the one which will be used a lot by the users while working as they might need to reset the complete databases or even change the difficulty levels.


The very first thing you’ll see in the settings page is the description of all difficulty levels. Each level of difficulty is well-defined so that the user can easily understand each level.

As per requirement, the user can change the level from the given drop down menu. There are a few vulnerabilities in which the UI changes when you change the difficulty level, eg. SQL Injection

Moving further, you have the ResetDB button. This feature has been designed to reset the complete database back to its original form as there are vulnerabilities in which you are interacting with the database.

Final Words

As mentioned before, this application was made for beginners to start learning about web application security and with the same aim, the developers have developed it. It provides a very user-friendly environment so that one doesn’t need to hazel around while working on the same.

We hope you love this lab and in case you would like to contribute, this project is open-source and open to contribute. You can check the Read Me file available on the GitHub repository if you want to contribute.

Link to project: GitHub

Happy Hacking :)

Student | Cyber Security Enthusiast | CTF Player | Full Stack Developer