A comprehensive Flask web application demonstrating secure file upload and access controls with extensive security testing to identify and prevent common web application vulnerabilities.
⚠️ Educational Purpose: This application is designed for learning and security testing. Implement additional security measures for production environments.
- Overview
- Features
- Security Implementations
- Prerequisites
- Installation
- Usage
- API Endpoints
- Testing
- Project Structure
- Configuration
- Contributing
- License
- Resources
This Flask application serves as an educational platform for understanding web application security vulnerabilities and secure coding practices. It demonstrates proper implementation of:
- ✅ Authentication & Session Management
- ✅ Secure File Upload Handling
- ✅ Path Traversal Protection
- ✅ Input Validation & Sanitization
- ✅ Access Control Mechanisms
| Goal | Description |
|---|---|
| 🎓 Educational | Demonstrate common security vulnerabilities and their mitigation strategies |
| 🧪 Testing | Provide comprehensive security testing framework with real-world attack scenarios |
| 🏆 Best Practices | Showcase Flask security implementation patterns following OWASP guidelines |
| 📚 Documentation | Serve as a reference for secure web application development |
- 🔐 Secure Authentication System with session management
- 📤 File Upload with validation and sanitization
- 📁 File Management (view, download, list files)
- 🛡️ Security Headers implementation
- 🎨 Template-based UI using Jinja2
- ⚡ Flash Messaging system for user feedback
- ✅ Authentication Required for all file operations
- ✅ File Type Validation (configurable allowed extensions)
- ✅ File Size Limits (16MB default)
- ✅ Path Traversal Protection
- ✅ Filename Sanitization
- ✅ Security Headers (XSS, CSRF, Clickjacking protection)
- ✅ Input Validation and error handling
| Security Measure | Implementation | OWASP Category | Status |
|---|---|---|---|
| Authentication | Session-based login with login_required decorator |
A07:2021 - Auth Failures | ✅ Implemented |
| Path Traversal Protection | is_safe_path() validation |
A01:2021 - Broken Access | ✅ Implemented |
| File Type Validation | Extension whitelist (.txt, .pdf, .png, etc.) |
A03:2021 - Injection | ✅ Implemented |
| File Size Limits | 16MB maximum upload size | A04:2021 - Insecure Design | ✅ Implemented |
| Filename Sanitization | secure_filename() from Werkzeug |
A03:2021 - Injection | ✅ Implemented |
| Security Headers | X-Frame-Options, X-XSS-Protection, HSTS |
A05:2021 - Security Config | ✅ Implemented |
| Input Validation | Form data validation and error handling | A03:2021 - Injection | ✅ Implemented |
| Session Security | Cryptographic secret key with secrets.token_hex() |
A07:2021 - Auth Failures | ✅ Implemented |
Before you begin, ensure you have the following installed:
- Python: 3.8 or higher (Download Python)
- pip: Python package installer (included with Python 3.4+)
- Git: Version control system (Download Git)
python --version # Should show Python 3.8+
pip --version # Should show pip versiongit clone <repository_url>
cd flask_file_exposure_testingmacOS/Linux:
python3 -m venv venv
source venv/bin/activateWindows:
python -m venv venv
venv\Scripts\activatepip install -r requirements.txtOr install manually:
pip install flask werkzeugpython -c "import flask; print(f'Flask {flask.__version__} installed successfully')"Development Mode:
python app.pyThe application will be available at: http://localhost:5000
Production Mode (with Gunicorn):
pip install gunicorn
gunicorn -w 4 -b 0.0.0.0:5000 app:app| Field | Value |
|---|---|
| Username | admin |
| Password | secure_password_123 |
🔐 Security Note: Change default credentials before any production deployment.
graph LR
A[Access App] --> B[Login]
B --> C[Dashboard]
C --> D[Upload Files]
C --> E[List Files]
C --> F[View/Download]
C --> G[Logout]
- Login: Navigate to
http://localhost:5000/loginand enter credentials - Upload Files: Use the secure upload form with allowed file types
- Manage Files: View list of uploaded files at
/list-files - View Content: View text file content directly in browser
- Download: Download files securely via
/files/<filename> - Logout: Clear session and return to login page
# Start the application
python app.py
# In another terminal, test with curl
curl -c cookies.txt -X POST http://localhost:5000/login \
-d "username=admin&password=secure_password_123"
# Upload a file
curl -b cookies.txt -F "[email protected]" http://localhost:5000/upload
# List files
curl -b cookies.txt http://localhost:5000/list-filesThe project includes comprehensive security testing through app_test.py using Python's unittest framework.
Execute all security tests:
python app_test.pyRun specific test:
python -m unittest app_test.TestFlaskApp.test_path_traversal_vulnerabilityRun with verbose output:
python -m unittest app_test.TestFlaskApp -v| Test Suite | Description | Attack Vectors Tested |
|---|---|---|
| Authentication Tests | Validates login/logout functionality | Invalid credentials, session management, protected routes |
| Path Traversal Tests | Tests directory traversal prevention | ../, ../../etc/passwd, source code access |
| File Upload Tests | Tests malicious file upload prevention | .php, .exe, oversized files, invalid types |
| File Access Tests | Tests unauthorized file access | Direct URL access, system files, cross-user access |
| Protected File Tests | Comprehensive access control testing | Auth bypass, privilege escalation |
=== AUTHENTICATION SECURITY TEST ===
Invalid login test - Status: 200
✅ SECURE: Invalid credentials properly rejected
Valid login test - Status: 200
✅ SECURE: Valid credentials accepted
✅ SECURE: Protected routes accessible after authentication
=== PATH TRAVERSAL SECURITY TEST ===
✅ SECURE: Unauthenticated access properly blocked
✅ SECURE: System file ../app.py access blocked
✅ SECURE: System file ../../etc/passwd access blocked
✅ OVERALL: All system file access properly blocked
.....
----------------------------------------------------------------------
Ran 5 tests in 0.234s
OK
| Vulnerability Type | Status | Test Method |
|---|---|---|
| Authentication Bypass | ✅ Prevented | test_authentication_system |
| Path Traversal | ✅ Prevented | test_path_traversal_vulnerability |
| Malicious File Upload | ✅ Prevented | test_file_upload_vulnerability |
| Unauthorized File Access | ✅ Prevented | test_direct_file_access_vulnerability |
| Session Hijacking | ✅ Prevented | Session security validation |
| Directory Listing | ✅ Prevented | Access control tests |
Add to .github/workflows/security-tests.yml:
name: Security Tests
on: [push, pull_request]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.8'
- name: Install dependencies
run: pip install flask werkzeug
- name: Run security tests
run: python app_test.py| Endpoint | Method | Auth Required | Description |
|---|---|---|---|
/ |
GET | ✅ Yes | Dashboard/home page |
/login |
GET, POST | ❌ No | User authentication |
/logout |
GET | ✅ Yes | User logout |
/upload |
POST | ✅ Yes | File upload handler |
/list-files |
GET | ✅ Yes | List uploaded files |
/files/<filename> |
GET | ✅ Yes | Download file |
/view/<filename> |
GET | ✅ Yes | View file content |
flask_file_exposure_testing/
├── 📄 app.py # Main Flask application with security implementations
├── 📄 app_test.py # Comprehensive security test suite
├── 📄 README.md # Project documentation (this file)
├── 📄 project_brief.md # Project overview and objectives
├── 📄 LICENSE # MIT License
├── 📄 .gitignore # Git ignore rules
├── 📁 templates/ # Jinja2 HTML templates
│ ├── 📄 login.html # Authentication page
│ ├── 📄 index.html # Dashboard with upload form
│ ├── 📄 list_files.html # File listing interface
│ ├── 📄 view_file.html # Text file viewer
│ ├── 📄 error.html # Generic error page
│ └── 📄 cannot_view_file.html # Non-text file error handler
├── 📁 uploaded_files/ # Secure storage for user uploads
├── 📁 files_to_upload/ # Sample files for testing
├── 📁 reports/ # Security assessment reports
│ ├── 📄 security_report.md # Initial security analysis
│ └── 📄 security_improvements_report.md
├── 📁 screenshots/ # Application screenshots
└── 📁 __pycache__/ # Python bytecode cache
Edit app.py to customize:
# File upload configuration
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'docx'}
MAX_FILE_SIZE = 16 * 1024 * 1024 # 16MB
# Upload directory
UPLOAD_FOLDER = './uploaded_files'
# Authentication (⚠️ Change in production!)
VALID_CREDENTIALS = {
'admin': 'secure_password_123'
}X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000# Development mode (enables debug, auto-reload)
export FLASK_ENV=development
export FLASK_APP=app.py
# Production mode
export FLASK_ENV=production
export FLASK_APP=app.pyTo allow additional file types, modify ALLOWED_EXTENSIONS in app.py:
ALLOWED_EXTENSIONS = {
'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'docx',
'csv', 'json', 'xml' # Add your extensions here
}The application uses Jinja2 templating:
| Template | Purpose | Key Features |
|---|---|---|
login.html |
User authentication | Flash messages, demo credentials display |
index.html |
Main dashboard | File upload form, security info panel |
list_files.html |
File management | Dynamic listing, download/view actions |
view_file.html |
Content viewer | Syntax-highlighted text display |
error.html |
Error handling | Customizable messages, navigation |
cannot_view_file.html |
File type errors | Non-text file handling |
Contributions are welcome! Please follow these guidelines:
-
Fork the repository
gh repo fork GH_USERNAME/flask_file_exposure_testing # or use the GitHub web interface -
Clone your fork
git clone https://github.com/GH_USERNAME/flask_file_exposure_testing.git cd flask_file_exposure_testing -
Create a feature branch
git checkout -b feature/your-feature-name # or: git checkout -b fix/bug-description -
Make your changes
- Write clean, documented code
- Add tests for new features
- Update documentation as needed
-
Test your changes
python app_test.py # Ensure all tests pass -
Commit with clear messages
git add . git commit -m "feat: add new security validation for file uploads" # Use conventional commits: feat, fix, docs, test, refactor
-
Push and create Pull Request
git push origin feature/your-feature-name # Then open a PR on GitHub
- ✅ Follow PEP 8 style guidelines
- ✅ Write security tests for new features
- ✅ Update documentation for API/feature changes
- ✅ Ensure all existing tests pass
- ✅ Add type hints where applicable
- ✅ Keep commits atomic and well-described
# Format code with black (optional)
pip install black
black app.py app_test.py
# Check with flake8 (optional)
pip install flake8
flake8 app.py --max-line-length=100When reporting bugs or security vulnerabilities:
- Search existing issues to avoid duplicates
- Provide detailed information: Python version, OS, error messages
- Include steps to reproduce the issue
- For security issues: Email privately to [email protected] (if applicable)
This project is licensed under the MIT License - see the LICENSE file for full details.
- 📘 Flask Security Documentation
- 📘 OWASP Top 10 Web Application Security Risks
- 📘 OWASP File Upload Cheat Sheet
- 📘 Werkzeug Security Utilities
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Report vulnerabilities privately via GitHub Security Advisories
This application is designed for security education and testing. Always implement additional security measures (HTTPS, rate limiting, CAPTCHA, database authentication, etc.) for production environments.
Made with ❤️ for web security education