Skip to content

UdayKumar5313/secure-blog-app

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
templates
templates
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
app.py
app.py
 
 

Repository files navigation

Secure Blog Application in Flask

Python Flask License

This project is a simple, database-driven blog application built with Python and the Flask web framework. It was developed as a portfolio piece to demonstrate secure coding practices and the remediation of a critical web vulnerability.

The application was intentionally built with an SQL Injection (SQLi) vulnerability for educational purposes. It was then patched to demonstrate the correct, secure way to handle database queries.

This application is the target for its companion project, the SQL Injection Vulnerability Scanner.

Project Purpose

The goal of this project is to showcase a full security lifecycle:

  1. Building a functional web application.
  2. Identifying a critical security flaw (SQLi).
  3. Remediating the flaw using industry-standard best practices.
  4. Verifying the fix.

Security Vulnerability & Fix

  • Vulnerability: The initial version of the application passed user input from a search form directly into an SQL query using an f-string. This allowed an attacker to inject malicious SQL syntax (like a single quote '), causing the database to error and proving the vulnerability.

  • Remediation: The vulnerability was patched by implementing Parameterized Queries (Prepared Statements). Instead of formatting the user input into the query string, the input is passed as a separate parameter to the database driver. The driver then safely handles the input, preventing any malicious characters from affecting the SQL command's structure.

    Vulnerable Code:

    query = f"SELECT * FROM post WHERE title LIKE '%{query_param}%'"
cursor.execute(query)

    Secure Code:

    query = "SELECT * FROM post WHERE title LIKE ?"
cursor.execute(query, (f'%{query_param}%',))

How to Run

  1. Clone the repository and cd into it.
  2. Create and activate a virtual environment (venv).
  3. Install dependencies: pip install -r requirements.txt (Note: You will need to create a requirements.txt file with the content Flask and Flask-SQLAlchemy.)
  4. Initialize the database: flask shell then db.create_all() and exit().
  5. Run the application: flask run. The app will be available at http://127.0.0.1:5000.

License

This project is licensed under the MIT License.

About

A Flask web application built to demonstrate and remediate a common SQL Injection vulnerability

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages