An Application Security Challenge Platform for Texas State University's 2025 BokoHacks
This project is a deliberately vulnerable web application designed to help students learn about common web security vulnerabilities through hands-on practice. It includes various challenges focusing on SQL injection, XSS (Cross-Site Scripting), access control vulnerabilities, and authentication bypass techniques.
- Python 3.8 or higher → Download Python
- Pip (Python package installer)
- SQLite → Download SQLite (optional, only if you want the binaries; otherwise the dependencies should install automatically)
- Modern web browser (Chrome/Firefox recommended)
- Text editor or IDE (VS Code recommended) → VS Code Setup
- Clone the repository:
git clone https://github.com/Nick4453/Boko-Hacks-2025.git
cd Boko-Hacks-2025
- Git Setup (For Beginners)
- Install Git
- Download and install Git from git-scm.com
- After installation, verify Git is installed by running the following in a command prompt:
git --version
- Configure Git (Required for First-Time Users): Run the following commands to set your username and email (needed for commits):
git config --global user.name "Your Name"
git config --global user.email "you@example.com"
To check your Git settings:
git config --list
- Using Git with HTTPS (Easiest for Beginners)
- Clone repositories using HTTPS (no extra setup required):
git clone https://github.com/Nick4453/Boko-Hacks-2025.git
- If prompted for credentials frequently, enable Git's credential cache:
git config --global credential.helper cache
- Setting Up Git in VS Code
- Open VS Code and install the Git Extension (built-in for most versions).
- Open terminal in VS Code and check Git is recognized:
git --version
- Set VS Code as your default Git editor:
git config --global core.editor "code --wait"
- Create and activate a virtual environment (recommended): (You can also do this through VS Code)
# Windows
python -m venv .venv
.venv\Scripts\activate
# Mac/Linux
python3 -m venv .venv
source .venv/bin/activate
VS Code Setup ---> https://code.visualstudio.com/docs/python/environments
- Install dependencies:
pip install -r requirements.txt
- Initialize the database: (You may not need to do this step; if it doesn't work, check that your env path is correct)
python -c "from app import app, setup_database; app.app_context().push(); setup_database()"
- Start the application:
python app.py
- Open http://localhost:5000 in your browser
- Shut Down the Application: To stop the application, press Ctrl + C in the terminal where the application is running. This will terminate the Flask server.
If you're new to web application security testing, here are some resources to help you understand the vulnerabilities you might encounter:
- OWASP Top 10 - The standard awareness document for web application security
- PortSwigger Web Security Academy - Free, online web security training
- SQL Injection Cheat Sheet
- XSS Cheat Sheet
- PayloadsAllTheThings - A list of useful payloads for bypassing security controls
- The application uses Flask for the backend
- SQLite databases store application data
- Frontend uses vanilla JavaScript and CSS
- All vulnerabilities are intentional for educational purposes
This application contains intentional security vulnerabilities for educational purposes. DO NOT:
- Use real credentials or sensitive information while testing
- Deploy this application on a public network or server
- Use techniques learned here against real websites without explicit permission
NOTE: IF YOU USE REAL CREDENTIALS, I.E. PASSWORDS YOU ACTUALLY USE, WHEN YOU UPLOAD YOUR REPO, THE DATABASE WILL BE PUBLIC. THIS DATABASE CAN BE CONVERTED EASILY ONLINE UNLESS ENCRYPTED
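The risk in the note above can be checked before pushing. The following script is an added example, not part of the BokoHacks project: it finds SQLite files by their 16-byte header rather than by extension and reports the ones Git tracks. The function names and the skipped directory names are assumptions.

```python
"""Find SQLite database files in a working tree and report which ones Git tracks."""
import os
import subprocess
import sys

SQLITE_MAGIC = b"SQLite format 3\x00"          # first 16 bytes of every SQLite 3 file
SKIP_DIRS = {".git", ".venv", "__pycache__"}   # assumed directory names, adjust as needed


def find_sqlite_files(root):
    """Return relative paths of files under root that start with the SQLite header."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(16) == SQLITE_MAGIC:
                        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)


def git_tracked(root):
    """Return the set of paths Git tracks under root, or None if Git cannot be queried."""
    try:
        out = subprocess.run(["git", "-C", root, "ls-files", "-z"],
                             capture_output=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {p.decode("utf-8", "replace") for p in out.split(b"\0") if p}


def check(root="."):
    """Return the SQLite files that would be published with the repository."""
    found = find_sqlite_files(root)
    tracked = git_tracked(root)
    # If Git cannot be queried, treat every database file as at risk.
    return found if tracked is None else [p for p in found if p in tracked]


if __name__ == "__main__":
    at_risk = check(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in at_risk:
        print(f"tracked SQLite database: {path}")
    sys.exit(1 if at_risk else 0)
```

Run it from the repository root before a push; a non-zero exit status means at least one database file is tracked and would be uploaded.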
MIT License - See LICENSE file for details