Vulnerable Agentic Agent: Educational OWASP Top 10 Platform

Overview

The Vulnerable Agentic Agent is an intentionally insecure educational platform designed to demonstrate OWASP Top 10 2021 security vulnerabilities. This project serves as a comprehensive learning tool for understanding web application security, penetration testing methodologies, and secure coding practices in a controlled environment.

⚠️ WARNING: This application is intentionally vulnerable for educational purposes. DO NOT use with real data or in production environments.

Learning Objectives

Understand Common Vulnerabilities: Learn how OWASP Top 10 vulnerabilities are introduced and exploited
Practice Exploitation: Test various attack vectors in a safe, controlled environment
Learn Secure Coding: See examples of secure alternatives and best practices
Develop Security Mindset: Think like a security researcher and understand attack methodologies

Quick Start

Prerequisites

Python 3.7+
pip (Python package manager)
Web browser
Terminal/Command Prompt

Installation & Setup

Clone the Project

git clone https://github.com/not2cleverdotme/Agent_OWASP.git
cd Agent_OWASP

Create Virtual Environment

python3 -m venv venv
source venv/bin/activate  # On macOS/Linux
# or venv\Scripts\activate on Windows

Install Dependencies
```
pip install -r requirements.txt
```
Run the Application
```
python app.py
```
Access the Application
- Open your browser to http://localhost:8080
- Navigate through the interactive tabs to test vulnerabilities

Implemented Vulnerabilities

A01:2021 - Broken Access Control

Status: ✅ Implemented Location: Multiple endpoints Vulnerability: No proper authorization checks Exploitation:

# Access debug information without authentication
curl "http://localhost:8080/api/debug"

# Access user data without authentication
curl "http://localhost:8080/api/user_data?user_id=1"

A02:2021 - Cryptographic Failures

Status: ✅ Implemented Location: weak_encrypt(), weak_decrypt(), password hashing Vulnerability: Weak encryption and hashing algorithms Issues:

Base64 encoding instead of proper encryption
MD5 password hashing (easily crackable)
Weak JWT secret

A03:2021 - Injection

Status: ✅ Implemented Location: /api/user_data, /api/execute Vulnerability: SQL and Command Injection

SQL Injection Examples

# Basic SQL injection
curl "http://localhost:8080/api/user_data?user_id=1%20OR%201=1"

# Union attack
curl "http://localhost:8080/api/user_data?user_id=1%20UNION%20SELECT%20*%20FROM%20users%20--"

# Drop table attack
curl "http://localhost:8080/api/user_data?user_id=1;%20DROP%20TABLE%20users;%20--"

Command Injection Examples

# Basic command execution
curl -X POST http://localhost:8080/api/execute \
  -H "Content-Type: application/json" \
  -d '{"command": "whoami"}'

# Multiple commands
curl -X POST http://localhost:8080/api/execute \
  -H "Content-Type: application/json" \
  -d '{"command": "ls -la; cat /etc/passwd"}'

A05:2021 - Security Misconfiguration

Status: ✅ Implemented Location: /api/debug, app configuration Vulnerability: Debug mode enabled, exposed secrets Exposed Information:

Database path
Admin credentials
JWT secret
Secret key
Environment variables
Server information

A07:2021 - Authentication Failures

Status: ✅ Implemented Location: /login, session management Vulnerability: Weak authentication mechanisms Issues:

Weak password (admin123)
No rate limiting
No session timeout
Hardcoded credentials

A10:2021 - Server-Side Request Forgery (SSRF)

Status: ✅ Implemented Location: /api/fetch_url Vulnerability: Unvalidated URL fetching Exploitation:

# Access internal services
curl -X POST http://localhost:8080/api/fetch_url \
  -H "Content-Type: application/json" \
  -d '{"url": "http://localhost:8080/api/debug"}'

# Port scanning attempt
curl -X POST http://localhost:8080/api/fetch_url \
  -H "Content-Type: application/json" \
  -d '{"url": "http://127.0.0.1:22"}'

Vulnerability Walkthrough

1. SQL Injection Walkthrough

Objective: Extract sensitive data from the database

Steps:

Go to the “Vulnerability Tests” tab
In the SQL Injection section, try these payloads:
- 1 OR 1=1 - Get all data
- 1 UNION SELECT * FROM users -- - Get user table
- 1; DROP TABLE users; -- - Drop table (destructive)

What to Learn:

How SQL injection works
Why parameterized queries are important
Impact of unauthorized data access

2. Command Injection Walkthrough

Objective: Execute system commands

Steps:

Go to the “Vulnerability Tests” tab
In the Command Injection section, try these commands:
- whoami - Check current user
- ls -la - List files
- ls -la; cat /etc/passwd - Multiple commands

What to Learn:

How command injection works
Importance of input validation
Dangers of shell=True

3. SSRF Walkthrough

Objective: Access internal services

Steps:

Go to the “Vulnerability Tests” tab
In the SSRF section, try these URLs:
- http://localhost:8080/api/debug - Internal debug info
- http://127.0.0.1:22 - Port scanning
- file:///etc/passwd - File reading

What to Learn:

How SSRF works
Importance of URL validation
Internal service exposure risks

4. Weak Authentication Walkthrough

Objective: Bypass authentication

Steps:

Go to the “Login” tab
Try these credentials:
- Username: admin, Password: admin123 (should work)
- Username: admin, Password: wrong (should fail)

What to Learn:

Weak password policies
Importance of strong authentication
Session management issues

Secure Alternatives

SQL Injection Prevention

# VULNERABLE
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# SECURE
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

Command Injection Prevention

# VULNERABLE
subprocess.check_output(command, shell=True)

# SECURE
subprocess.check_output(['ls', '-la'], shell=False)

Authentication Security

# VULNERABLE
if password == "admin123":

# SECURE
if bcrypt.verify(password, hashed_password):

Input Validation

# VULNERABLE
def weak_encrypt(data):
    return base64.b64encode(data.encode()).decode()

# SECURE
from cryptography.fernet import Fernet
def secure_encrypt(data):
    key = Fernet.generate_key()
    f = Fernet(key)
    return f.encrypt(data.encode())

Educational Value

For Developers

Understand Common Vulnerabilities: Learn how vulnerabilities are introduced
Secure Coding Practices: See examples of secure alternatives
Input Validation: Importance of validating all inputs
Authentication Security: Proper authentication implementation
Encryption: Strong encryption algorithms and practices

For Security Researchers

Exploitation Techniques: Practice various attack methods
Vulnerability Assessment: Identify and categorize vulnerabilities
Penetration Testing: Learn systematic testing approaches
Security Tools: Use various tools for vulnerability discovery

For Students

OWASP Top 10: Understand the most critical web vulnerabilities
Real-world Examples: See vulnerabilities in action
Defense Strategies: Learn how to prevent vulnerabilities
Security Mindset: Develop security-conscious thinking

Testing Tools

1. Basic Functionality Test

python test_app.py

2. Exploitation Demonstration

python exploit_demo.py

3. Manual Testing via Web Interface

Open http://localhost:8080 in browser
Use the interactive tabs to test vulnerabilities
Try different payloads in the input fields

Vulnerability Impact Assessment

Vulnerability	Impact	Difficulty	Exploitability
SQL Injection	High	Low	Easy
Command Injection	Critical	Low	Easy
SSRF	Medium	Medium	Moderate
Weak Authentication	High	Low	Easy
Debug Exposure	Medium	Low	Easy
File Upload	High	Medium	Moderate

Safety Guidelines

Important Reminders

Educational Purpose Only
- This application is intentionally vulnerable
- Use only for learning and testing
- Never use with real data
Isolated Environment
- Run in controlled, isolated environments
- Don’t connect to real services
- Use only test data
Responsible Usage
- Don’t use for malicious purposes
- Respect ethical boundaries
- Learn to build secure applications
Regular Updates
- Keep dependencies updated in real applications
- Follow security best practices
- Stay informed about new vulnerabilities

Additional Resources

OWASP Resources

Similar Projects

Learning Resources

Remember: This application is intentionally vulnerable. Use it only for educational purposes in controlled environments. The knowledge gained should be used to build more secure applications.

GitHub Repository: Agent_OWASP