A comprehensive Flask web application designed to demonstrate secure file upload and access controls, with extensive security testing to identify and prevent common web application vulnerabilities.
- Project Overview
- Features
- Security Implementations
- Project Structure
- Installation & Setup
- Usage
- Testing Implementation
- Security Tests
- API Endpoints
- Templates
- Configuration
- Contributing
- License
This Flask application serves as an educational platform for understanding web application security vulnerabilities and secure coding practices. It demonstrates proper implementation of:
- Authentication & Session Management
- Secure File Upload Handling
- Path Traversal Protection
- Input Validation & Sanitization
- Access Control Mechanisms
- Educational: Demonstrate common security vulnerabilities and their mitigation
- Testing: Provide comprehensive security testing framework
- Best Practices: Showcase Flask security implementation patterns
- Documentation: Serve as a reference for secure web development
- 🔐 Secure Authentication System with session management
- 📤 File Upload with validation and sanitization
- 📁 File Management (view, download, list files)
- 🛡️ Security Headers implementation
- 🎨 Template-based UI using Jinja2
- ⚡ Flash Messaging system for user feedback
- ✅ Authentication Required for all file operations
- ✅ File Type Validation (configurable allowed extensions)
- ✅ File Size Limits (16MB default)
- ✅ Path Traversal Protection
- ✅ Filename Sanitization
- ✅ Security Headers (XSS, CSRF, Clickjacking protection)
- ✅ Input Validation and error handling
| Security Measure | Implementation | Status |
|---|---|---|
| Authentication | Session-based login system | ✅ Implemented |
| Path Traversal Protection | `is_safe_path()` validation | ✅ Implemented |
| File Type Validation | Extension whitelist | ✅ Implemented |
| File Size Limits | 16MB upload limit | ✅ Implemented |
| Filename Sanitization | `secure_filename()` usage | ✅ Implemented |
| Security Headers | XSS, CSRF, Clickjacking | ✅ Implemented |
| Input Validation | Form data validation | ✅ Implemented |
| Error Handling | Graceful error pages | ✅ Implemented |
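The table above names the checks the upload and download handlers rely on. The following is an added example, not the project's `app.py`: it reconstructs what a path-safety check, an extension whitelist, a size limit and a filename sanitizer look like when combined into one validation step. The project's real `is_safe_path()` signature is not shown on this page, so the signature here, the `UPLOAD_DIR` location and the `sanitize_filename()` stand-in for Werkzeug's `secure_filename()` are all assumptions; the constants mirror the README's configuration section. The sample inputs (including the `../app.py` and `../../etc/passwd` names the test output reports as blocked) are constructed.

```python
import os
import tempfile

# Values copied from the README's configuration section.
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'docx'}
MAX_FILE_SIZE = 16 * 1024 * 1024  # 16MB

# Assumption: a scratch upload directory; the project uses ./uploaded_files.
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), 'uploaded_files')


def is_safe_path(base_dir, requested_name):
    """Return the resolved path if it stays inside base_dir, else None.

    Hypothetical reconstruction of the project's is_safe_path(). realpath()
    collapses '..' segments and follows symlinks, so '../app.py' resolves
    to a location outside the upload directory and is rejected. commonpath()
    compares whole path components, so 'uploaded_files_evil' is not mistaken
    for 'uploaded_files'.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def allowed_file(filename):
    """Case-insensitive extension whitelist; a name with no dot is rejected."""
    if '.' not in filename:
        return False
    ext = filename.rsplit('.', 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def within_size_limit(size_bytes):
    """Reject empty uploads as well as anything above MAX_FILE_SIZE."""
    return 0 < size_bytes <= MAX_FILE_SIZE


def sanitize_filename(filename):
    """Minimal stand-in for werkzeug.utils.secure_filename() (assumption:
    Werkzeug may not be installed where this runs). Keeps only the last
    path component and a conservative character set, and strips leading
    dots so '..' and dotfiles collapse to nothing."""
    name = os.path.basename(filename.replace('\\', '/'))
    name = ''.join(c for c in name if c.isalnum() or c in '._-')
    name = name.strip('._')
    return name or None


def validate_upload(upload_dir, filename, size_bytes):
    """Run every check the README lists; return (ok, reason, resolved_path)."""
    clean = sanitize_filename(filename)
    if clean is None:
        return False, 'empty filename after sanitization', None
    if not allowed_file(clean):
        return False, 'extension not allowed', None
    if not within_size_limit(size_bytes):
        return False, 'file too large or empty', None
    dest = is_safe_path(upload_dir, clean)
    if dest is None:
        return False, 'path escapes upload directory', None
    return True, 'ok', dest


if __name__ == '__main__':
    # Constructed sample requests, not captured from the project.
    for name, size in [('report.pdf', 1024), ('../app.py', 10),
                       ('../../etc/passwd', 10), ('big.png', MAX_FILE_SIZE + 1)]:
        print(name, '->', validate_upload(UPLOAD_DIR, name, size)[:2])
```

Sanitization runs first so that the whitelist and path checks see the name that would actually be written to disk; `is_safe_path()` still runs on the result, because a download route that looks up `/files/<filename>` receives the raw request path and must not trust that the stored name was ever sanitized.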
```text
flask_file_exposure_testing/
├── 📄 app.py                     # Main Flask application
├── 📄 app_test.py                # Comprehensive security tests
├── 📄 README.md                  # Project documentation
├── 📄 project_brief.md           # Project overview
├── 📄 .gitignore                 # Git ignore rules
├── 📁 templates/                 # HTML templates
│   ├── 📄 login.html             # Login page template
│   ├── 📄 index.html             # Dashboard template
│   ├── 📄 list_files.html        # File listing template
│   ├── 📄 view_file.html         # File viewer template
│   ├── 📄 error.html             # Error page template
│   └── 📄 cannot_view_file.html  # File type error template
├── 📁 uploaded_files/            # User uploaded files storage
├── 📁 files_to_upload/           # Sample files for testing
├── 📁 reports/                   # Security reports and documentation
└── 📁 __pycache__/               # Python cache files
```
- Python 3.8+
- Flask 2.0+
- Werkzeug (included with Flask)
1. Clone the repository

```bash
git clone <repository-url>
cd flask_file_exposure_testing
```

2. Install dependencies

```bash
pip install flask werkzeug
```

3. Run the application

```bash
python app.py
```

4. Access the application
   - Open a browser to `http://localhost:5000`
   - Log in with the demo credentials: `admin` / `secure_password_123`

Default credentials:
- Username: `admin`
- Password: `secure_password_123`
- Login using demo credentials
- Upload Files through the secure upload form
- View Files in the file management section
- Download/View uploaded files
- Logout when finished
The project includes comprehensive security testing through `app_test.py`, using Python's `unittest` framework.

```python
def test_authentication_system(self):
    """Test the authentication system security"""
```
- Invalid credentials rejection
- Valid credentials acceptance
- Protected route access control

```python
def test_path_traversal_vulnerability(self):
    """Test path traversal attack prevention"""
```
- Unauthenticated access blocking
- Authenticated path traversal prevention
- System file access protection

```python
def test_file_upload_vulnerability(self):
    """Test file upload security measures"""
```
- Unauthenticated upload blocking
- Malicious file type rejection
- Valid file upload processing

```python
def test_direct_file_access_vulnerability(self):
    """Test file access control mechanisms"""
```
- Protected file access control
- System file protection
- Authenticated vs unauthenticated access
Execute all security tests:

```bash
python app_test.py
```

Run a specific test:

```bash
python -m unittest app_test.TestFlaskApp.test_path_traversal_vulnerability
```

Sample output:

```text
=== AUTHENTICATION SECURITY TEST ===
Invalid login test - Status: 200
✅ SECURE: Invalid credentials properly rejected
Valid login test - Status: 200
✅ SECURE: Valid credentials accepted
✅ SECURE: Protected routes accessible after authentication

=== COMPREHENSIVE SECURITY TEST ===
Unauthenticated access to protected file - Status: 302
✅ SECURE: Unauthenticated access properly blocked
✅ SECURE: System file ../app.py access blocked
✅ SECURE: System file ../../etc/passwd access blocked
✅ OVERALL: All system file access properly blocked
```
| Test Name | Description | Expected Result |
|---|---|---|
| `test_authentication_system` | Validates login/logout functionality | ✅ Pass |
| `test_path_traversal_vulnerability` | Tests directory traversal attacks | ✅ Pass |
| `test_file_upload_vulnerability` | Tests malicious file upload prevention | ✅ Pass |
| `test_direct_file_access_vulnerability` | Tests unauthorized file access | ✅ Pass |
| `test_access_to_protected_files` | Comprehensive file access testing | ✅ Pass |
- Authentication Bypass: ❌ Prevented
- Path Traversal: ❌ Prevented
- File Type Validation: ✅ Enforced
- Size Limit Enforcement: ✅ Enforced
- Unauthorized Access: ❌ Prevented
- Session Management: ✅ Secure
| Endpoint | Method | Auth Required | Description |
|---|---|---|---|
| `/` | GET | ✅ Yes | Dashboard/home page |
| `/login` | GET, POST | ❌ No | User authentication |
| `/logout` | GET | ✅ Yes | User logout |
| `/upload` | POST | ✅ Yes | File upload handler |
| `/list-files` | GET | ✅ Yes | List uploaded files |
| `/files/<filename>` | GET | ✅ Yes | Download file |
| `/view/<filename>` | GET | ✅ Yes | View file content |
The application uses Jinja2 templating with the following structure:
| Template | Purpose | Features |
|---|---|---|
| `login.html` | User authentication | Demo credentials display, flash messages |
| `index.html` | Main dashboard | File upload form, security info |
| `list_files.html` | File listing | Dynamic file list, download/view links |
| `view_file.html` | File content viewer | Text file content display |
| `error.html` | Generic error page | Customizable error messages |
| `cannot_view_file.html` | File type error | Non-text file handling |
```python
# File upload settings
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'docx'}
MAX_FILE_SIZE = 16 * 1024 * 1024  # 16MB

# Authentication credentials
VALID_CREDENTIALS = {
    'admin': 'secure_password_123'
}
```

Security headers:

```text
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
```

Environment variables:
- `FLASK_ENV`: set to `development` for debug mode
- `FLASK_APP`: set to `app.py`
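The header list above is the policy; a test should confirm each response actually carries it. The following is an added example, not part of the project: a small audit function that takes any mapping of header names to values (in a Flask test-client test that would be `response.headers`) and reports which of the four headers are missing or weaker than the README's configuration. The `REQUIRED_HEADERS` acceptance sets, the `MIN_HSTS_MAX_AGE` floor and the two sample responses are constructed for this example.

```python
# Acceptable values per header, taken from the README's security headers list.
# SAMEORIGIN is also accepted for X-Frame-Options (assumption: a looser but
# still clickjacking-safe value); everything else is flagged.
REQUIRED_HEADERS = {
    'X-Frame-Options': {'DENY', 'SAMEORIGIN'},
    'X-Content-Type-Options': {'nosniff'},
    'X-XSS-Protection': {'1; mode=block'},
}
MIN_HSTS_MAX_AGE = 31536000  # one year, matching the README's configuration


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value.

    Returns None when the directive is absent or not an integer, which the
    caller treats as a failing header rather than a passing one.
    """
    for directive in value.split(';'):
        key, _, val = directive.strip().partition('=')
        if key.lower() == 'max-age':
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def missing_security_headers(headers):
    """Return a sorted list of findings; an empty list means the policy holds.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, accepted in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f'{name}: missing')
        elif value.strip() not in accepted:
            findings.append(f'{name}: unexpected value {value!r}')
    hsts = lowered.get('strict-transport-security')
    if hsts is None:
        findings.append('Strict-Transport-Security: missing')
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(
                f'Strict-Transport-Security: max-age below {MIN_HSTS_MAX_AGE}')
    return sorted(findings)


# Constructed sample responses, not captured from the project.
HARDENED_RESPONSE = {
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block',
    'Strict-Transport-Security': 'max-age=31536000',
}
WEAK_RESPONSE = {
    'x-frame-options': 'ALLOWALL',
    'Strict-Transport-Security': 'max-age=3600',
}


if __name__ == '__main__':
    print('hardened:', missing_security_headers(HARDENED_RESPONSE))
    print('weak:', missing_security_headers(WEAK_RESPONSE))
```

In `app_test.py` this would be called on the headers of each response the test client receives (the login page, the dashboard, a `/files/<filename>` download) and asserted to return an empty list, which catches the common mistake of setting the headers in one route but not in the `after_request` hook that covers all of them.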
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/security-improvement`)
3. Commit your changes (`git commit -am 'Add new security feature'`)
4. Push to the branch (`git push origin feature/security-improvement`)
5. Create a Pull Request
- Follow PEP 8 style guidelines
- Add security tests for new features
- Update documentation for API changes
- Ensure all security tests pass
This project is licensed under the MIT License - see the LICENSE file for details.
Copyright (c) 2025 mattsebash