Damn Vulnerable Blog (DVB) is a Flask-based blog web application intentionally designed to be vulnerable.
It provides common blogging features such as user registration, login, posting, commenting, changing passwords, and file uploads, but all implemented in insecure ways on purpose.
DVB is intentionally vulnerable to give you a hands-on learning experience in security testing. You can safely experiment with its flaws and study the source code to understand how vulnerabilities arise.
- This project is for educational and testing purposes only.
- I don't take any responsibility for misuse.
- Do NOT deploy it to production or expose it to the public internet.
- It is meant strictly for local or isolated environments such as VMs or containers.
This application includes the following security flaws, so you can explore and understand common web security issues:
- SQL Injection (SQLi):
  - Union-based SQL Injection
  - Authentication Bypass via SQL Injection
- Cross-Site Scripting (XSS):
  - Reflected XSS
  - Stored XSS
  - DOM-based XSS
- Command Injection
- Server-Side Template Injection (SSTI)
- Path Traversal
- Insecure File Upload
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- Vulnerable Authentication Mechanism
- Session Hijacking via Weak Secret Key
- Insecure Direct Object Reference (IDOR)
- Broken Access Control (unprotected admin functionality)
- Download the repository:

  ```
  git clone https://github.com/Sec0gh/Damn-Vulnerable-Blog.git
  cd Damn-Vulnerable-Blog
  ```

- Install the requirements:

  ```
  pip install -r requirements.txt
  ```

- Run the application:

  ```
  python3 app.py
  ```

- Open the URL in your browser:

  ```
  http://127.0.0.1:5000
  ```
All main settings are stored in config.py. You can modify them if you want to change how the application runs.

For example, to change the IP address or port, edit the following lines in config.py:

```
HOST = "127.0.0.1"
PORT = 5000
```
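Because DVB must stay on a local or isolated machine, a pre-flight check that the configured HOST is a loopback address is useful before starting it. The script below is an added example, not part of the DVB project; it assumes config.py contains plain `HOST = "..."` and `PORT = ...` assignments as shown above and parses them with `ast` rather than importing the file.

```python
# Added example (not DVB's own code): verify that config.py binds DVB to a
# loopback address only, so the intentionally vulnerable app is never exposed.
import ast
import ipaddress
from pathlib import Path

# Constructed sample matching the two lines the README says config.py contains.
SAMPLE_CONFIG = 'HOST = "127.0.0.1"\nPORT = 5000\n'


def parse_bind_settings(source: str) -> dict:
    """Extract simple HOST/PORT assignments from config.py text via ast,
    so the check never executes the configuration file."""
    settings = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            target = node.targets[0]
            if isinstance(target, ast.Name) and target.id in ("HOST", "PORT"):
                if isinstance(node.value, ast.Constant):
                    settings[target.id] = node.value.value
    return settings


def is_loopback_bind(host: str) -> bool:
    """True only for loopback; 0.0.0.0 or :: would listen on every interface."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostnames other than localhost are treated as unsafe
        return False


def check_config(source: str) -> tuple:
    """Return (ok, message) for the given config.py text."""
    settings = parse_bind_settings(source)
    host, port = settings.get("HOST"), settings.get("PORT")
    if host is None or port is None:
        return False, "HOST or PORT missing from config.py"
    if not isinstance(port, int) or not 1 <= port <= 65535:
        return False, f"PORT {port!r} is not a valid TCP port"
    if not is_loopback_bind(host):
        return False, f"HOST {host!r} would expose DVB beyond this machine"
    return True, f"OK: DVB will listen only on {host}:{port}"


if __name__ == "__main__":
    path = Path("config.py")  # run from the repository root
    text = path.read_text() if path.exists() else SAMPLE_CONFIG
    ok, msg = check_config(text)
    print(msg)
    raise SystemExit(0 if ok else 1)
```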