Deliberately vulnerable web application for CWES / OSCP / bug bounty practice. 11 vulnerability classes in a single Flask app, Dockerized for one-command setup.
Legal notice: Intentionally vulnerable. Run only in isolated Docker environments. Never expose to public networks.
| # | Vulnerability | Severity | Technique |
|---|---|---|---|
| 01 | SSTI | Critical | Jinja2 render_template_string RCE |
| 02 | SSRF | High | Internal metadata + service access |
| 03 | SQLi | Critical | Raw string query concatenation |
| 04 | IDOR | High | No ownership check on objects |
| 05 | JWT attacks | High | None algorithm + weak secret |
| 06 | File upload | High | No extension/MIME validation |
| 07 | Command injection | Critical | shell=True subprocess |
| 08 | XSS | Medium | Reflected + stored, output marked with the Jinja2 `safe` filter |
| 09 | Broken auth | High | Hardcoded backdoor credential |
| 10 | XXE | High | External entity file read |
| 11 | Insecure deserialization | Critical | Pickle RCE |
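As an added illustration of the SQLi row above (example code, not tifsec's own; the `users` table and the sample rows are constructed), this shows why the raw concatenation pattern fails the moment user data contains a quote, next to the parameterized form that treats the same input as a plain value:

```python
import sqlite3

# Constructed sample data, not tifsec's schema.
SAMPLE_USERS = [("alice", "admin"), ("o'brien", "user")]


def build_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, username):
    """Vulnerable pattern from the table: the value is spliced into the SQL text,
    so a quote inside it changes the query's structure instead of staying data."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_param(conn, username):
    """Hardened form: a bound parameter is always handled as a value by the driver."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def concat_breaks_on_quote(conn, username):
    """True if the concatenated query fails to parse for this input.
    A legitimate quote-bearing username is the simplest evidence that
    user data is rewriting the query text."""
    try:
        lookup_concat(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(lookup_param(db, "o'brien"))            # [("o'brien", "user")]
    print(concat_breaks_on_quote(db, "o'brien"))  # True
```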
```bash
git clone https://github.com/Jostif/tifsec.git
cd tifsec
docker-compose up --build
```

Open http://localhost:5000
- Docker + Docker Compose
- Nothing else — all dependencies are containerized
```text
tifsec/
├── docker-compose.yml
├── Dockerfile
├── requirements.txt
├── app/
│   ├── app.py          # Flask app — all vulnerabilities
│   ├── templates/      # Jinja2 templates per vuln
│   └── uploads/        # file upload target (gitignored)
└── solutions/
    └── walkthrough.md  # full exploitation guide
```
CTF-style flags hidden throughout — format: TIFSEC{...}
See solutions/walkthrough.md for full exploitation guide.
- ad-attack-chain — AD attack chain automation
- nuclei-templates — custom Nuclei templates
- htb-writeups — HTB machine writeups
J0stif — penetration tester, bug bounty hunter PNPT · PWPA · CEH | OSCP (in progress) · HTB CPTS (in progress) · HTB CWES (in progress)
HTB Profile · Site · Twitter/X