SSRF.py
In this challenge we learn how to exploit and fix Server Side Request Forgery.
Cover the OWASP Top 10:2025 with hands-on Python secure coding challenges. Your developers find and fix real vulnerabilities in real Python apps — and you get evidence of capability, not just completion.
The OWASP Top 10 is the industry benchmark for web application security — the list your auditors, customers and security team measure against. Every challenge below is a real Python application with a real vulnerability: developers fix it without breaking functionality, and every verified fix becomes reportable evidence of secure coding capability.
Users acting outside their intended permissions — the most common web application risk. The 2025 edition folds Server-Side Request Forgery into this category.
Insecure default configurations, verbose errors, exposed secrets and unhardened services — now the #2 web application risk.
New in 2025: compromises across dependencies, build systems and distribution infrastructure, expanded from Vulnerable and Outdated Components.
Weak or missing cryptography that exposes sensitive data: predictable randomness, poor key handling, and broken token generation.
Untrusted data interpreted as code or commands — SQL injection, command injection, log injection, XSS and friends.
Security flaws baked into the design itself: missing rate limits, weak password policies, and logic that can be abused even when implemented "correctly".
Broken login, session and token handling that lets attackers assume other users’ identities.
Code and data accepted without integrity verification: insecure deserialization, prototype pollution, and unsafe update mechanisms.
Missing, forgeable or unmonitored logs that let breaches go undetected. Renamed in 2025 to emphasise alerting.
Assign these challenges to your team as learning pathways, track verified fixes, and report OWASP Top 10 coverage to auditors, customers and the board — with evidence, not attendance sheets.