standalone lab for insecure deserialization

Author: Garvita-k

insec_des_lab/.dockerignore

@@ -0,0 +1,9 @@
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+env/
+.venv/
+.env
+*.log

insec_des_lab/Dockerfile

@@ -0,0 +1,15 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+ENV FLASK_APP=main.py
+ENV FLASK_RUN_HOST=0.0.0.0
+
+EXPOSE 8080
+
+CMD ["flask", "run", "--debug", "--port=8080"]

insec_des_lab/docker-compose.yml

@@ -0,0 +1,10 @@
+services:
+  insec_des_lab:
+    build: .
+    ports:
+      - "8080:8080"
+    volumes:
+      - .:/app
+    environment:
+      - FLASK_ENV=development
+    restart: unless-stopped

insec_des_lab/main.py

@@ -0,0 +1,53 @@
+from flask import Flask, render_template, request, make_response
+import pickle
+import base64
+from dataclasses import dataclass
+
+app = Flask(__name__)
+
+@dataclass
+class User:
+    username: str 
+    is_admin: bool = False
+
+    def __reduce__(self):
+        # Intentionally vulnerable __reduce__ method to match PyGoat
+        return (User, (self.username, self.is_admin))
+
+@app.route('/')
+def index():
+    return render_template('index.html')
+
+@app.route('/serialize', methods=['POST'])
+def serialize_data():
+    username = request.form.get('username', 'guest')
+    # Create regular user with admin=False
+    user = User(username=username, is_admin=False)
+    # Match PyGoat's serialization format
+    serialized = base64.b64encode(pickle.dumps(user)).decode()
+    return render_template('result.html', serialized=serialized)
+
+@app.route('/deserialize', methods=['POST'])
+def deserialize_data():
+    try:
+        serialized_data = request.form.get('serialized_data', '')
+        decoded_data = base64.b64decode(serialized_data)
+        # Intentionally vulnerable deserialization, matching PyGoat
+        user = pickle.loads(decoded_data)
+        
+        if isinstance(user, User):
+            if user.is_admin:
+                message = f"Welcome Admin {user.username}! Here's the secret admin content: ADMIN_KEY_123"
+            else:
+                message = f"Welcome {user.username}. Only admins can see the secret content."
+        else:
+            message = "Invalid user data"
+        
+        return render_template('result.html', message=message)
+    except Exception as e:
+        return render_template('result.html', message=f"Error: {str(e)}")
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=8080)
+
+    

insec_des_lab/requirements.txt

@@ -0,0 +1,2 @@
+Flask==3.0.0
+Werkzeug==3.0.1

insec_des_lab/static/style.css

@@ -0,0 +1,244 @@
+/* Theme variables */
+:root {
+    --bg-color: #f8f9fa;
+    --card-bg: #fff;
+    --text-color: #212529;
+    --border-color: #dee2e6;
+    --card-shadow: 0 2px 4px rgba(0,0,0,0.1);
+    --code-bg: #2c3e50;
+    --code-color: #ecf0f1;
+    --button-bg: #3498db;
+    --button-hover: #2980b9;
+    --section-bg: #f8f9fa;
+    --input-bg: #ffffff;
+    --input-color: #2c3e50;
+    --input-border: #ddd;
+}
+
+/* Dark theme */
+[data-theme="dark"] {
+    --bg-color: #212529;
+    --card-bg: #343a40;
+    --text-color: #f8f9fa;
+    --border-color: #495057;
+    --card-shadow: 0 2px 4px rgba(0,0,0,0.3);
+    --code-bg: #1a1a1a;
+    --code-color: #ecf0f1;
+    --button-bg: #2980b9;
+    --button-hover: #3498db;
+    --section-bg: #2d3338;
+    --input-bg: #2d3338;
+    --input-color: #f8f9fa;
+    --input-border: #495057;
+}
+
+/* Reset margins and padding */
+* {
+    margin: 0;
+    padding: 0;
+    box-sizing: border-box;
+}
+
+html, body {
+    margin: 0;
+    padding: 0;
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;
+    background: var(--bg-color);
+    color: var(--text-color);
+    line-height: 1.6;
+    font-size: 16px;
+    min-height: 100vh;
+    transition: all 0.3s ease;
+}
+
+.content {
+    max-width: 1200px;
+    margin: 0 auto;
+    padding: 0;
+}
+
+.box {
+    background: var(--card-bg);
+    border-radius: 8px;
+    padding: 25px;
+    margin: 20px 0;
+    box-shadow: var(--card-shadow);
+    border: 1px solid var(--border-color);
+}
+
+.container {
+    max-width: 800px;
+    margin: 0 auto;
+    background: var(--card-bg);
+    border-radius: 8px;
+    box-shadow: var(--card-shadow);
+    padding: 20px;
+}
+
+main {
+    padding: 0;
+}
+
+h1, h2, h3, h4 {
+    color: var(--text-color);
+}
+
+/* Updated heading styles */
+h1 { 
+    font-size: 2.75rem;
+    margin: 1rem 0;
+    color: var(--text-color);
+    text-align: center;
+    font-weight: 600;
+}
+
+h2 { 
+    font-size: 2.25rem;
+    margin: 0.875rem 0;
+    color: var(--text-color);
+    font-weight: 600;
+}
+
+h3 { 
+    font-size: 2rem;
+    margin: 2rem 0 1rem;
+    color: var(--text-color);
+    font-weight: 600;
+    border-bottom: 2px solid var(--border-color);
+    padding-bottom: 0.5rem;
+}
+
+h4 { 
+    font-size: 1.5rem;
+    margin: 1.5rem 0 1rem;
+    color: var(--text-color);
+    font-weight: 600;
+}
+
+.section {
+    background: var(--section-bg);
+    margin: 25px 0;
+    padding: 20px;
+    border-radius: 8px;
+    border: 1px solid var(--border-color);
+}
+
+.section h2 {
+    margin-top: 0;
+    color: var(--text-color);
+    font-size: 1.75rem;
+}
+
+input[type="text"], textarea {
+    width: 100%;
+    padding: 12px;
+    margin: 8px 0;
+    border: 1px solid var(--input-border);
+    border-radius: 4px;
+    background: var(--input-bg);
+    color: var(--input-color);
+    font-size: 1rem;
+    transition: all 0.3s ease;
+}
+
+button, .button {
+    background: var(--button-bg);
+    color: white;
+    padding: 12px 24px;
+    border: none;
+    border-radius: 4px;
+    cursor: pointer;
+    text-decoration: none;
+    display: inline-block;
+    margin: 5px 0;
+    font-size: 1rem;
+    transition: all 0.3s ease;
+}
+
+button:hover, .button:hover {
+    background: var(--button-hover);
+    transform: translateY(-1px);
+}
+
+.code-block {
+    background: var(--code-bg);
+    color: var(--code-color);
+    padding: 15px;
+    border-radius: 4px;
+    overflow-x: auto;
+    margin: 10px 0;
+    font-family: 'Consolas', 'Monaco', 'Courier New', monospace;
+    font-size: 0.95rem;
+    line-height: 1.4;
+}
+
+pre {
+    margin: 0;
+    white-space: pre-wrap;
+    font-size: 0.95rem;
+}
+
+.info {
+    background: var(--section-bg);
+    padding: 20px;
+    border-left: 4px solid var(--button-bg);
+    margin: 20px 0;
+    border-radius: 0 8px 8px 0;
+    font-size: 1.1rem;
+}
+
+.lab {
+    background: var(--section-bg);
+    border-left: 4px solid var(--button-bg);
+    padding: 20px;
+    margin: 20px 0;
+    border-radius: 0 8px 8px 0;
+    font-size: 1.1rem;
+}
+
+.lab .bp {
+    margin: 1rem 0;
+    font-weight: 500;
+}
+
+.bp {
+    font-size: 1.1rem;
+    line-height: 1.7;
+    margin: 1rem 0;
+    color: var(--text-color);
+}
+
+ul {
+    padding-left: 25px;
+}
+
+li {
+    margin: 10px 0;
+    line-height: 1.5;
+    font-size: 1.1rem;
+}
+
+.theme-toggle {
+    position: fixed;
+    top: 20px;
+    right: 20px;
+    z-index: 1000;
+    width: 40px;
+    height: 40px;
+    border-radius: 50%;
+    border: 2px solid var(--border-color);
+    background-color: var(--card-bg);
+    color: var(--text-color);
+    cursor: pointer;
+    transition: all 0.3s ease;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    padding: 0;
+    font-size: 1.2rem;
+}
+
+.theme-toggle:hover {
+    transform: scale(1.1);
+    opacity: 0.9;
+}

insec_des_lab/templates/base.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html data-theme="light">
+<head>
+    <meta charset="UTF-8">
+    {% block title %}{% endblock %}
+    <link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}">
+</head>
+<body><button class="theme-toggle" onclick="toggleTheme()" aria-label="Toggle theme">🌙</button>{% block content %}{% endblock %}
+<script>
+        function toggleTheme() {
+            const html = document.documentElement;
+            const currentTheme = html.getAttribute('data-theme');
+            const newTheme = currentTheme === 'dark' ? 'light' : 'dark';
+            
+            requestAnimationFrame(() => {
+                html.setAttribute('data-theme', newTheme);
+                localStorage.setItem('theme', newTheme);
+                
+                const themeToggle = document.querySelector('.theme-toggle');
+                themeToggle.innerHTML = newTheme === 'dark' ? '☀️' : '🌙';
+            });
+        }
+
+        // Set theme on page load
+        document.addEventListener('DOMContentLoaded', () => {
+            const savedTheme = localStorage.getItem('theme') || 'light';
+            const html = document.documentElement;
+            
+            requestAnimationFrame(() => {
+                html.setAttribute('data-theme', savedTheme);
+                const themeToggle = document.querySelector('.theme-toggle');
+                themeToggle.innerHTML = savedTheme === 'dark' ? '☀️' : '🌙';
+            });
+        });
+    </script></body>
+</html>