feat: add 7 new security labs + OWASP 2025 alignment#2

Open
statick88 wants to merge 7 commits into afsh4ck:main from statick88:main

Conversation

@statick88


Summary

Adds 7 new security labs and aligns all existing labs with OWASP 2025 standards.

New Labs

| Lab | OWASP Reference | Category |
|---|---|---|
| Supply Chain Security | A03:2025 | OWASP Top 10 2025 |
| BOLA | API1:2023 | OWASP API Security |
| Mass Assignment | API3:2023 | OWASP API Security |
| Exceptional Conditions | A10:2025 | OWASP Top 10 2025 |
| GraphQL | API8:2023 | OWASP API Security |
| LLM Excessive Agency | LLM06:2025 | OWASP LLM Top 10 |
| API Broken Authentication | API2:2023 | OWASP API Security |

Changes

  • Updated all existing OWASP lab titles with 2025 year codes (A01:2025–A10:2025)
  • Added mappings for new routes
  • Added route handlers with vulnerable implementations (educational)
  • Updated README.md to reflect 50+ labs covering OWASP Top 10 2025 + API Security + LLM Top 10

Testing

All 14 smoke tests passed. Each lab includes:

  • Interactive HTML template with forms/API explorers
  • Vulnerable Flask route handlers
  • Hidden flags for CTF-style learning
  • ES/EN bilingual support

Total labs: 50+ (43 original + 7 new)

- Add labs: Supply Chain (A03:2025), BOLA (API1:2023), Mass Assignment (API3:2023),
  Exceptional Conditions (A10:2025), GraphQL (API8:2023), LLM Excessive Agency (LLM06:2025),
  API Broken Authentication (API2:2023)
- Update all existing OWASP lab titles to use 2025 year codes (A01:2025–A10:2025)
- Update README.md to reflect 50+ labs covering OWASP Top 10 2025 + API Security + LLM Top 10
- Add path_to_lab mappings for new lab routes
- Add route handlers with vulnerable implementations for educational purposes
- Add OWASP API Security Top 10 section (BOLA, Broken Auth, Mass Assignment, GraphQL)
- Add OWASP LLM Top 10 2025 section (Excessive Agency)
- Add Supply Chain and Exceptional Conditions to OWASP Top 10 2025 table
- Add API Hunter achievement
- Update AI Breaker achievement to include LLM Top 10

Covers all new labs with unit tests verifying:
- Template rendering and OWASP codes
- Vulnerable behavior (BOLA, mass assignment, JWT none, etc.)
- Flag presence in each lab
- Path mappings for sidebar navigation
- Lab list integrity and category assignments

…ty findings

- Stage 1: API Security (6) — Prototype Pollution, Data Exposure, Rate Limit Bypass, Business Flow Abuse, BFLA, Unsafe API Consumption
- Stage 2: Cloud/Advanced (4) — Cloud Metadata SSRF, Advanced SSRF DNS Rebinding, HTTP Smuggling, GraphQL Advanced
- Stage 3: Breach-Driven (5) — Supply Chain v2, Exceptional v2, DOM XSS Advanced, Mass Assignment v2, UUID IDOR
- Stage 4: AI/Emerging (3) — MCP Tool Poisoning, RAG Injection, Device Code Phishing

153 tests passing, 68 total labs (was 50)

- Replace hardcoded headers with {% include '_lab_header.html' %}
- Migrate raw Tailwind (bg-gray-800) to shared CSS classes (hl-card, hl-input, btn-primary)
- Add data-i18n attributes for i18n readiness
- Add try/catch error handling to all fetch() calls
- Normalize max-w-4xl to max-w-3xl for consistency
- Update 18 Flask routes to pass lab context to templates
- 153/153 tests passing

- Add conftest.py with app/client fixtures
- Split monolithic test_new_labs.py (563 lines) into 5 staged files:
  - test_stage0_owasp.py: 7 OWASP labs + integrity checks (42 tests)
  - test_stage1_api.py: 6 API security labs (29 tests)
  - test_stage2_cloud.py: 4 cloud/advanced labs (10 tests)
  - test_stage3_breach.py: 5 breach-driven labs (11 tests)
  - test_stage4_ai.py: 3 AI/emerging labs (9 tests)
- 101 pytest tests, all passing
- Vertical slice pattern: one test per behavior
- pytest fixtures instead of global test client
- Proper test isolation per lab