Unsafe Code Lab is a hands-on security training ground for code reviewers and penetration testers. Learn to spot vulnerabilities in production-quality code by understanding why they happen: refactoring drift, framework design patterns, and subtle API misuse.
- AppSec students with CTF/bug bounty/pentesting experience who want to master secure code review
- Developers learning secure coding practices through realistic examples
- Senior security engineers needing quick reference material when reviewing code
- Real code patterns: See how refactoring and feature additions introduce vulnerabilities
- Focus on API Design: See firsthand how framework API design can create security traps
- Easy Setup: Execute exploits directly from VSCode using .http files—no Burp or ZAP required
Click through the READMEs to learn vulnerabilities, see code snippets, and read exploitation examples. Start here:
Flask Confusion Vulnerabilities — A progressive curriculum exploring how different parts of an application can "disagree" about the same data:
| Section | What Goes Wrong |
|---|---|
| Input Source | Different code paths read from different locations |
| Authentication | Identity verification vs. identity usage disagree |
| Authorization | Permission checks vs. actions use different values |
| Cardinality | Single value vs. list disagreements |
| Normalization | String transformation inconsistencies |
Each section contains multiple exercises with realistic vulnerable code, interactive .http demos, and fixed versions.
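A worked illustration of the Cardinality row above, added here as an example and not taken from the repository: the authorization check and the action read the same query parameter through two different accessors, one keeping the first repeated value and the other the last, so they disagree whenever the parameter is sent twice. It uses only the standard library's query-string parsers rather than Flask, and the user/account data is constructed.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed data: which accounts each user is allowed to view.
OWNERS = {"alice": {"acct-1"}, "bob": {"acct-2"}}


def check_can_view(user, account):
    return account in OWNERS.get(user, set())


def handler_vulnerable(user, query_string):
    """Authorization reads the FIRST 'account' value, the action uses the LAST.

    parse_qs() keeps every repeated value in a list, so [0] is the first one;
    dict(parse_qsl()) overwrites on repeats, so it keeps the last one.
    The check and the action therefore disagree on a repeated parameter.
    """
    first = parse_qs(query_string).get("account", [None])[0]
    if not check_can_view(user, first):
        return 403, None
    last = dict(parse_qsl(query_string)).get("account")
    return 200, last  # the account actually served


def single_value(params, key):
    """Hardened accessor: a parameter that must be scalar is read once, and a
    repeated key is rejected instead of being silently resolved to first-or-last."""
    values = params.get(key, [])
    if len(values) != 1:
        raise ValueError(f"parameter {key!r} must appear exactly once, got {len(values)}")
    return values[0]


def handler_fixed(user, query_string):
    """Parse once, take one value, and use that same value for check and action."""
    try:
        account = single_value(parse_qs(query_string, keep_blank_values=True), "account")
    except ValueError:
        return 400, None
    if not check_can_view(user, account):
        return 403, None
    return 200, account
```

The vulnerable handler lets a request authorized for one account be served with another; the fixed handler returns 400 on the repeated key and otherwise checks and serves the same value.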
Clone the repo, start Docker Compose, and execute exploits from .http files directly in VSCode.
- Docker (Docker Desktop or Docker Engine with Compose v2)
- REST Client extension for VS Code
```bash
git clone https://github.com/Irench1k/unsafe-code
cd unsafe-code/flask-confusion
docker compose up -d
```

Open any .http file in VSCode and click "Send Request" to execute exploits.

- View logs: `docker compose logs -f`
- Stop: `docker compose down`
We welcome contributions! Development happens on the develop branch, which contains additional tooling for contributors. See CONTRIBUTING.md for how to get started.
This project is licensed under the terms in LICENSE.
