diff --git a/docker-compose.yml b/docker-compose.yml
index 3d39f83..f08a550 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,6 +9,9 @@ services:
       - POSTGRES_DB=postgres
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=postgres
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
   web:
     build: .
     image: pygoat/pygoat
@@ -20,6 +23,9 @@ services:
     depends_on:
       - migration
       - db
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
   migration:
     image: pygoat/pygoat
     command: python pygoat/manage.py migrate --noinput
@@ -27,3 +33,6 @@ services:
       - .:/app
     depends_on:
       - db
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
diff --git a/introduction/apis.py b/introduction/apis.py
index 7926708..c0c61e8 100644
--- a/introduction/apis.py
+++ b/introduction/apis.py
@@ -12,14 +12,6 @@
 
 from .utility import *
 from .views import authentication_decorator
-
-
-# steps --> 
-# 1. covert input code to corrosponding code and write in file
-# 2. extract inputs form 2nd code 
-# 3. Run the code 
-# 4. get the result
-@csrf_exempt
 def ssrf_code_checker(request):
     if request.user.is_authenticated:
         if request.method == 'POST':
@@ -52,17 +44,15 @@ def ssrf_code_checker(request):
             return JsonResponse({'message':'method not allowed'},status = 405)
     else:
         return JsonResponse({'message':'UnAuthenticated User'},status = 401)
+from django.utils.html import escape
 
-# Insufficient Logging & Monitoring
-
-
-@csrf_exempt
+# @csrf_exempt
 # @authentication_decorator
 def log_function_checker(request):
     if request.method == 'POST':
         csrf_token = request.POST.get("csrfmiddlewaretoken")
-        log_code = request.POST.get('log_code')
-        api_code = request.POST.get('api_code')
+        log_code = escape(request.POST.get('log_code'))
+        api_code = escape(request.POST.get('api_code'))
         dirname = os.path.dirname(__file__)
         log_filename = os.path.join(dirname, "playground/A9/main.py")
         api_filename = os.path.join(dirname, "playground/A9/api.py")
@@ -88,9 +78,10 @@ def log_function_checker(request):
         return JsonResponse({"message":"success", "logs": lines},status = 200)
     else:
         return JsonResponse({"message":"method not allowed"},status = 405)
-
 #a7 codechecking api
-@csrf_exempt
+from django.views.decorators.csrf import csrf_protect
+
+@csrf_protect
 def A7_disscussion_api(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
@@ -107,9 +98,7 @@ def A7_disscussion_api(request):
         return JsonResponse({"message":"success"},status = 200)
 
     return JsonResponse({"message":"failure"},status = 400)
-
 #a6 codechecking api
-@csrf_exempt
 def A6_disscussion_api(request):
     test_bench = ["Pillow==8.0.0","PyJWT==2.4.0","requests==2.28.0","Django==4.0.4"]
     
@@ -121,13 +110,16 @@ def A6_disscussion_api(request):
         return JsonResponse({"message":"failure"},status = 400)
     except Exception as e:
         return JsonResponse({"message":"failure"},status = 400)
+from django.views.decorators.csrf import csrf_protect
+import html
 
-@csrf_exempt
+@csrf_protect
 def A6_disscussion_api_2(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
     try:
         code = request.POST.get('code')
+        code = html.escape(code)
         dirname = os.path.dirname(__file__)
         filename = os.path.join(dirname, "playground/A6/utility.py")
         f = open(filename,"w")
@@ -135,4 +127,4 @@ def A6_disscussion_api_2(request):
         f.close()
     except:
         return JsonResponse({"message":"missing code"},status = 400)
-    return JsonResponse({"message":"success"},status = 200)
\ No newline at end of file
+    return JsonResponse({"message":"success"},status = 200)
diff --git a/introduction/mitre.py b/introduction/mitre.py
index c899c21..e522597 100644
--- a/introduction/mitre.py
+++ b/introduction/mitre.py
@@ -150,6 +150,8 @@ def mitre_top24(request):
 def mitre_top25(request):
     if request.method == 'GET':
         return render(request, 'mitre/mitre_top25.html')
+import os
+from django.http import JsonResponse
 
 @authentication_decorator
 def csrf_lab_login(request):
@@ -158,23 +160,24 @@ def csrf_lab_login(request):
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
+
+        password = hashlib.scrypt(password.encode(), salt=os.urandom(16), n=16384, r=8, p=1).hex()
         User = CSRF_user_tbl.objects.filter(username=username, password=password)
         if User:
+            secret = os.environ.get('JWT_SECRET_KEY', 'default_key')
             payload ={
                 'username': username,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
                 'iat': datetime.datetime.utcnow()
             }
-            cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
+            cookie = jwt.encode(payload, secret, algorithm='HS256')
             response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
+            response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax')
             return response
         else :
             return redirect('/mitre/9/lab/login')
 
 @authentication_decorator
-@csrf_exempt
 def csrf_transfer_monei(request):
     if request.method == 'GET':
         try:
@@ -208,14 +211,16 @@ def csrf_transfer_monei_api(request,recipent,amount):
         return redirect('/mitre/9/lab/transaction') 
     else:
         return redirect ('/mitre/9/lab/transaction')
+from ast import literal_eval
 
-
-# @authentication_decorator
-@csrf_exempt
+@authentication_decorator
 def mitre_lab_25_api(request):
     if request.method == "POST":
         expression = request.POST.get('expression')
-        result = eval(expression)
+        try:
+            result = literal_eval(expression)
+        except (SyntaxError, ValueError):
+            return JsonResponse({'error': 'Invalid expression'})
         return JsonResponse({'result': result})
     else:
         return redirect('/mitre/25/lab/')
@@ -228,13 +233,10 @@ def mitre_lab_25(request):
 @authentication_decorator
 def mitre_lab_17(request):
     return render(request, 'mitre/mitre_lab_17.html')
-
 def command_out(command):
-    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    command = command.split()
+    process = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     return process.communicate()
-    
-
-@csrf_exempt
 def mitre_lab_17_api(request):
     if request.method == "POST":
         ip = request.POST.get('ip')
@@ -244,4 +246,4 @@ def mitre_lab_17_api(request):
         err = err.decode()
         pattern = "STATE SERVICE.*\\n\\n"
         ports = re.findall(pattern, res,re.DOTALL)[0][14:-2].split('\n')
-        return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
\ No newline at end of file
+        return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
diff --git a/introduction/playground/A9/api.py b/introduction/playground/A9/api.py
index 35e1bd2..156280a 100644
--- a/introduction/playground/A9/api.py
+++ b/introduction/playground/A9/api.py
@@ -1,33 +1,29 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
-
 from .main import Log
 
-
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
         L.info("GET request")
-        return JsonResponse({"message":"normal get request", "method":"get"},status = 200)
+        return JsonResponse({"message":"normal get request", "method":"get"}, status=200)
     if request.method == "POST":
         username = request.POST['username']
         password = request.POST['password']
         L.info(f"POST request with username {username} and password {password}")
         if username == "admin" and password == "admin":
-            return JsonResponse({"message":"Loged in successfully", "method":"post"},status = 200)
-        return JsonResponse({"message":"Invalid credentials", "method":"post"},status = 401)
+            return JsonResponse({"message":"Loged in successfully", "method":"post"}, status=200)
+        return JsonResponse({"message":"Invalid credentials", "method":"post"}, status=401)
     if request.method == "PUT":
         L.info("PUT request")
-        return JsonResponse({"message":"success", "method":"put"},status = 200)
+        return JsonResponse({"message":"success", "method":"put"}, status=200)
     if request.method == "DELETE":
         if request.user.is_authenticated:
-            return JsonResponse({"message":"User is authenticated", "method":"delete"},status = 200)
+            return JsonResponse({"message":"User is authenticated", "method":"delete"}, status=200)
         L.error("DELETE request")
-        return JsonResponse({"message":"permission denied", "method":"delete"},status = 200)
+        return JsonResponse({"message":"permission denied", "method":"delete"}, status=200)
     if request.method == "PATCH":
         L.info("PATCH request")
-        return JsonResponse({"message":"success", "method":"patch"},status = 200)
+        return JsonResponse({"message":"success", "method":"patch"}, status=200)
     if request.method == "UPDATE":
-        return JsonResponse({"message":"success", "method":"update"},status = 200)
-    return JsonResponse({"message":"method not allowed"},status = 403)
\ No newline at end of file
+        return JsonResponse({"message":"success", "method":"update"}, status=200)
+    return JsonResponse({"message":"method not allowed"}, status=403)
diff --git a/introduction/playground/A9/archive.py b/introduction/playground/A9/archive.py
index c9db8fc..d6f4be7 100644
--- a/introduction/playground/A9/archive.py
+++ b/introduction/playground/A9/archive.py
@@ -1,10 +1,7 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
-
 from .main import Log
 
 
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
@@ -33,12 +30,6 @@ def log_function_target(request):
     return JsonResponse({"message":"method not allowed"},status = 403)
 
 
-# ======================================
-
-import datetime
-
-
-# f = open('test.log', 'a') --> use this file to log
 class Log:
     def __init__(self,request):
         self.request = request
diff --git a/introduction/static/js/a9.js b/introduction/static/js/a9.js
index 9c58b8a..738109d 100644
--- a/introduction/static/js/a9.js
+++ b/introduction/static/js/a9.js
@@ -37,9 +37,9 @@ event3 = function(){
         document.getElementById("a9_d3").style.display = 'flex';
         for (var i = 0; i < data.logs.length; i++) {
             var li = document.createElement("li");
-            li.innerHTML = data.logs[i];
+            li.textContent = data.logs[i];
             document.getElementById("a9_d3").appendChild(li);
         }
     })
     .catch(error => console.log('error', error));
-    }
\ No newline at end of file
+    }
diff --git a/introduction/templates/Lab/A9/a9_lab.html b/introduction/templates/Lab/A9/a9_lab.html
index 5a70b46..7145c34 100644
--- a/introduction/templates/Lab/A9/a9_lab.html
+++ b/introduction/templates/Lab/A9/a9_lab.html
@@ -8,6 +8,7 @@
 <div class="jumbotron">
     <h4 style="text-align:center"> Yaml To Json Converter</h4>
     <form enctype="multipart/form-data" method="post" action="/a9_lab">
+        {% csrf_token %}
         <input type="file" name="file"><br>
         <br>
         <button class="btn btn-info" type="submit">Upload</button>
@@ -34,4 +35,4 @@ <h5>Here is your output:</h5><br>
 
 </p>
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/templates/Lab/A9/a9_lab2.html b/introduction/templates/Lab/A9/a9_lab2.html
index cace076..33b3a91 100644
--- a/introduction/templates/Lab/A9/a9_lab2.html
+++ b/introduction/templates/Lab/A9/a9_lab2.html
@@ -19,6 +19,7 @@ <h4>Some Example</h4>
     </ul>
     
     <form enctype="multipart/form-data" id="a9_form2" method="POST" style="display: flex;flex-direction: column;align-items: center;margin-bottom: 50px;">
+        {% csrf_token %}
         <input type="file" name="file" id="a9_file" />
         <input type="text" name="function" id="a9_function" placeholder="function"/>
         <button type="submit" id="a9_submit" >Submit</button>
@@ -88,7 +89,11 @@ <h4>Some Example</h4>
         form.submit();
     }
     {% if error %}
-    alert("{{ data }}");
+    <span id="data">{{ data }}</span>
+    <script>
+        var data = document.getElementById('data').textContent;
+        alert(data);
+    </script>
     {% endif %}
 
 </script>
diff --git a/introduction/templates/Lab/BrokenAccess/ba_lab.html b/introduction/templates/Lab/BrokenAccess/ba_lab.html
index d45da9b..d8f3ae9 100644
--- a/introduction/templates/Lab/BrokenAccess/ba_lab.html
+++ b/introduction/templates/Lab/BrokenAccess/ba_lab.html
@@ -9,7 +9,7 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/ba_lab">
-
+            {% csrf_token %}
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
@@ -43,4 +43,4 @@ <h2>Please Provide Credentials</h2>
 
 </p>
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/templates/Lab/BrokenAuth/otp.html b/introduction/templates/Lab/BrokenAuth/otp.html
index 3d12cda..9bab238 100644
--- a/introduction/templates/Lab/BrokenAuth/otp.html
+++ b/introduction/templates/Lab/BrokenAuth/otp.html
@@ -7,6 +7,7 @@
     <div class="container">
         <h5 align="center">Login Through Otp</h5><br>
         <form method="get" action="/otp">
+            {% csrf_token %}
             <input name="email" type="email" placeholder="yourid@mail.com">
             <button class="btn btn-info" type="submit"> Send OTP</button>
 
@@ -16,6 +17,7 @@ <h5 align="center">Login Through Otp</h5><br>
 </div>
 <div class="container">
     <form method="post" action="/otp">
+        {% csrf_token %}
         <label for='enter'>Enter Your OTP:</label>
         <input id="enter" type="number" maxlength="3" name="otp"><br><br>
         <button class="btn btn-info" type="submit">Log in</button>
@@ -30,8 +32,6 @@ <h3 align="center">Your 3 Digit Verification Code:<code>{{otp}}</code></h3>
     <h3 align="center">Login Successful as user : <code>{{email}}</code></h3>
     {% endif %}
 
-
-
 </div>
 <!-- In case any issue with the code please mail the administrator through this mail id : "admin@pygoat.com" -->
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/templates/Lab/CMD/cmd_lab.html b/introduction/templates/Lab/CMD/cmd_lab.html
index 2998cd3..6175ff5 100644
--- a/introduction/templates/Lab/CMD/cmd_lab.html
+++ b/introduction/templates/Lab/CMD/cmd_lab.html
@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Name Server Lookup </h3>
         <form method="post" action="/cmd_lab">
+            {% csrf_token %}
             <input type="text" name="domain" placeholder="Enter Domain Here"><br><br>
             <input type="radio" id="linux" name="os" value="linux">
             <label for="linux">Linux</label>
@@ -33,4 +34,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/templates/Lab/CMD/cmd_lab2.html b/introduction/templates/Lab/CMD/cmd_lab2.html
index a71a605..7319130 100644
--- a/introduction/templates/Lab/CMD/cmd_lab2.html
+++ b/introduction/templates/Lab/CMD/cmd_lab2.html
@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Evaluate any expression!</h3>
         <form method="post" action="/cmd_lab2">
+            {% csrf_token %}
             <input type="text" name="val" placeholder="eg. 7*7"><br><br>
             <center><button class="btn btn-info" type="submit">GO</button></center>
         </form>
@@ -29,4 +30,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/templates/Lab/XSS/xss_lab_3.html b/introduction/templates/Lab/XSS/xss_lab_3.html
index a550b9a..7f9770d 100644
--- a/introduction/templates/Lab/XSS/xss_lab_3.html
+++ b/introduction/templates/Lab/XSS/xss_lab_3.html
@@ -17,9 +17,11 @@ <h1>Welcome to XSS Challenge</h1>
 </form>
 <br>
 <p>{{code}}</p>
+{% json_script "safe_code" code %}
 <script>
     // LAB 3 JS CODE
-    {{code}}
+    var safeCode = document.getElementById('safe_code').textContent;
+    eval(safeCode);
 </script>
 <br>
 <div align="right">
diff --git a/introduction/templates/Lab/ssrf/ssrf_discussion.html b/introduction/templates/Lab/ssrf/ssrf_discussion.html
index 7dc6678..2eb5868 100644
--- a/introduction/templates/Lab/ssrf/ssrf_discussion.html
+++ b/introduction/templates/Lab/ssrf/ssrf_discussion.html
@@ -123,22 +123,22 @@ <h6>ssrf_lab.html</h6>
                     <textarea id="html">
 <div style="display:flex;flex-direction:row;align-items:center;margin:15px">
     <form method="post" action="/ssrf_lab">
-        {&#37; csrf_token &#37;}
+        {% csrf_token %}
         <input type="hidden" name="blog" value="templates/Lab/ssrf/blogs/blog1.txt">
         <button type="submit" class="btn btn-info"> Blog1 </button>
     </form>
     <form method="post" action="/ssrf_lab">
-        {&#37; csrf_token &#37;}
+        {% csrf_token %}
         <input type="hidden" name="blog" value="templates/Lab/ssrf/blogs/blog2.txt">
         <button type="submit" class="btn btn-info"> Blog2 </button>
     </form>
     <form method="post" action="/ssrf_lab">
-        {&#37; csrf_token &#37;}
+        {% csrf_token %}
         <input type="hidden" name="blog" value="templates/Lab/ssrf/blogs/blog3.txt">
         <button type="submit" class="btn btn-info"> Blog3 </button>
     </form>
     <form method="post" action="/ssrf_lab">
-        {&#37; csrf_token &#37;}
+        {% csrf_token %}
         <input type="hidden" name="blog" value="templates/Lab/ssrf/blogs/blog4.txt">
         <button type="submit" class="btn btn-info"> Blog4 </button>
     </form>
diff --git a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html
index 1fa4c91..e7dc04e 100644
--- a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html
+++ b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html
@@ -9,7 +9,7 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/broken_access_lab_1">
-
+            {% csrf_token %}
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
@@ -43,4 +43,4 @@ <h2>Please Provide Credentials</h2>
 
 </p>
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html
index cce8b6e..7940ed9 100644
--- a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html
+++ b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html
@@ -9,12 +9,10 @@
     <h4 style="text-align:center"> Can you log in as an admin and get the secretkey?</h4>
     <div class="login">
         <form method="post" action="/broken_access_lab_2">
-
+            {% csrf_token %}
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
-
-
         </form>
     </div>
 </div>
@@ -50,4 +48,4 @@ <h2>Please Provide Credentials</h2>
 <!--Admins don't use Browsers like Google Chrome or Firefox etc-->
 <!--Admins only use pygoat_admin browser-->
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/views.py b/introduction/views.py
index 0f550c4..4b77ec0 100644
--- a/introduction/views.py
+++ b/introduction/views.py
@@ -142,46 +142,33 @@ def sql(request):
         return  render(request,'Lab/SQL/sql.html')
     else:
         return redirect('login')
-
 def sql_lab(request):
     if request.user.is_authenticated:
-
-        name=request.POST.get('name')
-
-        password=request.POST.get('pass')
-
+        name = request.POST.get('name')
+        password = request.POST.get('pass')
         if name:
-
             if login.objects.filter(user=name):
-
-                sql_query = "SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"
-                print(sql_query)
                 try:
                     print("\nin try\n")
-                    val=login.objects.raw(sql_query)
+                    val = login.objects.raw("SELECT * FROM introduction_login WHERE user=%s AND password=%s", [name, password])
                 except:
                     print("\nin except\n")
-                    return render(
-                        request, 
-                        'Lab/SQL/sql_lab.html',
-                        {
-                            "wrongpass":password,
-                            "sql_error":sql_query
-                        })
-
+                    return render(request, 'Lab/SQL/sql_lab.html',
+                                  {
+                                      "wrongpass": password
+                                  })
                 if val:
-                    user=val[0].user
-                    return render(request, 'Lab/SQL/sql_lab.html',{"user1":user})
+                    user = val[0].user
+                    return render(request, 'Lab/SQL/sql_lab.html', {"user1": user})
                 else:
                     return render(
-                        request, 
+                        request,
                         'Lab/SQL/sql_lab.html',
                         {
-                            "wrongpass":password,
-                            "sql_error":sql_query
+                            "wrongpass": password
                         })
             else:
-                return render(request, 'Lab/SQL/sql_lab.html',{"no": "User not found"})
+                return render(request, 'Lab/SQL/sql_lab.html', {"no": "User not found"})
         else:
             return render(request, 'Lab/SQL/sql_lab.html')
     else:
@@ -200,21 +187,22 @@ class TestUser:
     admin: int = 0
 pickled_user = pickle.dumps(TestUser())
 encoded_user = base64.b64encode(pickled_user)
+import json
+import base64
 
 def insec_des_lab(request):
     if request.user.is_authenticated:
-        response = render(request,'Lab/insec_des/insec_des_lab.html', {"message":"Only Admins can see this page"})
+        response = render(request, 'Lab/insec_des/insec_des_lab.html', {"message": "Only Admins can see this page"})
         token = request.COOKIES.get('token')
-        if token == None:
-            token = encoded_user
-            response.set_cookie(key='token',value=token.decode('utf-8'))
+        if token is None:
+            token = base64.b64encode(json.dumps(encoded_user).encode('utf-8')).decode('utf-8')
+            response.set_cookie(key='token', value=token, secure=True, httponly=True, samesite='Lax')
         else:
-            token = base64.b64decode(token)
-            admin = pickle.loads(token)
-            if admin.admin == 1:
-                response = render(request,'Lab/insec_des/insec_des_lab.html', {"message":"Welcome Admin, SECRETKEY:ADMIN123"})
-                return response
-
+            token = base64.b64decode(token).decode('utf-8')
+            admin = json.loads(token)
+            if admin['admin'] == 1:
+              response = render(request, 'Lab/insec_des/insec_des_lab.html', {"message": "Welcome Admin, SECRETKEY:ADMIN123"})
+              return response
         return response
     else:
         return redirect('login')
@@ -234,8 +222,6 @@ def xxe_lab(request):
         return render(request,'Lab/XXE/xxe_lab.html')
     else:
         return redirect('login')
-
-@csrf_exempt
 def xxe_see(request):
     if request.user.is_authenticated:
 
@@ -245,8 +231,6 @@ def xxe_see(request):
     else:
         return redirect('login')
 
-
-@csrf_exempt
 def xxe_parse(request):
 
     parser = make_parser()
@@ -269,7 +253,6 @@ def auth_home(request):
 
 def auth_lab(request):
     return render(request,'Lab/AUTH/auth_lab.html')
-
 def auth_lab_signup(request):
     if request.method == 'GET':
         return render(request,'Lab/AUTH/auth_lab_signup.html')
@@ -280,23 +263,26 @@ def auth_lab_signup(request):
             passwd  = request.POST['pass']
             obj = authLogin.objects.create(name=name,username=user_name,password=passwd)
             try:
-                rendered = render_to_string('Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name,'err_msg':'Cookie Set'})
-                response = HttpResponse(rendered)
-                response.set_cookie('userid', obj.userid, max_age=31449600, samesite=None, secure=False)
+                response = render(request, 'Lab/AUTH/auth_success.html', {
+                    'username': obj.username,
+                    'userid': obj.userid,
+                    'name':obj.name,
+                    'err_msg':'Cookie Set'
+                })
+                response.set_cookie('userid', obj.userid, max_age=31449600, samesite='Lax', secure=True, httponly=True)
                 print('Setting cookie successful')
                 return response
             except:
-                render(request,'Lab/AUTH/auth_lab_signup.html',{'err_msg':'Cookie cannot be set'})
+                return render(request,'Lab/AUTH/auth_lab_signup.html',{'err_msg':'Cookie cannot be set'})
         except:
             return render(request,'Lab/AUTH/auth_lab_signup.html',{'err_msg':'Username already exists'})
-
 def auth_lab_login(request):
     if request.method == 'GET':
         try:
             obj = authLogin.objects.filter(userid=request.COOKIES['userid'])[0]
-            rendered = render_to_string('Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'})
-            response = HttpResponse(rendered)
-            response.set_cookie('userid', obj.userid, max_age=31449600, samesite=None, secure=False)
+            context = {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'}
+            response = render(request, 'Lab/AUTH/auth_success.html', context)
+            response.set_cookie('userid', obj.userid, max_age=31449600, samesite='Lax', secure=True, httponly=True)
             print('Login successful')
             return response
         except:
@@ -308,9 +294,9 @@ def auth_lab_login(request):
             print(user_name,passwd)
             obj = authLogin.objects.filter(username=user_name,password=passwd)[0]
             try:
-                rendered = render_to_string('Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'})
-                response = HttpResponse(rendered)
-                response.set_cookie('userid', obj.userid, max_age=31449600, samesite=None, secure=False)
+                context = {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'}
+                response = render(request, 'Lab/AUTH/auth_success.html', context)
+                response.set_cookie('userid', obj.userid, max_age=31449600, samesite='Lax', secure=True, httponly=True)
                 print('Login successful')
                 return response
             except:
@@ -318,21 +304,18 @@ def auth_lab_login(request):
         except:
             return render(request,'Lab/AUTH/auth_lab_login.html',{'err_msg':'Check your credentials'})
 
+from django.shortcuts import render
+
 def auth_lab_logout(request):
-    rendered = render_to_string('Lab/AUTH/auth_lab.html',context={'err_msg':'Logout successful'})
-    response = HttpResponse(rendered)    
+    response = render(request, 'Lab/AUTH/auth_lab.html', context={'err_msg':'Logout successful'})
     response.delete_cookie('userid')
     return response
-
-#***************************************************************Broken Access Control************************************************************#
-
-@csrf_exempt
 def ba(request):
-    if request.user.is_authenticated:
-        return render(request,"Lab/BrokenAccess/ba.html")
-    else:
-        return redirect('login')
-@csrf_exempt
+    if request.method == 'POST':
+        if request.user.is_authenticated:
+            return render(request, "Lab/BrokenAccess/ba.html")
+        else:
+            return redirect('login')
 def ba_lab(request):
     if request.user.is_authenticated:
         name = request.POST.get('name')
@@ -405,31 +388,31 @@ def cmd(request):
         return render(request,'Lab/CMD/cmd.html')
     else:
         return redirect('login')
-@csrf_exempt
+from django.views.decorators.csrf import csrf_protect
+import shlex
+
+@csrf_protect
 def cmd_lab(request):
     if request.user.is_authenticated:
         if(request.method=="POST"):
             domain=request.POST.get('domain')
-            domain=domain.replace("https://www.",'')
+            domain=shlex.quote(domain.replace("https://www.",''))
             os=request.POST.get('os')
             print(os)
             if(os=='win'):
-                command="nslookup {}".format(domain)
+                command=[shlex.split("nslookup {}".format(domain))]
             else:
-                command = "dig {}".format(domain)
+                command = [shlex.split("dig {}".format(domain))]
             
             try:
-                # output=subprocess.check_output(command,shell=True,encoding="UTF-8")
                 process = subprocess.Popen(
                     command,
-                    shell=True,
+                    shell=False,
                     stdout=subprocess.PIPE, 
                     stderr=subprocess.PIPE)
                 stdout, stderr = process.communicate()
                 data = stdout.decode('utf-8')
                 stderr = stderr.decode('utf-8')
-                # res = json.loads(data)
-                # print("Stdout\n" + data)
                 output = data + stderr
                 print(data + stderr)
             except:
@@ -441,21 +424,23 @@ def cmd_lab(request):
             return render(request, 'Lab/CMD/cmd_lab.html')
     else:
         return redirect('login')
-
-@csrf_exempt
 def cmd_lab2(request):
     if request.user.is_authenticated:
-        if (request.method=="POST"):
-            val=request.POST.get('val')
-            
-            print(val)
+        if request.method == "POST":
+            val = request.POST.get('val')
+
+            output = None
             try:
-                output = eval(val)
+                if val.isdigit():
+                    # Assuming 'val' is used for mathematical computations
+                    # Only permitting integer operations in this secured implementation
+                    output = int(val)
+                else:
+                    output = "Invalid input"
             except:
                 output = "Something went wrong"
-                return render(request,'Lab/CMD/cmd_lab2.html',{"output":output})
-            print("Output = ", output)
-            return render(request,'Lab/CMD/cmd_lab2.html',{"output":output})
+
+            return render(request, 'Lab/CMD/cmd_lab2.html', {"output": output})
         else:
             return render(request, 'Lab/CMD/cmd_lab2.html')
     else:
@@ -481,11 +466,12 @@ def bau_lab(request):
 
 def login_otp(request):
     return render(request,"Lab/BrokenAuth/otp.html")
-
-@csrf_exempt
 def Otp(request):
-    if request.method=="GET":
-        email=request.GET.get('email')
+    if request.method=="POST":
+        csrf_token = request.POST.get('csrfmiddlewaretoken')
+        if not csrf_token:
+            return render(request,"Lab/BrokenAuth/otp.html",{"otp":"Invalid CSRF Token"})
+        email=request.POST.get('email')
         otpN=randint(100,999)
         if email and otpN:
             if email=="admin@pygoat.com":
@@ -540,17 +526,19 @@ def a9(request):
         return render(request,"Lab/A9/a9.html")
     else:
         return redirect('login')
-@csrf_exempt
+from django.views.decorators.csrf import csrf_protect
+
+@csrf_protect
 def a9_lab(request):
     if request.user.is_authenticated:
         if request.method=="GET":
             return render(request,"Lab/A9/a9_lab.html")
         else:
-
             try :
                 file=request.FILES["file"]
                 try :
-                    data = yaml.load(file,yaml.Loader)
+                    # using safe_load to prevent insecure deserialization attack
+                    data = yaml.safe_load(file)
                     
                     return render(request,"Lab/A9/a9_lab.html",{"data":data})
                 except:
@@ -562,8 +550,6 @@ def a9_lab(request):
         return redirect('login')
 def get_version(request):
       return render(request,"Lab/A9/a9_lab.html",{"version":"pyyaml v5.1"})
-
-@csrf_exempt
 def a9_lab2(request):
     if not request.user.is_authenticated:
         return redirect('login')
@@ -577,10 +563,8 @@ def a9_lab2(request):
             img  = Image.open(file)
             img = img.convert("RGB")
             r,g,b  = img.split()
-            # function_str = "convert(r+g, '1')"
             output = ImageMath.eval(function_str,img = img, b=b, r=r, g=g)
 
-            # saving the image 
             buffered = BytesIO()
             output.save(buffered, format="JPEG")
             img_str = base64.b64encode(buffered.getvalue()).decode("utf-8")
@@ -721,22 +705,16 @@ def insec_desgine_lab(request):
             pass
     else:
         return redirect('login')
-
-
 #-------------------------------------------------------------------------------------------------------------------------
 #-------------------------------------------------------------------------------------------------------------------------
 
 ###################################################### 2021 A1: Broken Access
 
-@csrf_exempt
 def a1_broken_access(request):
     if not request.user.is_authenticated:
         return redirect('login')
     
     return render(request,"Lab_2021/A1_BrokenAccessControl/broken_access.html")
-
-
-@csrf_exempt
 def a1_broken_access_lab_1(request):
     if request.user.is_authenticated:
         pass
@@ -771,8 +749,6 @@ def a1_broken_access_lab_1(request):
 
     else:
         return render(request,'Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html',{"no_creds":True})
-
-@csrf_exempt
 def a1_broken_access_lab_2(request):
     if request.user.is_authenticated:
         pass
@@ -783,8 +759,6 @@ def a1_broken_access_lab_2(request):
     password = request.POST.get('pass')
     user_agent = request.META['HTTP_USER_AGENT']
 
-    # print(name)
-    # print(password)
     print(user_agent)
     if name :  
         if (user_agent == "pygoat_admin"):
@@ -832,19 +806,15 @@ def a1_broken_access_lab3_secret(request):
         return redirect('login')
     # no checking applied here
     return render(request, 'Lab_2021/A1_BrokenAccessControl/secret.html')
-
-
-###################################################### 2021 A3: Injection
-
-@csrf_exempt
 def injection(request):
     if not request.user.is_authenticated:
         return redirect('login')
     
     return render(request,"Lab_2021/A3_Injection/injection.html")
+from django.shortcuts import render, redirect
+from django.views.decorator.csrf import uses_csrf_token
 
-
-@csrf_exempt
+@uses_csrf_token
 def injection_sql_lab(request):
     if request.user.is_authenticated:
 
@@ -854,8 +824,6 @@ def injection_sql_lab(request):
         print(password)
 
         if name:
-            sql_query = "SELECT * FROM introduction_sql_lab_table WHERE id='"+name+"'AND password='"+password+"'"
-
             sql_instance = sql_lab_table(id="admin", password="65079b006e85a7e798abecb99e47c154")
             sql_instance.save()
             sql_instance = sql_lab_table(id="jack", password="jack")
@@ -865,12 +833,9 @@ def injection_sql_lab(request):
             sql_instance = sql_lab_table(id="bloke", password="f8d1ce191319ea8f4d1d26e65e130dd5")
             sql_instance.save()
 
-            print(sql_query)
-
             try:
-                user = sql_lab_table.objects.raw(sql_query)
-                user = user[0].id
-                print(user)
+                user = sql_lab_table.objects.get(id=name, password=password)
+                print(user.id)
 
             except:
                 return render(
@@ -878,18 +843,16 @@ def injection_sql_lab(request):
                     'Lab_2021/A3_Injection/sql_lab.html',
                     {
                         "wrongpass":password,
-                        "sql_error":sql_query
                     })
 
             if user:
-                return render(request, 'Lab_2021/A3_Injection/sql_lab.html',{"user1":user})
+                return render(request, 'Lab_2021/A3_Injection/sql_lab.html',{"user1":user.id})
             else:
                 return render(
                     request, 
                     'Lab_2021/A3_Injection/sql_lab.html',
                     {
                         "wrongpass":password,
-                        "sql_error":sql_query
                     })
         else:
             return render(request, 'Lab_2021/A3_Injection/sql_lab.html')
@@ -916,6 +879,9 @@ def ssrf_lab(request):
             file=request.POST["blog"]
             try :
                 dirname = os.path.dirname(__file__)
+                abs_path = os.path.abspath(file)
+                if not abs_path.startswith(dirname):
+                    raise ValueError("Invalid path")
                 filename = os.path.join(dirname, file)
                 file = open(filename,"r")
                 data = file.read()
@@ -925,6 +891,7 @@ def ssrf_lab(request):
     else:
         return redirect('login')
 
+
 def ssrf_discussion(request):
     if request.user.is_authenticated:
         return render(request,"Lab/ssrf/ssrf_discussion.html")
@@ -944,19 +911,27 @@ def ssrf_target(request):
         return render(request,"Lab/ssrf/ssrf_target.html")
     else:
         return render(request,"Lab/ssrf/ssrf_target.html",{"access_denied":True})
+ALLOWED_HOSTS = ['www.example.com']
+ALLOWED_SCHEMES = ['http', 'https']
 
 @authentication_decorator
 def ssrf_lab2(request):
     if request.method == "GET":
         return render(request, "Lab/ssrf/ssrf_lab2.html")
-
+    
     elif request.method == "POST":
         url = request.POST["url"]
+        parsed_url = urlparse(url)
+
+        if not parsed_url.scheme in ALLOWED_SCHEMES or not parsed_url.netloc in ALLOWED_HOSTS:
+            return render(request, "Lab/ssrf/ssrf_lab2.html", {"error": "URL not allowed"})
+
         try:
             response = requests.get(url)
-            return render(request, "Lab/ssrf/ssrf_lab2.html", {"response": response.content.decode()})
-        except:
+        except Exception:
             return render(request, "Lab/ssrf/ssrf_lab2.html", {"error": "Invalid URL"})
+
+        return render(request, "Lab/ssrf/ssrf_lab2.html")
 #--------------------------------------- Server-side template injection --------------------------------------#
 
 def ssti(request):
@@ -964,6 +939,7 @@ def ssti(request):
         return render(request,"Lab_2021/A3_Injection/ssti.html")
     else:
         return redirect('login')
+from django.utils.html import escape
 
 def ssti_lab(request):
     if request.user.is_authenticated:
@@ -974,20 +950,19 @@ def ssti_lab(request):
             blog = request.POST["blog"]
             id = str(uuid.uuid4()).split('-')[-1]
 
-            blog = filter_blog(blog)
-            prepend_code = "{% extends 'introduction/base.html' %}\
-                {% block content %}{% block title %}\
-                <title>SSTI-Blogs</title>\
-                {% endblock %}"
-            
-            blog = prepend_code + blog + "{% endblock %}"
+            blog = filter_blog(escape(blog))  # sanitizing the blog string
+
             new_blog = Blogs.objects.create(author = request.user, blog_id = id)
             new_blog.save() 
-            dirname = os.path.dirname(__file__)
-            filename = os.path.join(dirname, f"templates/Lab_2021/A3_Injection/Blogs/{id}.html")
-            file = open(filename, "w+") 
-            file.write(blog)
-            file.close()
+
+            context = {'blog': blog}
+
+            # Removed the manual generation of HTML string
+            filename = os.path.join("Lab_2021", "A3_Injection", "Blogs", f'{id}.html')
+            with open(filename, "w+") as file:
+                content = render(request, filename, context)
+                file.write(str(content.content))
+                
             return redirect(f'blog/{id}')
     else:
         return redirect('login')
@@ -1007,6 +982,8 @@ def crypto_failure(request):
         return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure.html",{"success":False,"failure":False})
     else:
         redirect('login')
+import hashlib
+import binascii
 
 def crypto_failure_lab(request):
     if request.user.is_authenticated:
@@ -1016,7 +993,8 @@ def crypto_failure_lab(request):
             username = request.POST["username"]
             password = request.POST["password"]
             try:
-                password = md5(password.encode()).hexdigest()
+                password = hashlib.scrypt(password.encode(), salt=b'salt', n=16384, r=8, p=1)
+                password = binascii.hexlify(password).decode()
                 user = CF_user.objects.get(username=username,password=password)
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab.html",{"user":user, "success":True,"failure":False})
             except:
@@ -1037,8 +1015,6 @@ def crypto_failure_lab2(request):
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"user":user, "success":True,"failure":False})
             except:
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"success":False, "failure":True})
-
-# based on CWE-319
 def crypto_failure_lab3(request):
     if request.user.is_authenticated:
         if request.method == "GET":
@@ -1066,20 +1042,18 @@ def crypto_failure_lab3(request):
                     expire = datetime.datetime.now() + datetime.timedelta(minutes=60)
                     cookie = f"{username}|{expire}"
                     response = render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":True, "failure":False , "admin":False})
-                    response.set_cookie("cookie", cookie)
+                    response.set_cookie("cookie", cookie, secure=True, httponly=True, samesite='Lax')
                     response.status_code = 200
                     return response
                 else:
                     response = render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":False, "failure":True})
-                    response.set_cookie("cookie", None)
+                    response.delete_cookie("cookie")
                     return response
             except:
                 return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"success":False, "failure":True})
 
 #-----------------------------------------------SECURITY MISCONFIGURATION -------------------
 from pygoat.settings import SECRET_COOKIE_KEY
-
-
 def sec_misconfig_lab3(request):
     if not request.user.is_authenticated:
         return redirect('login')
@@ -1098,8 +1072,8 @@ def sec_misconfig_lab3(request):
         }
 
         cookie = jwt.encode(payload, SECRET_COOKIE_KEY, algorithm='HS256')
-        response = render(request,"Lab/sec_mis/sec_mis_lab3.html", {"admin":False} )
-        response.set_cookie(key = "auth_cookie", value = cookie)
+        response = render(request,"Lab/sec_mis/sec_mis_lab3.html", {"admin":False})
+        response.set_cookie(key="auth_cookie", value=cookie, secure=True, httponly=True, samesite='Lax')
         return response
 
 # - ------------------------Identification and Authentication Failures--------------------------------
@@ -1159,7 +1133,6 @@ def auth_failure_lab2(request):
     "User3":{"userid":"3", "username":"User3", "password": "5a91a66f0c86b5435fe748706b99c17e6e54a17e03c2a3ef8d0dfa918db41cf6"},
     "User4":{"userid":"4", "username":"User4", "password": "6046bc3337728a60967a151ee584e4fd7c53740a49485ebdc38cac42a255f266"}
 }
-
 # USER_A7_LAB3 = {
 #     "User1":{"userid":"1", "username":"User1", "password": "Hash1"},
 #     "User2":{"userid":"2", "username":"User2", "password": "Hash2"},
@@ -1168,7 +1141,6 @@ def auth_failure_lab2(request):
 # }
 
 @authentication_decorator
-@csrf_exempt
 def auth_failure_lab3(request):
     if request.method == "GET":
         try:
@@ -1187,14 +1159,14 @@ def auth_failure_lab3(request):
             password = hashlib.sha256(password.encode()).hexdigest()
         except:
             response = render(request, "Lab_2021/A7_auth_failure/lab3.html")
-            response.set_cookie("session_id", None)
+            response.set_cookie("session_id", None, secure=True, httponly=True, samesite='Lax')
             return response
 
         if USER_A7_LAB3[username]['password'] == password:
             session_data = AF_session_id.objects.create(session_id=token, user=USER_A7_LAB3[username]['username'])
             session_data.save()
             response = render(request, "Lab_2021/A7_auth_failure/lab3.html", {"success":True, "failure":False, "username":username})
-            response.set_cookie("session_id", token)
+            response.set_cookie("session_id", token, secure=True, httponly=True, samesite='Lax')
             return response
 
 #-- coding playground for lab2