A highly exploitable pet webstore using MongoDB for a Cyber Security exercise.

Petdora


A vulnerable fedora-wearing pet webstore for Fedora that will integrate with a NoSQL database for a cyber security exercise.

Installation


Currently, Petdora can be run by cloning the repository and then running:

Linux:

cd "$HOME/Petdora/web/"
sudo apt install php
php -S localhost:8080

Mac:

cd "$HOME/Petdora/web/"
php -S localhost:8080

Current Features:


  • Integrated jQuery

    • For smooth transitions, fixed top nav-bar on scroll and other features to make this a fully fledged and cross-compatible website.
  • Static Content Management System that loads all files from a certain folder.

    • Built so that if an "Advanced Usability Testing" user somehow gained the ability to create a file in this folder on the server, they could manipulate the homepage.
  • Sign-in Page

    • Fully working PHP- and jQuery-based sign-in page that stores cookies to keep users signed in.
    • Exploitable by simply copying a cookie to sign in as a different user.
    • The "encrypted" hash is just the username and password concatenated as plain text, which could be captured.
    • Checks against an unencrypted text file stored on the server, which could later be edited to include new users.
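As an added example (not Petdora's code), the cookie scheme described above is shown beside a hardened PHP sign-in that keeps identity server-side; the users.json file, its layout and the helper names are assumptions for illustration.

```php
<?php
// Added example, not part of the Petdora repository. Assumes a users.json
// mapping usernames to password_hash() digests (an assumption, not a repo file).

// Pattern described in the README: the "hash" is username.password stored in a
// readable cookie, so whoever holds the cookie is that user, and the credentials
// are exposed to anything that can read cookies (browser JS, proxies, logs).
function vulnerable_login(string $user, string $pass): void {
    setcookie('auth', $user . $pass); // identity and secret travel in the cookie
}

// Hardened version: verify against salted digests, keep identity in the
// server-side session, and hand the browser only an opaque random session ID.
function load_users(string $path): array {
    $users = json_decode((string) file_get_contents($path), true);
    return is_array($users) ? $users : [];
}

// Computed once so unknown users get a comparable-cost verify (timing parity).
const DUMMY_HASH = '$2y$10$abcdefghijklmnopqrstuuXqQ6uY6kZ3yM1v0n5Zr8kL9mB7c2d3e';

function hardened_login(string $user, string $pass, array $users): bool {
    $stored = $users[$user] ?? DUMMY_HASH;
    if (!password_verify($pass, $stored) || !isset($users[$user])) {
        return false;
    }
    session_set_cookie_params([
        'httponly' => true,     // not readable by injected jQuery/JS
        'secure'   => true,     // only sent over TLS
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
    session_start();
    session_regenerate_id(true); // fresh ID on login; old one is discarded
    $_SESSION['user'] = $user;    // identity lives on the server, not in the cookie
    return true;
}

// Pages check the server-side session rather than trusting cookie contents.
function current_user(): ?string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['user'] ?? null;
}
```

Copying the session cookie still impersonates a user until it expires, which is why HttpOnly, Secure, a short lifetime and logout via session_destroy() matter even in the hardened form.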

Features Coming Soon:


  • Petdora Asteroids

    • An HTML5 Canvas fully working Asteroids game that lets you store a name and your high score if you get into the top 10. The name is not escaped, however, and jQuery injects it into the page's own HTML.
  • Contact Form

    • A contact form that sends raw unescaped data to a Python CGI script to store the contact query in a "totally secure" folder on the server.
  • NoSQL Database

    • The Products page is going to be linked to a NoSQL database vulnerable to NoSQL injection.