With High Fidelity Comes Great Responsibility
We (the creators of Webrecorder and Perma.cc) want to demonstrate these risks and learn to improve our defenses against them. We want to share what we know and learn from you as well. That's why WARCgames exists.
This repository provides you with a local version of Webrecorder that has not been patched to fix known exploits, and a number of challenges for you learn how they might apply to web archives in general.
Install and Run
git clone https://github.com/harvard-lil/warcgames
Add the following to /etc/hosts:
127.0.0.1 warcgames.test 127.0.0.1 content.warcgames.test 127.0.0.1 warcgames-content.test 127.0.0.1 attacker.test
python warcgames.pyto see a list of challenges.
python warcgames.py same_domainto start the first challenge.
WARCgames currently offers the following challenges:
- content_switch: Show different content for archived and live web.
- csrf: Use cross-site request forgery to control an archive user's account.
- port_scan: Discover services running on the archive server.
- same_domain: Use cross-site scripting (XSS) to control an archive user's account.
- same_subdomain: Use top-level cookies to log out the current user.
(This is the output of
Tips and Hints
the web archive. You can speed up your experimentation by adding something like this to your
<form> <textarea id="run_js"></textarea> <input type="button" onclick="console.log(eval(document.getElementById('run_js').value))" value="eval"> </form>
Please file an issue tagged with "proposed challenge" if you would like WARCgames to support a new challenge.
Even better, send a pull request!
Each challenge is a subdirectory under
config.py: Python file that defines:
short_message: short text description of the challenge.
message: HTML description of the challenge to embed at https://warcgames.test:8089/
warcgames-content.test:8089): host to serve captured content.
include_wombat(optional, default false): if true, wombat.js will be included in the header of captured pages. This should be included only for challenges that require sub-assets to load correctly.
challenge.html: file for user to edit when attempting challenge.
sample_answer.html: sample version of
challenge.htmlthat correctly completes the challenge.
wsgi.py(optional): custom wsgi file, used to monkeypatch app server.
If you add a challenge, run
python support_files/dev_scripts.py update_files to update the list in the README.
If you discover a possible security issue in the underlying Webrecorder software while working on a challenge, please report it to firstname.lastname@example.org rather than filing an issue on this project.