Demo app for presentation about web security
admin
config
css
dumps
include
lib
scripts
.gitignore
.htaccess
Dockerfile
LICENSE
PRESENTATION.pdf
README.md
composer.json
composer.lock
docker-compose.yml
favicon.png
index.php


Base website security demo

Presentation

Slides from the presentation are in PRESENTATION.pdf in the repository root.

Development

Installation

  1. Install Docker
  2. Install Docker Compose
  3. Clone this repository (git clone https://github.com/intraworlds/zcu-security-demo.git) or download it as a ZIP file

Run

  1. run docker-compose up and open the website in your browser

Note: it takes a minute to build the Docker container, so be patient.

Simulate attacks

SQL injection
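The injection in the demo is reproduced here in an added example (Python with an in-memory SQLite table, not the demo's PHP or its dumps/): a login query built by string concatenation, the classic quote-and-comment payload that bypasses the password check, and the parameterised version that closes the hole. The users table, the password hashes and the function names are constructed for the example.

```python
# Added example, not the demo's code: SQL injection against a throwaway
# SQLite users table, with the parameterised query that fixes it.
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not the demo's dumps/) in an in-memory DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_md5 TEXT)")
    db.executemany(
        "INSERT INTO users (id, name, password_md5) VALUES (?, ?, ?)",
        [(1, "alice", md5_hex("alice-pw")), (2, "bob", md5_hex("bob-pw"))],
    )
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str):
    """Returns the user id on success. The username is pasted into the SQL
    text, so a quote in it ends the string literal and the rest becomes SQL."""
    sql = (f"SELECT id FROM users WHERE name = '{name}' "
           f"AND password_md5 = '{md5_hex(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, name: str, password: str):
    """Same query with bound parameters: the driver sends the values apart
    from the statement, so they can never change its structure."""
    row = db.execute(
        "SELECT id FROM users WHERE name = ? AND password_md5 = ?",
        (name, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


# Payload: the quote closes the literal and "--" comments out the password check,
# turning the statement into  SELECT id FROM users WHERE name = 'alice'
PAYLOAD = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("safe:      ", login_safe(db, PAYLOAD, "wrong"))
```

The vulnerable function logs in as alice with any password; the safe one treats the whole payload as a (non-existent) username. The fix is the bound parameters, not escaping: once the value is sent separately from the SQL text there is nothing left to escape.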

CSRF

XSS (with CSRF)

  1. submit the following as the description of a new transaction; the stored script is served unescaped to everyone who views the transaction list:

❤️
<script>
fetch("/?path=create&receiver=1&amount=1&desc=❤️&submit=create");
</script>

  2. observe that now everybody who visits the list of transactions sends a coin to user #1 without consent: the script runs in each visitor's browser and the fetch() carries that visitor's own session cookie
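As an added example (not code from the demo app), the following shows why the stored payload works and the two controls that break the chain: output encoding of the description, and a CSRF token bound to the session that the injected fetch() does not carry. handle_create(), the HMAC token scheme and the session ids are assumptions standing in for the demo's PHP.

```python
# Added example, not code from the demo app: the stored XSS payload from the
# README, the unsafe and safe ways to render it, and a CSRF check on the
# /?path=create request. handle_create() and the token scheme are assumed.
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlparse

PAYLOAD = '❤️<script>fetch("/?path=create&receiver=1&amount=1&desc=❤️&submit=create");</script>'
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, kept in config


def render_description_unsafe(desc: str) -> str:
    """The demo's behaviour: the stored description is echoed verbatim, so
    every visitor's browser parses and runs the <script>."""
    return f"<td>{desc}</td>"


def render_description_safe(desc: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so the visitor sees
    the text of the payload instead of executing it. The ❤️ is left alone."""
    return f"<td>{html.escape(desc)}</td>"


def csrf_token(session_id: str) -> str:
    """Token bound to the victim's session; a cross-site page cannot read it,
    and the README's fetch() does not send it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_create(session_id: str, url: str) -> bool:
    """Server side of /?path=create. True means the coin would be transferred."""
    params = parse_qs(urlparse(url).query)
    token = params.get("csrf", [""])[0]
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return False  # no valid token for this session: drop the request
    return params.get("path") == ["create"] and "receiver" in params and "amount" in params


if __name__ == "__main__":
    print(render_description_safe(PAYLOAD))
    forged = "/?path=create&receiver=1&amount=1&desc=x&submit=create"
    print("forged request accepted:", handle_create("victim", forged))
```

Two caveats a practitioner should keep in mind. The token defeats the payload as written and any cross-site forgery, but this script runs same-origin (it is stored XSS), so a smarter payload could fetch the form page and read the token out of it; only output encoding (backed by a Content-Security-Policy) actually removes the XSS. And a state-changing action reachable by GET is itself part of the problem: requiring POST for /?path=create would at least stop the one-line fetch() and image-tag variants.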

Directory traversal

try the following URLs
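As an added example (not the demo's index.php), the following shows how a hypothetical include driven by a path query parameter is abused with ../ and absolute paths, and a resolver that confines requests to the intended directory. The pages/ layout, the file names and the function names are constructed for the example.

```python
# Added example, not the demo's index.php: directory traversal through a
# path parameter, and a resolver that confines it. Tree layout is constructed.
import os
import shutil
import tempfile
from typing import Optional


def resolve_page_unsafe(base_dir: str, user_path: str) -> str:
    """Vulnerable: user input joined straight onto the include directory.
    "../config.php" walks out of base_dir; "/etc/passwd" discards base_dir
    entirely, because os.path.join restarts at an absolute component."""
    return os.path.join(base_dir, user_path)


def resolve_page_safe(base_dir: str, user_path: str) -> Optional[str]:
    """Return the real path of the requested page, or None if it leaves base_dir.
    realpath collapses ".." and follows symlinks before the prefix check, so a
    symlink inside base_dir that points outside is rejected as well. commonpath
    compares whole components, so "pages2/" is not mistaken for "pages/"."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def traversal_demo() -> dict:
    """Build a throwaway tree (pages/list.php, config.php one level up) and run
    both resolvers over a normal request and two traversal attempts."""
    root = tempfile.mkdtemp()
    try:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        for rel in ("pages/list.php", "config.php"):
            with open(os.path.join(root, rel), "w") as f:
                f.write("<?php // constructed placeholder ?>\n")
        results = {}
        for req in ("list.php", "../config.php", "/etc/passwd"):
            unsafe = resolve_page_unsafe(pages, req)
            safe = resolve_page_safe(pages, req)
            results[req] = {
                # whether the vulnerable resolver points at a file that exists
                "unsafe_exists": os.path.exists(unsafe),
                # path relative to pages/ if confined, None if rejected
                "safe": None if safe is None else os.path.relpath(safe, os.path.realpath(pages)),
            }
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for req, r in traversal_demo().items():
        print(f"{req:18} unsafe_exists={r['unsafe_exists']}  safe={r['safe']}")
```

An allow-list of page names (a dict mapping "create" or "list" to a file) is simpler still and is the better design when the set of pages is fixed; the resolver above is for the case where the path really has to come from the request.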

Defense

Adjust the Apache configuration (for example in .htaccess) so that everything is denied by default and only the file types the site actually serves are whitelisted:

# deny all files by default
<RequireAll>
    Require all denied
</RequireAll>

# whitelist only *.php and the other file types the site serves
# (the empty pattern matches directory requests such as "/")
<FilesMatch "((^$)|(^.+\.(php|css|map|js)$))">
    Require all granted
</FilesMatch>

This blocks direct requests for anything else in the web root (the SQL dumps, the config directory, composer.lock, the presentation PDF). Two things to check: the whitelist is literal, so favicon.png is not covered by the pattern and will be blocked until png is added; and it only filters URLs that Apache serves itself, so it does nothing for files the PHP code reads with include() or file_get_contents() based on user input, which has to be validated in the application.

Weak hash algorithm

try hashcat, or the bundled script:

php scripts/crack_md5_hash.php 75b71aa6842e450f12aca00fdf54c51d
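As an added example (not scripts/crack_md5_hash.php), the following runs a dictionary attack against an unsalted MD5 password hash, then the same attack against a salted, iterated hash (PBKDF2-HMAC-SHA256) to show what changes: the weak password still falls, but every guess is orders of magnitude more expensive and a per-user salt makes precomputed tables useless. The wordlist and the passwords are constructed; the README's hash is tried against the wordlist but nothing about its plaintext is assumed.

```python
# Added example, not scripts/crack_md5_hash.php: dictionary attack on unsalted
# MD5, then on salted PBKDF2. Wordlist and target passwords are constructed.
import hashlib
import os
import time
from typing import Optional

README_HASH = "75b71aa6842e450f12aca00fdf54c51d"
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty", "iloveyou"]  # constructed


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(target_hex: str, wordlist) -> Optional[str]:
    """One MD5 per guess, no salt: the same table of hashes cracks every user
    who picked that password, which is what hashcat's fast modes exploit."""
    target = target_hex.lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The demo is PHP, where
    password_hash() (bcrypt by default) does the same job."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_pbkdf2(target: bytes, salt: bytes, iterations: int, wordlist) -> Optional[str]:
    """Still cracks a weak password, but every guess costs `iterations` HMACs
    and the attacker needs this user's salt to even start."""
    for word in wordlist:
        if hash_password(word, salt, iterations) == target:
            return word
    return None


def guesses_per_second(iterations: int = 100_000) -> dict:
    """Rough throughput of the two attacks on this machine, for comparison."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(2000):
        for w in WORDLIST:
            md5_hex(w)
    md5_rate = 2000 * len(WORDLIST) / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    for w in WORDLIST:
        hash_password(w, salt, iterations)
    pbkdf2_rate = len(WORDLIST) / (time.perf_counter() - t0)
    return {"md5": md5_rate, "pbkdf2": pbkdf2_rate}


if __name__ == "__main__":
    print("README hash in wordlist:", crack_md5(README_HASH, WORDLIST))
    salt = os.urandom(16)
    stored = hash_password("sunshine", salt, 100_000)
    print("pbkdf2 cracked:", crack_pbkdf2(stored, salt, 100_000, WORDLIST))
    print("guesses/s:", guesses_per_second())
```

The point of the comparison is not that PBKDF2 or bcrypt make "sunshine" safe (they do not), but that they turn a 6-word check from microseconds into a noticeable cost and force the attacker to redo all the work per user; with a real wordlist of tens of millions of entries that is the difference between minutes and years.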

Docker tips

Show all running containers

docker-compose ps

See logs

docker-compose logs -f

Open a shell in the container

docker-compose exec apache bash -l

Attacks

XSS (Cross-site Scripting)

HTTP Headers

SQL injection

CSRF (Cross-Site Request Forgery)

Path (Directory) Traversal

Others