This project contains a vulnerable OAuth 2.0 server (gallery), a vulnerable OAuth 2.0 classic web application client (photoprint), and an attackers site exploiting it all (attacker).
To run the applications:
-
Execute docker compose
docker-compose up
-
Connect with VNC to port 5900 of localhost and a pwd of
secret, start firefox, and browse to http://photoprint:3000 .
-
Edit your hosts file to include photoprint and gallery (Windows, Linux, Mac OSX). If you want to check some of the attacks, also add attacker.
127.0.0.1 gallery photoprint attacker mongodb localhost
-
Import the mongodb database
cd gallery/mongodbdata mongorestore -d gallery2 gallery2/ -
Install the servers:
cd gallery npm install cd .. cd photoprint npm install cd .. cd attacker npm install
-
Start the servers:
cd gallery npm start & cd .. cd photoprint npm start & cd .. cd attacker npm start &
-
Go to http://photoprint:3000 to print photos hosted by gallery. Hint: username is koen and password is password. You can also browse the gallery by surfing to http://gallery:3005.
-
Test out various OAuth2-related attacks by surfing to http://attacker:1337.