Mario the game but you rescue the princess by hacking.


L33T Mario

What's L33T Mario?

L33T Mario is a web game/application where you, as Mario, have to rescue the princess just like in the classic, except that you play it by hacking. It's a deliberately vulnerable web game where you exploit several vulnerabilities to proceed through the levels and eventually rescue the princess, with each level getting harder.

It's made for a YouTube video and to help beginners learn Web Application Security with a little nostalgia and fun.

The Code

It was written in one night and I haven't even bothered to document or clean the code; I just pushed it to master when it finally worked 😂! I mean, you can still understand what's going on, but playing the game is the main point.

I will work on cleaning & documenting the code later on when I add more levels/vulnerabilities to the game.

How To Setup

Currently Linux is the only compatible operating system.

Apache Setup:

    $ cd /var/www/html/
    $ git clone
    $ cd l33tmario/
    $ ./

Using Docker:

    $ git clone
    $ cd l33tmario/
    $ docker-compose up -d
    $ curl -I # to test

Vulnerabilities Covered

  • IDOR (Insecure Direct Object Reference)
  • XSS (Cross-site Scripting)
  • Information Disclosure
  • Broken Access Control
  • Command Injection
  • LFI (Local File Inclusion)
  • SSTI (Server-side Template Injection)
  • SSRF (Server-side Request Forgery)
  • XXE (XML External Entity)
  • Open Redirect
  • SQL Injection
  • DOM Clobbering

More vulnerabilities, including the ones still pending, will be covered in later levels/versions.


Ways to contribute

  • Suggest a level idea
  • Add a new level
  • Clean the code
  • Report any unintentional vulnerabilities
  • Fix something and open a pull request
  • Help me document the code
  • Spread the word


Licensed under the MIT License, see LICENSE for more information.


