This repository contains the source code for BuggyCart, the testbed used in our CCS'19 paper "Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations". BuggyCart is a customization of OpenCart (a free, open-source e-commerce platform for online merchants) with the following deliberately implanted vulnerabilities:
- SQL injection in the admin login
- SQL injection in the customer login
- Password retry limit disabled
- Passwords shorter than 8 characters accepted
- XSS in the customer name edit page
- CVV stored in the database
- PAN shown unmasked
- Hardcoded key used to encrypt the PAN
- Plaintext PAN stored (set ENCRYPT_PAN to false in config.php)
- Customer passwords stored as unsalted hashes
- Admin passwords stored in plaintext
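For readers who want to see what the compliant counterpart of several items in this list looks like, the following is an added Python illustration; it is not BuggyCart, OpenCart or pci-checker code. It shows PAN masking (first six and last four digits only), a stored card record that never carries the CVV, a minimum password length check, salted password hashing, and a login retry limit. The thresholds (8-character minimum, 6 failed attempts, the PBKDF2 iteration count) and the alphabetic-plus-numeric rule are assumptions chosen for the example, not values taken from the paper.

```python
"""Defensive counterparts to the BuggyCart weaknesses listed above.

Added illustration (stdlib only); not BuggyCart/OpenCart/pci-checker code.
"""
import hashlib
import hmac
import re
import secrets

MIN_PASSWORD_LENGTH = 8   # assumption: the testbed flags passwords shorter than 8
MAX_FAILED_LOGINS = 6     # assumption: lockout threshold chosen for this example
PBKDF2_ITERATIONS = 200_000  # assumption: work factor chosen for this example


def mask_pan(pan: str) -> str:
    """Mask a card number so only the first six and last four digits remain.

    Input is reduced to digits first; anything that is not 13-19 digits is
    rejected rather than passed through unmasked.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def card_record_for_storage(card: dict) -> dict:
    """Build the record a merchant may persist: masked PAN, expiry, holder.

    The CVV is never copied into the result and the full PAN is not kept
    (an encrypting store with managed keys is outside this example).
    """
    return {
        "pan_masked": mask_pan(card["pan"]),
        "expiry": card["expiry"],
        "cardholder": card["cardholder"],
    }


def password_policy_violations(password: str) -> list:
    """Return the policy violations for a candidate password (empty = ok)."""
    violations = []
    if len(password) < MIN_PASSWORD_LENGTH:
        violations.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        violations.append("contains no letter")
    if not re.search(r"\d", password):
        violations.append("contains no digit")
    return violations


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a fresh random salt per password.

    Equal passwords therefore do not produce equal stored values, unlike
    the unsalted hashes and plaintext admin passwords in the testbed.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """Count failed attempts per account and lock the account once
    MAX_FAILED_LOGINS is reached (the testbed disables this limit)."""

    def __init__(self, users: dict):
        self.users = users      # username -> stored password hash
        self.failures = {}      # username -> consecutive failed attempts

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked account is refused
        even when the password is correct."""
        if self.failures.get(username, 0) >= MAX_FAILED_LOGINS:
            return "locked"
        stored = self.users.get(username)
        if stored is not None and verify_password(password, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


if __name__ == "__main__":
    # constructed sample input, not real card data
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
              "cardholder": "Test Holder", "cvv": "123"}
    print(card_record_for_storage(sample))
    guard = LoginGuard({"alice": hash_password("hunter2hunter2")})
    print(guard.login("alice", "hunter2hunter2"))
```

`card_record_for_storage` deliberately returns a new dict built field by field rather than copying and deleting `cvv`, so that any new sensitive field added to the input later is excluded by default instead of leaking by omission.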
Download the docker image from this URL and run the following commands.

```sh
# load the docker image
sudo docker load --input buggycart.v1.tar
# run an instance with an interactive bash
sudo docker run -it buggycart.v1:latest bash
# start Apache with the BuggyCart installation
/opt/lampp/xampp startapache
# start MySQL with the BuggyCart installation
/opt/lampp/xampp startmysql
# run pci-checker on the installed instance
cd pci-checker && ./run.sh
```
To install from scratch, please read the installation instructions included in the repository or in the downloaded file.
GNU General Public License version 3 (GPLv3)
If you find this useful, please cite the following paper.

```bibtex
@inproceedings{DBLP:conf/ccs/RahamanWY19,
  author    = {Sazzadur Rahaman and
               Gang Wang and
               Danfeng Daphne Yao},
  title     = {Security Certification in Payment Card Industry: Testbeds, Measurements,
               and Recommendations},
  booktitle = {Proceedings of the 2019 {ACM} {SIGSAC} Conference on Computer and
               Communications Security, {CCS} 2019, London, UK, November 11-15, 2019},
  pages     = {481--498},
  year      = {2019},
  url       = {https://doi.org/10.1145/3319535.3363195},
  doi       = {10.1145/3319535.3363195},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
```
If you have any questions or suggestions, please email sazzad114@gmail.com.