Skip to content
No description, website, or topics provided.
PHP HTML JavaScript CSS TSQL Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

BuggyCart a customization of OpenCart


This repository contains the source code for BuggyCart that we used in our CCS'19 Security Certification in Payment Card Industry paper. BuggyCart is a customization of OpenCart (a free open source ecommerce platform for online merchants) with the following implanted vulnerabilities.

  1. Sql inject in admin login
  2. Sql inject in customer login
  3. Disable password retry limit
  4. Allow passwords with len <8
  5. Allow XSS in customer name edit page
  6. Store CVV in DB
  7. Show unmasked PAN
  8. Use hardcoded key for encrypting PAN
  9. Store plaintext PAN (Set ENCRYPT_PAN to false in the config.php)
  10. Store unsalted customer passwords
  11. Store plaintext passwords for admins

Install from docker

Download the docker image from this URL and run the following commands.

  1. sudo docker load --input buggycart.v1.tar (load the docker image)
  2. sudo docker run -it buggycart.v1:latest bash (run an instance with an interactive bash)
  3. /opt/lampp/xampp startapache (Start Apache with the buggycart installation)
  4. /opt/lampp/xampp startmysql (Start Mysql with the buggycart installation)
  5. cd pci-checker && ./ (run pci-checker on the installed instance)

Install from scratch

To install from scratch, please read the installation instructions included in the repository or download file.


GNU General Public License version 3 (GPLv3)


If you find this useful please cite the following paper.

     author    = {Sazzadur Rahaman and
           Gang Wang and
           Danfeng Daphne Yao},
     title     = {Security Certification in Payment Card Industry: Testbeds, Measurements,
           and Recommendations},
     booktitle = {Proceedings of the 2019 {ACM} {SIGSAC} Conference on Computer and
           Communications Security, {CCS} 2019, London, UK, November 11-15, 2019},
     pages     = {481--498},
     year      = {2019},
     url       = {},
     doi       = {10.1145/3319535.3363195},
     bibsource = {dblp computer science bibliography,}

If you have any questions or suggestions, please email to

You can’t perform that action at this time.