- Create the .env file
  You can rename the existing .env-sample to .env and modify the default settings if needed.
- Run
  ```
  docker-compose up
  ```
- The app will be served on port 8087
- MongoDB will expose port 27017
The following test accounts are created by default (username/password (role)):
- jsmith/asdasd (admin)
- jford/asdasd (normal user)
The application intentionally contains the following vulnerabilities:
- Session fixation
- CSRF everywhere
- Reflected XSS in the user and room listings
- DOM-based XSS in the room-sharing function
- Vulnerable MongoDB query in the room search
- Username enumeration in the login function
- Login function vulnerable to brute-force attacks
To enable the fix for an issue, turn on the corresponding switch in your .env (each switch is off unless set to 1):
```ini
SESSION_FIXATION_FIXED=1
REFLECTED_XSS_FIXED=1
DOM_BASED_XSS_FIXED=1
CSRF_FIXED=1
MONGO_QUERY_FIXED=1
USERNAME_ENUMERATION_FIXED=1
LOGIN_BRUTE_FORCE_FIXED=1
```