A buggy and vulnerable web application containing XSS, SQL injection, OS command injection and more.
- Docker (the commands below use `docker-compose`)

Clone the repo:

`git clone https://github.com/chimms1/MorBet.git`

From the top of the repo directory, run:

- Build images and start containers (the first run initializes the DB from the SQL file): `docker-compose up --build`
- Remove everything (containers + network), keeping the persistent DB data: `docker-compose down`
- Volumes remain after `down`; to drop the DB data as well: `docker-compose down -v`

Wait until all containers have started; the backend may restart until the DB is up. Once the backend is running, access:
The backend is a deliberately vulnerable Node.js + Express application connected to a MySQL database.
It implements core user functionality such as registration, login, wallet management, withdrawals, and a public comment section.
- User registration and authentication (session handled via cookies)
- Add funds and withdraw from wallet
- Change password
- Public comment system
- Proxy endpoint to request user images from the GameServer
| Type | Location | Description |
|---|---|---|
| SQL Injection | /login | Direct concatenation of user input into SQL queries without sanitization. |
| Stored XSS | /comment | User input stored in the database and rendered as HTML, allowing script injection. |
| Command Injection | /withdraw | Unsanitized command query parameter passed directly to `exec()`. |
| CSRF | All forms (especially /changepassword and /withdraw) | No CSRF protection, allowing cross-site form submissions. |
| Insecure Authentication | | Cookie-based session tracking without validation or expiration. |
The GameServer is a secondary Node.js microservice that serves user images dynamically based on the userType cookie.
It exposes endpoints that the main backend queries internally.
- Demonstrates Server-Side Request Forgery (SSRF) by allowing the backend (/userImage) to make requests to the GameServer.
The frontend consists of several static HTML pages styled with Bootstrap, served from the frontend/ directory.
Each page demonstrates typical web app features — intentionally insecure where relevant.
| Page | Description |
|---|---|
| login.html | Login form submitting credentials to /login. |
| register.html | Registers a new user into the system. |
| dashboard.html | Main user dashboard showing wallet balance and a public comment feed. |
| addfunds.html | Allows adding funds to wallet. |
| withdraw.html | Allows withdrawing funds and executes OS commands. |
| changepassword.html | Changes password via POST. |
| public comments | Displays all user comments. |
Insecure application; use at your own risk.