Burger Lab Vulnerable Web Application (BLVWA)
Cook. Break. Exploit.
A production-grade, high-fidelity e-commerce platform designed exclusively for Cybersecurity Research, Penetration Testing, and Offensive Security Training.
Overview
Welcome to Burger Labs (BLVWA). This platform is engineered with a molecularly-inspired architecture, containing 105+ unique intentional vulnerabilities ranging from classic OWASP Top 10 flaws to complex business logic exploits.
Whether you are a security student, a bug bounty hunter, or an enterprise security architect, Burger Labs provides a realistic, high-stakes environment to sharpen your artisanal exploit skills.
Quick Start (Local Deployment)
Option 1: Docker (Pro Way)
Perfect for a standardized, clean environment. Deploy in seconds.
Option 2: PHP Native Server
If you have PHP installed locally, spin up a server fast.
Vulnerability Deep Dive
This platform is engineered to simulate a Security Architect's Nightmare. Unlike basic CTFs, Burger Labs implements vulnerabilities at various layers of the stack:
1. The Injection Layer (Critical Severity)
SQL Injection (SQLi): Found in authentication, search, and order tracking. We use a Mock DB Engine that supports UNION-based, Boolean-blind, and Error-based techniques.
Command Injection (RCE): The admin diagnostics tool directly executes system commands (ping), allowing for full OS takeover if not properly sanitized.
SSTI (Server-Side Template Injection): The analytics engine uses eval() on user-supplied template strings, enabling remote code execution within the PHP context.
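As an added example (not BLVWA's own code), the three injection sinks described above are shown here with their hardened counterparts: a parameterized login lookup, a ping wrapper that validates its argument before it ever reaches a shell, and a template renderer that substitutes a fixed set of placeholders instead of calling `eval()`. The table and column names, the placeholder names and the in-memory SQLite database are assumptions for the demo.

```php
<?php
// Added example, not BLVWA's own code. Table/column names, placeholder names
// and the in-memory SQLite handle are assumed for demonstration.
declare(strict_types=1);

// SQLi: bind user input as a parameter instead of concatenating it into SQL.
function findUserForLogin(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Command injection: validate the argument against a strict allowlist (an IP
// literal) and pass it as a single shell word. The validation is the defence;
// escapeshellarg() is defence in depth, not a substitute for it.
function pingHost(string $host): string
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('host must be an IPv4/IPv6 literal');
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host) . ' 2>&1');
    return $out ?? '';
}

// SSTI: never eval() a user-supplied template. Treat it as data and replace
// only a fixed set of placeholders; values are HTML-escaped on the way in.
function renderReportTemplate(string $template, array $vars): string
{
    $allowed = ['orders', 'revenue', 'store'];
    $map = [];
    foreach ($allowed as $name) {
        $map['{{' . $name . '}}'] = htmlspecialchars((string)($vars[$name] ?? ''), ENT_QUOTES, 'UTF-8');
    }
    // strtr() does plain string replacement: no code path, no expression evaluation.
    return strtr($template, $map);
}

// Demo with a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users (username, password_hash) VALUES ('admin', 'x')");

var_dump(findUserForLogin($db, "admin' OR '1'='1")); // NULL: the quote is data, not SQL
var_dump(findUserForLogin($db, 'admin')['username']); // string(5) "admin"

// An unrecognised placeholder is left as literal text; nothing is evaluated.
echo renderReportTemplate('{{store}}: {{orders}} orders {{phpinfo()}}',
                          ['store' => 'Bangalore', 'orders' => 12]), "\n";
```

`pingHost()` is defined but not called in the demo; the point is that the only string that can reach the shell is one that already passed `FILTER_VALIDATE_IP`, so shell metacharacters never get that far.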
2. The Authorization Layer (High Severity)
BFLA (Broken Function Level Authorization): The /owner/dashboard and /staff portals lack robust role-based access control (RBAC). A simple horizontal or vertical privilege jump allows customers to access executive data.
IDOR (Insecure Direct Object Reference): Every "Dossier" and "Profile" is accessible via predictable numerical IDs. Changing ?id=1 to ?id=2 leaks PII, bank accounts, and private notes.
Mass Assignment: The profile update logic blindly trusts $_POST data. Injecting role=owner into a profile update request permanently promotes the attacker in the database.
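As an added example (not BLVWA's own code), here are server-side checks for the three authorization flaws above: a per-route role allowlist evaluated against the session (BFLA), an ownership check on the record before it is returned (IDOR), and a field allowlist applied to `$_POST` before the profile update (mass assignment). The session shape, role names, route list and table names are assumptions.

```php
<?php
// Added example, not BLVWA's own code. Session keys, role names, routes and
// table names are assumed for demonstration.
declare(strict_types=1);

// BFLA: decide access from the server-side session role, never from the URL or
// anything the client submits. Each route carries an explicit role allowlist.
const ROUTE_ROLES = [
    '/owner/dashboard' => ['owner'],
    '/staff'           => ['owner', 'staff'],
    '/profile/edit'    => ['owner', 'staff', 'customer'],
];

function authorizeRoute(string $route, array $session): bool
{
    $role = $session['role'] ?? null;
    return isset(ROUTE_ROLES[$route]) && in_array($role, ROUTE_ROLES[$route], true);
}

// IDOR: a well-formed id is not enough; the record must belong to the caller,
// or the caller must hold a role that may read any record.
function loadDossier(PDO $db, int $dossierId, array $session): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, notes FROM dossiers WHERE id = :id');
    $stmt->execute([':id' => $dossierId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $isStaff = in_array($session['role'] ?? '', ['owner', 'staff'], true);
    if (!$isStaff && (int)$row['owner_id'] !== (int)($session['user_id'] ?? -1)) {
        return null; // same answer as "not found", so the id's existence is not confirmed
    }
    return $row;
}

// Mass assignment: copy only the fields a user may edit. Anything else in
// $_POST (role, balance, is_admin, ...) is dropped before the UPDATE is built.
function profileUpdateFields(array $post): array
{
    $editable = ['display_name', 'email', 'phone'];
    $fields = [];
    foreach ($editable as $key) {
        if (array_key_exists($key, $post)) {
            $fields[$key] = trim((string)$post[$key]);
        }
    }
    return $fields;
}

// Demo with constructed data.
$customer = ['user_id' => 2, 'role' => 'customer'];
var_dump(authorizeRoute('/owner/dashboard', $customer)); // bool(false)
var_dump(authorizeRoute('/profile/edit', $customer));    // bool(true)

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dossiers (id INTEGER PRIMARY KEY, owner_id INTEGER, notes TEXT)');
$db->exec("INSERT INTO dossiers VALUES (1, 1, 'founder notes'), (2, 2, 'customer notes')");
var_dump(loadDossier($db, 1, $customer)); // NULL: dossier 1 belongs to user 1
var_dump(loadDossier($db, 2, $customer)['notes']); // string(14) "customer notes"

var_dump(profileUpdateFields(['display_name' => 'Ana', 'role' => 'owner'])); // role discarded
```

The allowlist in `profileUpdateFields()` is the important direction: enumerating what may be written survives new columns being added to the table, whereas a denylist of "dangerous" keys has to be updated every time the schema grows.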
3. The Logic & Financial Layer (Moderate Severity)
Price Tampering: The Wallet Top-up uses a simulated payment gateway that trusts a hidden paid_amount field. Modifying this in transit allows for balance inflation.
Race Conditions: Concurrent requests to the refund or transfer endpoints can lead to "double spending" or "balance theft" due to non-atomic session updates.
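As an added example (not BLVWA's own code), the two financial flaws above are addressed by recomputing the order total from a server-side catalogue, so any `total` or `paid_amount` the client submits is simply never read, and by debiting a wallet with a single conditional `UPDATE`, so the balance check and the write cannot be separated by a concurrent request. Amounts are integers in paise to avoid float rounding. The `menu` and `wallets` tables and the quantity limit are assumptions.

```php
<?php
// Added example, not BLVWA's own code. Table names, the quantity cap and the
// in-memory SQLite database are assumed for demonstration.
declare(strict_types=1);

// Price tampering: the client sends item ids and quantities only. The total is
// recomputed from the catalogue; a submitted total/paid_amount is ignored.
function orderTotal(PDO $db, array $lines): int // amount in paise
{
    $stmt = $db->prepare('SELECT price_paise FROM menu WHERE id = :id');
    $total = 0;
    foreach ($lines as $itemId => $qty) {
        $qty = (int)$qty;
        if ($qty < 1 || $qty > 50) {
            throw new InvalidArgumentException('quantity out of range');
        }
        $stmt->execute([':id' => (int)$itemId]);
        $price = $stmt->fetchColumn();
        if ($price === false) {
            throw new InvalidArgumentException('unknown item');
        }
        $total += (int)$price * $qty;
    }
    return $total;
}

// Race condition: the balance check and the debit are one statement in the
// database, not a read from the session followed by a write. Two concurrent
// refund/transfer requests cannot both pass a stale "balance >= amount" check.
function debitWallet(PDO $db, int $userId, int $amountPaise): bool
{
    if ($amountPaise <= 0) {
        throw new InvalidArgumentException('amount must be positive'); // rejects negative totals
    }
    $stmt = $db->prepare(
        'UPDATE wallets SET balance = balance - :amt WHERE user_id = :uid AND balance >= :amt2'
    );
    $stmt->execute([':amt' => $amountPaise, ':uid' => $userId, ':amt2' => $amountPaise]);
    return $stmt->rowCount() === 1; // false: insufficient funds or unknown user
}

// Demo with a constructed in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE menu (id INTEGER PRIMARY KEY, price_paise INTEGER)');
$db->exec('CREATE TABLE wallets (user_id INTEGER PRIMARY KEY, balance INTEGER)');
$db->exec('INSERT INTO menu VALUES (1, 35000), (2, 12000)');
$db->exec('INSERT INTO wallets VALUES (7, 40000)');

echo orderTotal($db, [1 => 1, 2 => 1]), "\n"; // 47000, whatever total= the client sent
var_dump(debitWallet($db, 7, 35000));         // bool(true)
var_dump(debitWallet($db, 7, 35000));         // bool(false): the second debit cannot overdraw
```

The same placeholder is bound twice under two names (`:amt`, `:amt2`) because the SQLite PDO driver uses native prepares and does not accept a repeated named parameter.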
Path of the Attacker: Walkthroughs
| Vector | Payload | Outcome |
|---|---|---|
| /login | `admin' OR '1'='1` | Logs into the administrator account, bypassing controls. |
| /checkout/payment | Modify query string `total=350` to `total=1` | Order purchase confirmation for ₹1. |
| /checkout/confirm | Set `total` parameter to `total=-500` | Subtracting a negative price adds ₹500 balance. |
| /track | Query incremental order IDs (BL-1004) | Views sensitive customer order data. |
| /search | `<script>alert('Vulnerable Lab!')</script>` | Forces local browser popups. |
| /orders/search | `' UNION SELECT 1,username,password_hash...` | Dumps user database and hashes. |
| /help ticket support | Submit image tag with cookie fetch code. | Administrative account session hijacked. |
| /forgot-password | Intercept request and rewrite Host header. | Routes password token to attacker site. |
| /lab/jwt/1 | Decode cookie, change the payload role from customer to admin. | Vertical privilege escalation to Admin. |
| /profile/edit (Mass Assignment) | Inject hidden parameter `name="role" value="owner"` | Accesses administrative founder panels. |
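As an added example (not BLVWA's own code), three of the walkthrough rows are paired here with the server-side fix a reviewer would ask for: HTML output encoding for the /search echo, a password-reset link built from a configured origin rather than the client-controlled Host header, and signature verification of the JWT cookie before any `role` claim is trusted. The HMAC secret, the base URL and the claim names are constructed for the demo.

```php
<?php
// Added example, not BLVWA's own code. The secret, APP_BASE_URL and claim
// names are constructed for demonstration.
declare(strict_types=1);

// XSS: encode on output, for the HTML context, every time.
function renderSearchEcho(string $q): string
{
    return 'Results for: ' . htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Host header poisoning: build absolute links from a configured origin, not
// from $_SERVER['HTTP_HOST'], which the client controls.
const APP_BASE_URL = 'https://burgerlab.example'; // assumed deployment value
function passwordResetLink(string $token): string
{
    return APP_BASE_URL . '/reset-password?token=' . rawurlencode($token);
}

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64urlDecode(string $s): string
{
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);
    $out = base64_decode(strtr($s, '-_', '+/'), true);
    return $out === false ? '' : $out;
}

function jwtSign(array $claims, string $secret): string
{
    $h = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = b64url(json_encode($claims));
    $sig = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    return "$h.$p.$sig";
}

// Verify: pin the algorithm, recompute the MAC, compare in constant time, and
// only then read the claims. A token whose payload was edited fails here.
function jwtVerify(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null; // no "none", no algorithm switching
    }
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    $claims = json_decode(b64urlDecode($p), true);
    return is_array($claims) ? $claims : null;
}

// Demo with constructed values.
$secret = 'constructed-demo-secret-not-for-real-use';
echo renderSearchEcho("<script>alert('Vulnerable Lab!')</script>"), "\n"; // tags arrive as &lt;script&gt;
echo passwordResetLink('abc123'), "\n";

$token = jwtSign(['sub' => 42, 'role' => 'customer'], $secret);
var_dump(jwtVerify($token, $secret)['role']); // string(8) "customer"

// Same header and signature, payload re-encoded with a different role:
[$h, , $sig] = explode('.', $token);
$edited = $h . '.' . b64url(json_encode(['sub' => 42, 'role' => 'admin'])) . '.' . $sig;
var_dump(jwtVerify($edited, $secret)); // NULL: the signature no longer covers the payload
```

`jwtVerify()` checks the signature before it decodes the claims, so the `role` value only ever reaches the authorization code once the server has proved it issued the token. The alg pin matters as much as the MAC: accepting whatever `alg` the header names is what turns a verifier into a decoder.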
All 105 Vulnerabilities
- Injection & Scripting (1-40)
- Access Control & IDOR (41-70)
- Business Logic & Flow (71-90)
- Cryptography & Config (91-105)
Requirements
Minimum Requirements
- Docker version 20.10+ & Docker Compose
- PHP version 7.4 / 8.0 (for native start)
- 4GB System RAM
Dependencies
- Standard Linux shell utils (bash, curl)
Security Policy
This repository is strictly for offensive training exercises. If any critical configuration leaks outside of container bounds occur, please contact us.
security@hgema.org
Community channels
Discussions
Join our GitHub community
Legal Disclaimer
Burger Labs is not a real company. It is a strictly fictional entity created for security training. Do not use this platform for actual financial transactions or store real-world sensitive data.