Open Source | MIT License | v2.1.0

Burger Lab Vulnerable Web Application (BLVWA)

Cook. Break. Exploit.

A production-grade, high-fidelity e-commerce platform designed exclusively for Cybersecurity Research, Penetration Testing, and Offensive Security Training.

Latest Release: June 2026
Vulnerabilities: 105+ unique vectors
Platforms: Docker, PHP Native
Category: Vulnerable Web Application

Overview

Welcome to Burger Labs (BLVWA). This platform is engineered with a molecularly-inspired architecture, containing 105+ unique intentional vulnerabilities ranging from classic OWASP Top 10 flaws to complex business logic exploits.

Whether you are a security student, a bug bounty hunter, or an enterprise security architect, Burger Labs provides a realistic, high-stakes environment to sharpen your artisanal exploit skills.

Quick Start (Local Deployment)

Option 1: Docker (Pro Way)

Perfect for a standardized, clean environment. Deploy in seconds.

1. Clone & Navigate

   git clone https://github.com/Amegh3/Burger-Lab-Vulnerable-Web-Application-BLVWA-.git && cd Burger-Lab-Vulnerable-Web-Application-BLVWA-

2. Launch Script

   bash docker-start.sh

URL: http://localhost:8000

Option 2: PHP Native Server

If you have PHP installed locally, spin up a server fast.

Run Server Script

   bash start_lab.sh

URL: http://localhost:8000

Vulnerability Deep Dive

This platform is engineered to simulate a Security Architect's Nightmare. Unlike basic CTFs, Burger Labs implements vulnerabilities at various layers of the stack:

1. The Injection Layer (Critical Severity)

SQL Injection (SQLi): Found in authentication, search, and order tracking. We use a Mock DB Engine that supports UNION-based, Boolean-blind, and Error-based techniques.

Command Injection (RCE): The admin diagnostics tool directly executes system commands (ping), allowing for full OS takeover if not properly sanitized.

SSTI (Server-Side Template Injection): The analytics engine uses eval() on user-supplied template strings, enabling remote code execution within the PHP context.
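As an added defensive example (not BLVWA's own code), the block below places the two string-building patterns this layer describes, the login query and the ping diagnostics tool, next to hardened equivalents; the table and column names are assumptions.

```php
<?php
// Added example, not BLVWA's own code. Table and column names are assumptions.

// Vulnerable pattern behind the /login tautology bypass: user input becomes SQL syntax.
function loginVulnerable(PDO $db, string $user, string $pass): ?array {
    $sql = "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";
    $res = $db->query($sql);
    return $res ? ($res->fetch(PDO::FETCH_ASSOC) ?: null) : null;
}

// Hardened: bound parameters (the input can never change the query's structure)
// plus password_verify() over a salted hash instead of the catalogue's unsalted MD5.
function loginHardened(PDO $db, string $user, string $pass): ?array {
    $stmt = $db->prepare('SELECT id, username, role, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;            // one failure path for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Vulnerable pattern behind the diagnostics tool: the target is pasted into a shell command line,
// so any shell metacharacters in it are interpreted by the shell.
function pingVulnerable(string $host): string {
    return (string) shell_exec("ping -c 1 $host");
}

// Hardened: accept only an IP address or a hostname, then quote it for the shell.
function pingHardened(string $host): string {
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = preg_match('/^(?=.{1,253}$)([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$/i', $host) === 1;
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('target must be an IP address or hostname');
    }
    // escapeshellarg() is defence in depth; the allowlist already excludes shell metacharacters
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : '';
}
```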

2. The Authorization Layer (High Severity)

BFLA (Broken Function Level Authorization): The /owner/dashboard and /staff portals lack robust role-based access control (RBAC). A simple horizontal or vertical jump allows customers to access executive data.

IDOR (Insecure Direct Object Reference): Every "Dossier" and "Profile" is accessible via predictable numerical IDs. Changing ?id=1 to ?id=2 leaks PII, bank accounts, and private notes.

Mass Assignment: The profile update logic blindly trusts $_POST data. Injecting role=owner into a profile update request permanently promotes the attacker in the database.
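The three flaws in this layer share one fix: decide server-side which row and which columns a caller may touch. The block below is an added example, not BLVWA's own code; the `users` columns, the session layout and the role names are assumptions.

```php
<?php
// Added example, not BLVWA's own code. Column names, session layout and role names are assumptions.

// Fields a user may change about their own profile. `role`, `id`, `wallet_id`, `balance`
// are deliberately absent: unknown keys in $_POST are dropped instead of written through.
const PROFILE_FIELDS = ['display_name', 'phone', 'address'];

function updateOwnProfile(PDO $db, array $session, array $post): bool {
    if (empty($session['user_id'])) {
        return false;                                   // must be logged in
    }
    $uid = (int) $session['user_id'];

    // Mass-assignment fix: an allowlist, not "everything the client sent"
    $data = array_intersect_key($post, array_flip(PROFILE_FIELDS));
    if ($data === []) {
        return false;
    }

    // Column names come from the constant above, never from the request
    $set = implode(', ', array_map(fn($k) => "$k = :$k", array_keys($data)));
    // IDOR fix: the row is selected by the session's user id, never by a client-supplied ?id=
    $stmt = $db->prepare("UPDATE users SET $set WHERE id = :uid");
    foreach ($data as $k => $v) {
        $stmt->bindValue(":$k", (string) $v);
    }
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    return $stmt->execute() && $stmt->rowCount() === 1;
}

// BFLA fix: role changes live on a separate path that checks the caller's server-side role
function setUserRole(PDO $db, array $session, int $targetId, string $newRole): bool {
    if (($session['role'] ?? '') !== 'owner') {
        http_response_code(403);
        return false;
    }
    if (!in_array($newRole, ['customer', 'staff', 'owner'], true)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET role = :r WHERE id = :id');
    return $stmt->execute([':r' => $newRole, ':id' => $targetId]);
}
```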

3. The Logic & Financial Layer (Moderate Severity)

Price Tampering: The Wallet Top-up uses a simulated payment gateway that trusts a hidden paid_amount field. Modifying this in transit allows for balance inflation.

Race Conditions: Concurrent requests to the refund or transfer endpoints can lead to "double spending" or "balance theft" due to non-atomic session updates.
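The price tampering and race condition flaws above (and the catalogue's fractional-quantity and rounding items) are addressed together in this added example, which is not BLVWA's own code: the total is recomputed from server-side prices in integer paise, and the wallet debit is one conditional UPDATE so concurrent requests cannot both succeed. Table names, the cart shape (`item_id => quantity`) and the paise unit are assumptions.

```php
<?php
// Added example, not BLVWA's own code. Table names, cart shape and the paise unit are assumptions.

// Price tampering fix: the total is recomputed from server-side prices, never read from the request.
function serverSideTotal(PDO $db, array $cart): int {
    $total = 0;
    foreach ($cart as $itemId => $qty) {
        $qty = (int) $qty;
        if ($qty < 1) {                   // blocks "0.5 items" and negative quantities
            throw new InvalidArgumentException('quantity must be a positive integer');
        }
        $stmt = $db->prepare('SELECT price_paise FROM menu WHERE id = ?');
        $stmt->execute([(int) $itemId]);
        $price = $stmt->fetchColumn();
        if ($price === false) {
            throw new InvalidArgumentException("unknown item $itemId");
        }
        $total += (int) $price * $qty;    // integer paise: no float rounding down to a ₹0 purchase
    }
    return $total;
}

// Negative-price and race-condition fix: one atomic, conditional debit inside a transaction.
// Of two concurrent requests, the second finds balance_paise < amount and changes nothing.
function debitWallet(PDO $db, int $userId, int $amountPaise): bool {
    if ($amountPaise <= 0) {
        return false;                     // a negative "total" can never become a credit
    }
    $db->beginTransaction();
    try {
        $stmt = $db->prepare(
            'UPDATE wallets SET balance_paise = balance_paise - ?
             WHERE user_id = ? AND balance_paise >= ?'
        );
        $stmt->execute([$amountPaise, $userId, $amountPaise]);
        if ($stmt->rowCount() !== 1) {    // insufficient funds, or lost the race: nothing was changed
            $db->rollBack();
            return false;
        }
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
```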

Path of the Attacker: Walkthroughs

1. Broken Authentication (Auth Bypass)

Vector: /login

Payload: admin' OR '1'='1
Outcome: Logs into the administrator account, bypassing authentication controls.

2. Price Manipulation

Vector: /checkout/payment

Payload: Modify query string total=350 to total=1
Outcome: Order purchase confirmation for ₹1.

3. Wallet Negative Price Attack

Vector: /checkout/confirm

Payload: Set total parameter to total=-500
Outcome: Subtracting a negative price adds ₹500 to the wallet balance.

4. IDOR (Order Tracking)

Vector: /track

Payload: Query incremental order IDs (BL-1004)
Outcome: Views sensitive customer order data.

5. Reflected XSS

Vector: /search

Payload: <script>alert('Vulnerable Lab!')</script>
Outcome: Forces local browser popups.

6. SQL Injection Data Exfiltration

Vector: /orders/search

Payload: ' UNION SELECT 1,username,password_hash...
Outcome: Dumps user database and hashes.

7. Stored XSS Admin Hijack

Vector: /help (ticket support)

Payload: Submit image tag with cookie fetch code.
Outcome: Administrative account session hijacked.

8. Host Header Reset Attack

Vector: /forgot-password

Payload: Intercept request and rewrite Host header.
Outcome: Routes password token to attacker site.

9. JWT Auth Bypass

Vector: /lab/jwt/1

Payload: Decode the cookie and change the role claim from customer to admin.
Outcome: Vertical privilege escalation to Admin.

10. Owner Privilege Escalation

Vector: /profile/edit (Mass Assignment)

Payload: Inject hidden parameter name="role" value="owner"
Outcome: Accesses administrative founder panels.
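Walkthrough 9 works because the role is read from an unverified token. The added example below (not BLVWA's own code) verifies the HS256 signature with a constant-time compare, rejects any other `alg`, and then takes the role from the database rather than from the claim, so even a validly signed but stale claim cannot promote the caller. The secret source, cookie name and claim layout (`sub`, `exp`) are assumptions.

```php
<?php
// Added example, not BLVWA's own code. Secret source, cookie name and claim layout are assumptions.

function b64urlDecode(string $s): ?string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    $out = base64_decode(strtr($s, '-_', '+/') . $pad, true);   // strict: reject stray characters
    return $out === false ? null : $out;
}

// Returns the verified payload, or null. The role claim is NOT what authorises the request.
function verifyJwt(string $token, string $secret): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64urlDecode($h), true);
    // Only the one algorithm we issue; "none" and algorithm-confusion attempts fail here
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $given = b64urlDecode($s);
    if ($given === null || !hash_equals($expected, $given)) {    // constant-time compare
        return null;
    }
    $payload = json_decode((string) b64urlDecode($p), true);
    if (!is_array($payload) || ($payload['exp'] ?? 0) < time()) {
        return null;
    }
    return $payload;
}

// Authorisation: re-read the role from the database for the subject the token names.
function currentRole(PDO $db, string $cookie, string $secret): string {
    $claims = verifyJwt($cookie, $secret);
    if ($claims === null || !isset($claims['sub'])) {
        return 'anonymous';
    }
    $stmt = $db->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([(int) $claims['sub']]);
    $role = $stmt->fetchColumn();
    return $role === false ? 'anonymous' : (string) $role;
}
```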

All 105 Vulnerabilities

Injection & Scripting (1-40)

[Login] SQLi: Tautology Auth Bypass.
[Search] SQLi: UNION-based data exfiltration.
[Tracking] SQLi: Boolean-blind exploitation on Order IDs.
[Help Desk] Stored XSS: Victim-side script execution.
[Menu] Reflected XSS: Unsanitized search query reflection.
[Checkout] Parameter Injection: Overriding total amounts.
[API] NoSQL-style Injection (Simulated): Bypassing filters.
[Contact] SMTP Header Injection: Manipulating email metadata.
[Feedback] HTML Injection: Rendering malicious markup.
[Network] OS Command Injection: RCE via ping tool.
[Logger] Log Injection: Forging log entries.
[Newsletter] CSV Injection: Formulas in exports.
[Profile] Attribute Injection: Modifying hidden role attributes.
[Review] Client-side Template Injection (CSTI).
[Cart] CRLF Injection: Injecting headers via cart parameters.
[Auth] LDAP Injection (Simulated) on legacy enterprise login.
[Search] XPath Injection in legacy XML product catalog.
[API] GraphQL Injection: Introspection queries allowed.
[Checkout] SSI Injection (Server-Side Includes).
[Help] Host Header Injection on password reset.
[Auth] SQLi: Time-based blind on registration form.
[Menu] XSS: Event handler injection (onclick) in filters.
[Review] XSS: URI-based (javascript: protocol) in user links.
[Cart] SQLi: Order-by clause manipulation.
[API] SQLi: Limit-offset clause manipulation.
[Booking] SQLi: Insert-based injection in table bookings.
[Auth] XSS: Document.referrer reflection in login errors.
[Menu] XSS: Hash-based (fragment) reflection.
[Tracking] SQLi: Second-order injection in status updates.
[Profile] XSS: CSS-based injection (expression/url).
[Help] SQLi: Group-by clause manipulation.
[API] NoSQL: PHP-array based bypass on login.
[Search] XSS: Meta-tag injection via page title.
[Contact] Email Injection: CC/BCC field manipulation.
[Auth] SQLi: Truncation-based attack on registration.
[Menu] XSS: Polyglot payload execution.
[Review] XSS: SVG-based (onload) in avatar upload.
[Cart] XSS: Mouseover event injection in cart tooltips.
[API] SQLi: Update-based injection in user preferences.
[Tracking] XSS: Print-dialog trigger on order receipt.

Access Control & IDOR (41-70)

[Orders] IDOR: Viewing any user's order details via ID.
[Profile] IDOR: Modifying other users' profile settings.
[Admin] Broken Access: Direct access to /admin_p0rtal.
[Files] Directory Traversal: Accessing /etc/passwd.
[Uploads] Unrestricted File Upload: PHP webshell.
[API] Mass Assignment: Elevating user privileges.
[Checkout] Insecure Direct Object Reference: Cart takeover.
[Referral] Forced Browsing: Hidden reward page access.
[API] BOLA on user stats.
[Files] LFI in page parameter.
[Profile] IDOR: Deleting other users' accounts.
[Cart] IDOR: Clearing other users' shopping carts.
[Admin] Horizontal Privilege Escalation: User-to-User profile access.
[Admin] Vertical Privilege Escalation: Guest-to-Admin via hidden cookie.
[Auth] Session Hijacking: Session fixation vulnerability.
[API] Broken Function Level Authorization: /api/v1/delete_user.
[Orders] Information Disclosure: Exporting order logs.
[Help] IDOR: Accessing private support tickets.
[Profile] IDOR: Modifying wallet ID.
[API] Improper Asset Management: Accessing deprecated v0 API.
[Files] Remote File Inclusion (RFI) via external proxy.
[Admin] IDOR: Accessing server PHPinfo.
[Auth] Broken Authentication: Bypass via 'Remember Me' cookie.
[API] Excessive Data Exposure: Returning full user object in search.
[Checkout] IDOR: Changing delivery address for active orders.
[Admin] Bypassing WAF: Manipulation of User-Agent headers.
[Help] IDOR: Resolving other users' complaints.
[API] Broken Object Property Level Authorization.
[Profile] IDOR: Viewing sensitive KYC data in hidden fields.
[Admin] IDOR: Accessing internal server logs.

Business Logic & Flow (71-90)

[Checkout] Price Manipulation: GET parameter tampering.
[Wallet] Negative Price Attack: Balance inflation.
[Coupons] Logical Flaw: Infinite reuse of promo codes.
[Inventory] Oversell Vulnerability: Race condition.
[Refunds] Double Refund Exploit: Concurrent requests.
[Booking] Time Conflict Flaw: System lock via overbooking.
[Cart] Rounding Error: Fractional ₹0 purchase.
[Promo] Brute-forceable Coupon Logic (short 4-char codes).
[Wallet] Improper Validation: Transferring more than balance.
[Auth] Account Lockout Bypass: IP-rotation.
[Referral] Circular Referral: Self-referral loop for points.
[Checkout] Step Skip: Accessing /payment without /address.
[Cart] Item Duplication: Adding 0.5 items via API.
[Booking] Guest Booking: Booking without login (Logic Bypass).
[Auth] Weak Password Policy: 1-character passwords allowed.
[Promo] Logic Flaw: Stacking multiple non-stackable coupons.
[Wallet] Negative Transfer: Stealing balance from other users.
[Checkout] Address Validation Bypass: Empty address allowed.
[Cart] Price Update Delay: Purchasing at old price after update.
[Auth] Email Change Without Verification.

Cryptography & Config (91-105)

[Users] Weak Hashing: MD5 (no salt).
[Sessions] Predictable Tokens: Sequential IDs.
[Secrets] Hardcoded Credentials: config.php.bak.
[Headers] Missing Security Headers: CSP/HSTS.
[Debug] Verbose Error Reporting: Stack traces.
[CORS] Insecure Policy: Wildcard origin.
[API] Information Disclosure: /api/v1/debug.
[Cookies] Missing HttpOnly/Secure Flags.
[CDN] Cache Poisoning: Unkeyed headers.
[Auth] Lack of Rate Limiting: Brute-force on login.
[XML] XXE Injection: Franchise portal.
[SSL] Insecure Renegotiation.
[JS] Insecure Dependency: Vulnerable jQuery.
[API] Broken Object Level Authorization (BOLA).
[Server] SSRF: Proxy metadata.

Requirements

Minimum Requirements

  • Docker version 20.10+ & Docker Compose
  • PHP version 7.4 / 8.0 (for native start)
  • 4GB System RAM

Dependencies

  • Standard Linux shell utils (bash, curl)

Technical Specifications

PHP Engine
SQLite / Custom Mock Database
Docker Environment
JWT Session Auth

Security Policy

This repository is strictly for offensive training exercises. If you find a critical configuration that leaks outside the container boundary, please contact us.

security@hgema.org

Community channels

Discussions: Join our GitHub community
WhatsApp: Live chat with developers
Reddit: Reddit updates & community info

Legal Disclaimer

Burger Labs is not a real company. It is a strictly fictional entity created for security training. Do not use this platform for actual financial transactions or store real-world sensitive data.