<html class="" lang="en"><head>
<meta charset="UTF-8">
<title>IRIS Demonstration</title>
<meta name="robots" content="noindex">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Barlow:wght@100&display=swap">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css">
<link rel="stylesheet" href="/static/assets/css/bootstrap.min.css">
<link rel="stylesheet" href="/static/assets/css/atlantis.css">
<link rel="stylesheet" href="/static/assets/css/demo.css">
<link rel="icon" href="/static/assets/img/logo.ico" type="image/x-icon"/>
<script defer data-domain="v200.beta.dfir-iris.org" src="https://analytics.dfir-iris.org/js/plausible.js"></script>
</head>
<body class="landing-demo">
<div class="ml-1 row justify-content-center mr-1">
<div class="col-xl-8">
<div class="card mt-3">
<div class="mt-4">
<div class="col d-flex justify-content-center">
<a href="/" class="logo ml-2 text-center">
<img src="/static/assets/img/logo-full-blue.png" alt="IRIS logo" width="300">
</a>
</div>
</div>
<div class="row">
<h4 class="ml-auto mr-auto"><span class="text-danger">shared</span> demonstration instance {{ iris_version }}</h4>
</div>
<div class="row">
<h5 class="text-muted ml-auto mr-auto"><i>Try out IRIS, find bugs and security vulnerabilities</i></h5><br/>
</div>
<div class="row mt-4">
</div>
<div class="row mt-4">
</div>
<div class="row mt-2 mb-4">
<div class="col-md-1 col-lg-2"></div>
<div class="col-md-10 col-lg-8 ml-4">
<h3 class=" ml-auto mr-auto">Hey there, please read the following carefully</h3><br/>
<ul>
<li><b>Do not upload any illegal or confidential material</b></li>
<li><b>Do not blindly download and open files uploaded by other users</b></li>
<li><b>If you find a vulnerability, respect a 30-day <a class="text-muted" target="_blank" rel="noopener noreferrer" href="https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#responsible-or-coordinated-disclosure">responsible disclosure</a> period</b></li>
</ul>
<b>Not sure what IRIS is about? You'll find more information on the <a target="_blank" rel="noopener" href="https://dfir-iris.org">main website</a></b>
</div>
<div class="col-md-1 col-lg-2"></div>
</div>
<div class="row mt-3">
<div class="col-md-1 col-lg-2"></div>
<div class="col-md-10 col-lg-8 ml-4 mr-3">
<p class="">Accounts to access the instance are listed at the bottom of this page.<br/>
IRIS is not optimized for phones; we recommend accessing it from a computer.<br/>
If you notice anything suspicious or have any question, please <a href="mailto:contact@dfir-iris.org">contact us</a>.<br/>Note that the instance may be reset at any moment.</p>
<p><i>By accessing this instance you confirm that you have read, understood and agree with all the information on this page.</i></p>
</div>
<div class="col-md-1 col-lg-2"></div>
</div>
<div class="row mt-4 mb-4 mr-2">
<a class="btn btn-outline-success ml-auto mr-auto" target="_blank" rel="noopener" href="/login">
Access IRIS
</a>
</div>
<div class="row mt-4 mb-4 mr-2 justify-content-center">
<div class="ml-mr-auto">
<button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseSecRules" aria-expanded="false" aria-controls="collapseSecRules">
Rules of engagement
</button>
<button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseLiability" aria-expanded="false" aria-controls="collapseLiability">
Disclaimer
</button>
<button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseAccounts" aria-expanded="false" aria-controls="collapseAccounts">
Accounts
</button>
</div>
</div>
<div class="row mt-4 mb-4 mr-2 justify-content-center">
<div class="col ml-4">
<div class="collapse" id="collapseLiability">
<div class="card card-body">
<h3 class="mt-2">Disclaimer</h3>
DFIR-IRIS is a non-profit organization. It is not responsible for any damage caused by the use of this site or any material contained in it, or by any action or decision taken as a result of using this site.<br/>
It is not responsible for the content of any external sites linked from this site.<br/> By using this site, you acknowledge that content posted on it is public and that DFIR-IRIS cannot guarantee the security of any information disclosed on it; you make such disclosures at your own risk.
<h4 class="mt-2">Privacy</h4><br/>
<p>This demonstration instance is shared and we cannot guarantee the privacy of any data you upload to it. We are not responsible for any data loss or data leak.</p>
<p>To better understand how this instance is used, DFIR-IRIS runs privacy-friendly, cookie-less analytics. DFIR-IRIS does not collect any personal data and does not use any third-party analytics service: it uses a self-hosted <a target="_blank" rel="noopener" href="https://plausible.io/">Plausible</a> instance.</p>
</div>
</div>
<div class="collapse" id="collapseSecRules">
<div class="card card-body">
<h3 class="mt-2">Rules of engagement</h3>
<p class=""><b>If you find a vulnerability</b>, <a href="mailto:contact@dfir-iris.org">contact us</a> before going public, as it may affect systems already in production.<br/>
In other words, please respect a 30-day responsible disclosure period. We will patch first and then publish the vulnerability. Depending on the finding, a CVE might be requested; it will credit you by name unless you prefer otherwise.<br/>
You can report anything you find at <a href="mailto:contact@dfir-iris.org">contact@dfir-iris.org</a>.</p>
<p class=""><b>The scope of the security tests</b> is limited to the IRIS web application hosted at <a class="" target="_blank" rel="noopener" href="{{ demo_domain }}">{{ demo_domain }}</a>.<br/>
<span class="text-danger">Subdomains, SSH, scanning of the IP, brute force, and other such activities are <b>out of scope.</b></span></p>
We are mostly interested in the following:
<ul>
<li><b>authentication bypass</b>: perform any action that requires authentication without being authenticated. <span class="text-danger">Brute force is not what we are looking for</span></li>
<li><b>privilege escalation within the application</b>: from a standard user (<code>user_std_XX</code>) to administrative rights (<code>adm_XX</code>) on IRIS</li>
<li><b>privilege escalation on the host server</b>: from a standard user (<code>user_std_XX</code>) to code execution on the server</li>
<li><b>data leakage</b>: as a standard user (<code>user_std_XX</code>), read data from cases you have no access to (titled <code>Restricted Case XXX</code>)</li>
</ul>
<h3>Important Remarks</h3>
<ul>
<li>If you can, use a local instance of IRIS instead of this one. It only takes a few minutes to <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org/getting_started/">get it running on Docker</a>.</li>
<li>Administrator accounts can publish stored XSS on the platform via <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org/operations/custom_attributes/">Custom Attributes</a>. This is an operational requirement and is not recognized as a vulnerability.</li>
<li><b>Try not to be destructive.</b> If you manage to run code on the host server, do not try to go further.</li>
</ul>
<h3>Restrictions</h3>
To keep this demo instance alive, some restrictions are in place.
<ul>
<li>The <code>administrator</code> account cannot be updated or deleted.</li>
<li>The accounts listed on this page cannot be updated or deleted.</li>
<li>File uploads to the datastore are limited to 200 KB per file.</li>
</ul>
<h3>Resources</h3>
<p>You can read more about IRIS in the <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org">official documentation</a>.<br/>
IRIS is open source, so you can access the code directly on <a target="_blank" rel="noopener" href="https://github.com">GitHub</a>.</p>
</div>
</div>
<div class="collapse" id="collapseAccounts">
<div class="card card-body">
<h3 class="mt-2">Accounts</h3>
The following accounts are available on the instance. These users cannot be updated or deleted; however, new users and groups can be created.<br/>
<b>If a password does not work, double-check that no whitespace was added while copying it.</b>
<table class="table table-striped table-hover responsive">
<thead>
<tr>
<th>Username</th>
<th>Password</th>
<th>Role</th>
</tr>
</thead>
<tbody>
{% for user in demo_users %}
<tr>
<td>{{ user.username }}</td>
<td>{{ user.password }}</td>
<td>{{ user.role }}</td>
</tr>
{% endfor %}
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<script src="/static/assets/js/core/jquery.3.2.1.min.js"></script>
<script src="/static/assets/js/core/bootstrap.min.js"></script>
</body>
</html>