{"id":32968743,"url":"https://github.com/adamdoupe/WackoPicko","last_synced_at":"2025-11-15T08:01:14.015Z","repository":{"id":44173446,"uuid":"778110","full_name":"adamdoupe/WackoPicko","owner":"adamdoupe","description":"WackoPicko is a vulnerable web application used to test web application vulnerability scanners.","archived":false,"fork":false,"pushed_at":"2024-05-25T16:13:27.000Z","size":4576,"stargazers_count":333,"open_issues_count":2,"forks_count":202,"subscribers_count":23,"default_branch":"master","last_synced_at":"2025-06-02T08:15:46.318Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adamdoupe.png","metadata":{"files":{"readme":"README.markdown","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2010-07-16T02:50:03.000Z","updated_at":"2025-05-15T11:07:14.000Z","dependencies_parsed_at":"2025-05-25T23:04:20.450Z","dependency_job_id":"c4636b68-265d-4337-a2c1-17e2bac6200d","html_url":"https://github.com/adamdoupe/WackoPicko","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/adamdoupe/WackoPicko","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamdoupe%2FWackoPicko","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamdoupe%2FWackoPicko/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamdoupe%2FWackoPicko/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamdoupe%2FWackoPicko/manifests","owner_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adamdoupe","download_url":"https://codeload.github.com/adamdoupe/WackoPicko/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamdoupe%2FWackoPicko/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":284524384,"owners_count":27020135,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-15T02:00:06.050Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-11-13T04:00:21.096Z","updated_at":"2025-11-15T08:01:14.005Z","avatar_url":"https://github.com/adamdoupe.png","language":"PHP","funding_links":[],"categories":["🕸️ Vulnerable Web Applications","Vulnerable Web apps:","Support","Vulnerable Web Applications","Downloadable Applications"],"sub_categories":["PHP"],"readme":"# WackoPicko Vulnerable Website\n\nWackoPicko is a website that contains known vulnerabilities. 
It was first used for the paper [Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners](http://adamdoupe.com/publications/black-box-scanners-dimva2010.pdf)\n\n## Docker Image\n\nI recently created a\n[wackopicko docker image](https://hub.docker.com/r/adamdoupe/wackopicko/),\nwhich is just about the easiest way to run wackopicko.\n\nSimply run the following, which will map your local port `8080` to the\nport `80` in the container. Change the `8080` to another port if you\nlike:\n\n\tdocker run -p 127.0.0.1:8080:80 -it adamdoupe/wackopicko\n\nOnce the docker image is downloaded and running, you should be able to\naccess wackopicko in your browser:\n[http://localhost:8080](http://localhost:8080).\n\nNote that Windows users might need some additional steps to do the\nport forwarding correctly. Google is your friend, use it well. \n\n## Virtual Machine\n\nWackoPicko is now included as an application in the [OWASP Broken Web Applications Project](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project#tab=Main), which is a virtual machine with numerous intentionally vulnerable applications.\n\n## External Links/Help\n* [WackoPicko on aldeid](http://www.aldeid.com/wiki/WackoPicko), a security wiki.\n\n## Install From Source \n\nFirst, ensure that the short_open_tag PHP ini option is enabled:\n\nhttp://www.php.net/manual/en/ini.core.php#ini.short-open-tag\n\nImport the WackoPicko database into MySQL using a command like the following:  \n  mysql -u \u003cuser\u003e -p \u003c current.sql\n  \nThis will create the MySQL user wackopicko with the password webvuln!@# as well as create the wackopicko table.\n\nThe wackopicko table contains all of the data that was present while testing the scanners in [Why Johnny Can't Pentest](http://adamdoupe.com/publications/black-box-scanners-dimva2010.pdf).\n\nThe final step is to enable read/write access to the upload directory of WackoPicko for the webserver user. 
An easy way to do this is:  \n  chmod 777 -R upload\n\n## Valid Logins\n\n### Regular users\n* scanner1/scanner1\n* scanner2/scanner2\n* bryce/bryce\n\n### Administrator users\n* admin/admin\n* adamd/adamd\n\n## Known Issues\n* The search bar doesn't appear in Internet Explorer.\n* There are some onions hanging around (particularly in the upload folder) but I kept them there to preserve parity with the version used during the tests.\n* WackoPicko was developed with the assumption that it was running as the root application at the URL and won't work running as a directory.\n* WackoPicko uses PHP's short tags; they must be enabled to run the application.\n\n## Vulnerabilities\n\n* Reflected XSS  \nhttp://localhost/pictures/search.php?query=blah  \nThe query parameter is vulnerable.  \n\n* Stored XSS  \nhttp://localhost/guestbook.php  \nThe comment field is vulnerable.  \n\n* SessionID vulnerability  \nhttp://localhost/admin/login.php  \nThe session cookie value is admin_session, which is an auto-incrementing value.  \n\n* Stored SQL Injection  \nhttp://localhost/users/register.php -\u003e http://localhost/users/similar.php  \nThe first name field of the register users form contains a stored SQL injection which is then used unsanitized on the similar users page.  \n\n* Reflected SQL Injection  \nhttp://localhost/users/login.php  \nThe username field is vulnerable.  \n\n* Directory Traversal  \nhttp://localhost/pictures/upload.php  \nThe tag field has a directory traversal vulnerability enabling a malicious user to overwrite any file the web server user has access to.  \n\n* Multi-Step Stored XSS  \nhttp://localhost/pictures/view.php?picid=3  \nThe comment field is vulnerable to XSS; however, the comment must go through a preview form.  
\n\n* Forceful Browsing  \nhttp://localhost/pictures/highquality.php?picid=3\u0026key=highquality  \nThe user doesn't have to purchase the picture to see the high quality version.\n\n* Command-line Injection  \nhttp://localhost/passcheck.php  \nThe password field is vulnerable to command line injection.  \n\n* File Inclusion  \nhttp://localhost/admin/index.php?page=login  \nThe page has a file inclusion vulnerability; however, you have to include %00 at the end.  \n\n* Parameter Manipulation  \nhttp://localhost/users/sample.php?userid=1  \nThe userid parameter can be manipulated to see any user's page, which otherwise requires being logged in.  \n\n* Reflected XSS Behind JavaScript  \nhttp://localhost/piccheck.php  \nThe name parameter is vulnerable.  \n\n* Logic Flaw  \nhttp://localhost/cart/review.php  \nA coupon can be applied multiple times, reducing the price of an order to zero. The coupon in the initial data is SUPERYOU21.  \n\n* Reflected XSS Behind a Flash Form  \nhttp://localhost/submitname.php  \nThe value parameter is vulnerable.  \n\n* Weak username/password  \nhttps://localhost/admin/login.php  \nThere is a default username/password combination of admin/admin.  \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadamdoupe%2FWackoPicko","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadamdoupe%2FWackoPicko","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadamdoupe%2FWackoPicko/lists"}