Based on Hackazon by Rapid7 — all credit for the original application, vulnerability design, and training content goes to the Rapid7 team.
Hackazon is an intentionally vulnerable e-commerce web application built for offensive security training, CTF challenges, and penetration testing labs. Originally created by Rapid7, this repository is a complete migration of the PHP 5.4 / PHPixie codebase to PHP 8.4 / Laravel 13 — making it a modern, Docker-ready alternative to DVWA and WebGoat for teaching real-world web vulnerabilities.
Spin up a full security lab in under two minutes with Docker. Each vulnerability can be toggled on/off from the admin panel, making it ideal for structured courses and guided labs.
WARNING: This application contains deliberate security vulnerabilities including SQL Injection, XSS, CSRF, IDOR, Remote File Inclusion, XXE, and OS Command Injection. Do not deploy on a public server or production environment.
Screenshots: Storefront, Product Page, Search Results, Admin — Products, Vulnerability Matrix, Vulnerability Editor.
| Layer | Technology |
|---|---|
| Language | PHP 8.4+ |
| Framework | Laravel 13 |
| Database | MySQL 8 (same schema as original) |
| Frontend | jQuery + Knockout.js + Bootstrap (unchanged) |
| Special modules | GWT (Google Web Toolkit), AMF/Flash, REST API |
Docker is the recommended way to run Hackazon for security labs. It handles all dependencies automatically and makes resetting the database trivial between student sessions.
Requirements:

- Docker Desktop (or Docker Engine + Compose v2)

```bash
git clone https://github.com/agugliotta/hackazon.git
cd hackazon
# Build and start (first run ~2 minutes)
docker compose up -d --build
```

The app will be available at http://localhost:8080.
Students can trigger XSS payloads, create accounts, place orders, etc. Restore a clean state between sessions:
```bash
# Wipe only the database, keep app running (~15 seconds)
./docker/reset-db.sh
# Full teardown and rebuild
./docker/reset-db.sh --full
```

Useful commands:

```bash
docker compose logs -f app                                        # tail application logs
docker exec -it hackazon_app bash                                 # shell inside app container
docker exec -it hackazon_db mysql -uhackazon -phackazon hackazon  # MySQL shell
docker compose down                                               # stop (data preserved)
```

Manual installation requires:

- PHP 8.4+
- MySQL 8
- Composer
```bash
composer install
cp .env.example .env
# Edit .env — set DB_HOST, DB_DATABASE, DB_USERNAME, DB_PASSWORD
php artisan key:generate
mysql -u hackazon -p hackazon < database/hackazon_schema.sql
mysql -u hackazon -p hackazon < database/migration_coupons.sql
mysql -u hackazon -p hackazon < database/migration_credit_card.sql
mysql -u hackazon -p hackazon < database/hackazon_demo_data.sql
php artisan serve
```

Default credentials:

| Role | Username | Password |
|---|---|---|
| Admin | admin | 123456 |
| User | test_user | 123456 |
All vulnerabilities are preserved from the original application and can be toggled per-context from the admin panel at /admin/vulnerability.
| Vulnerability | Entry Point |
|---|---|
| SQL Injection (UNION) | Search bar — ' UNION SELECT ... |
| SQL Injection (blind) | Wishlist search |
| XSS (Reflected) | Login — username echoed back unescaped |
| XSS (Stored) | Product reviews, profile fields |
| CSRF | Checkout, cart, best price form |
| IDOR | Orders /account/orders/{id}, wishlists |
| Remote File Inclusion | Account → Help articles ?page= |
| OS Command Injection | Account → Documents ?page= |
| XXE | REST API — POST /api/user with Content-Type: application/xml |
| Arbitrary File Upload | Profile photo upload |
- Log in as admin → go to http://localhost:8080/admin/vulnerability
- Select a context from the dropdown (e.g. `account`, `search`, `user`)
- Check Edit Mode
- Toggle vulnerability checkboxes and click Save changes
Changes apply immediately — no restart required.
URL: http://localhost:8080/admin
| Section | URL |
|---|---|
| Dashboard / Vuln Matrix | /admin |
| Vulnerability Editor | /admin/vulnerability |
| Products | /admin/product |
| Users | /admin/user |
| Orders | /admin/order |
| Categories | /admin/category |
| FAQs | /admin/faq |
| Coupons | /admin/coupon |
Project layout:

```
app/
  Http/Controllers/            Laravel controllers (one per PHPixie controller)
  Models/                      Eloquent models (same table names as original)
  VulnModule/                  Vulnerability injection system (preserved as-is)
  AmfphpModule/                AMF/Flash gateway
  Services/                    CartService, AuthService
  Auth/                        MD5 auth provider (legacy password hashing)
resources/views/               Blade templates
routes/web.php                 Frontend + admin routes
routes/api.php                 REST API routes
database/                      SQL schema + demo seed data
assets/config/vuln/            Per-context vulnerability config files (PHP arrays)
assets/config/vuln.sample/     Default/reference configs (used by Restore button)
content_pages/                 Static help article content (PHP includes)
docker/                        Entrypoint script, MySQL init
public/                        Static assets, GWT compiled JS
vendor/
  hackazon/amfphp/             AMF library (vendored — not on Packagist)
  gwtphp/gwtphp/               GWT PHP library (vendored — not on Packagist)
```
Security notes:

- Password hashing: MD5 — preserved for compatibility with original demo data
- Sessions: File-based (`SESSION_DRIVER=file`)
- CSRF: Disabled globally — intentional (CSRF is a training vulnerability)
- `allow_url_include`: Enabled in Docker for RFI vulnerability
- GWT helpdesk: `/helpdesk` served through Laravel via `.htaccess` rewrite rule (the `public/helpdesk/` directory would otherwise shadow the route)
- AMF endpoint: `/amf` requires a Flash client; back office at `/amf_back_office/`
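The MD5 auth provider is kept so the original demo data still logs in. The following PHP example is added here and is not code from the Hackazon repository, Rapid7 or Laravel; it shows the pattern a maintainer would use to retire such hashes outside a training lab: verify the legacy digest in constant time, then rehash with bcrypt (Laravel's default hasher) on the next successful login so each weak hash is replaced one record at a time. The `$users` array, the function names and the credentials in it are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Hackazon or Rapid7 code): retiring legacy unsalted MD5
// password hashes by verifying against the old digest and transparently
// rehashing with bcrypt on the next successful login. The in-memory $users
// store and the credentials in it are constructed for this example.

// Legacy rows: the password column holds md5($plaintext), as in the original demo data.
$users = [
    'admin'     => ['password' => md5('123456')],
    'test_user' => ['password' => md5('123456')],
];

/** True when $stored is a bare MD5 digest (32 hex chars) rather than a password_hash() string. */
function isLegacyMd5Hash(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

/**
 * Verify $plain against $stored. On success, newHash is set whenever the
 * record should be rewritten: always for MD5, and for bcrypt when the cost
 * or algorithm has been raised since the hash was created.
 *
 * @return array{ok: bool, newHash: ?string}
 */
function verifyAndUpgrade(string $plain, string $stored): array
{
    if (isLegacyMd5Hash($stored)) {
        // hash_equals() compares in constant time. The digest itself is still
        // unsalted and fast to brute-force, so a match immediately triggers a rehash.
        if (!hash_equals(strtolower($stored), md5($plain))) {
            return ['ok' => false, 'newHash' => null];
        }
        return ['ok' => true, 'newHash' => password_hash($plain, PASSWORD_BCRYPT)];
    }

    if (!password_verify($plain, $stored)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = password_needs_rehash($stored, PASSWORD_BCRYPT)
        ? password_hash($plain, PASSWORD_BCRYPT)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

/** Login routine that persists the upgraded hash as a side effect of a successful login. */
function login(array &$users, string $username, string $plain): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $result = verifyAndUpgrade($plain, $users[$username]['password']);
    if ($result['ok'] && $result['newHash'] !== null) {
        $users[$username]['password'] = $result['newHash'];
    }
    return $result['ok'];
}

// Walk through one upgrade: MD5 before the first login, bcrypt afterwards,
// and the bcrypt hash still rejects a wrong password.
$stages = [
    ['admin', '123456'],
    ['admin', 'wrong'],
    ['admin', '123456'],
];
foreach ($stages as [$user, $pw]) {
    $before = isLegacyMd5Hash($users[$user]['password']) ? 'md5' : 'bcrypt';
    $ok = login($users, $user, $pw);
    $after = isLegacyMd5Hash($users[$user]['password']) ? 'md5' : 'bcrypt';
    printf("%s / %-6s  ok=%s  hash: %s -> %s\n", $user, $pw, $ok ? 'yes' : 'no', $before, $after);
}
```

Run it with `php upgrade.php`. The legacy branch uses `hash_equals()` rather than `==` so that the comparison does not leak through timing or through PHP's loose comparison of numeric-looking strings; the detection of a legacy row by its 32-hex shape is what lets old and upgraded records coexist in the same column during a gradual migration.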
61 routes tested (GET + admin CRUD + API), all returning 200. Verified vulnerabilities:

- SQLi UNION — search extracts DB user via `' UNION SELECT user(),...`
- XSS Reflected — `<script>alert(1)</script>` in login username echoed back
- XXE — `<!ENTITY xxe SYSTEM "file:///etc/passwd">` returns `/etc/passwd` in response
- OS Command Injection — `?page=terms.html;id` executes `id` and returns output
- Remote File Inclusion — `?page=rest` loads arbitrary PHP include
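For instructors running a blue-team side to the lab, here is an added example, not part of the Hackazon project, of detection rules for the five payload families listed above, run over constructed application-level request records. The record fields, request paths and the rules themselves are assumptions made for this example. Note that the login username and the XXE document travel in POST bodies, which a plain web-server access log does not record, so the example assumes application-level request logging that captures a `body` field.

```php
<?php
declare(strict_types=1);

// Added example (not Hackazon project code): classify request records by the
// payload families verified above. The records, field names and paths below
// are constructed for this example. POST bodies are not in a standard access
// log, so an application-level request log with a 'body' field is assumed.

const REQUESTS = [
    ['id' => 1, 'method' => 'GET',  'path' => '/search',            'query' => 'searchString=shirt', 'body' => ''],
    ['id' => 2, 'method' => 'GET',  'path' => '/search',            'query' => 'searchString=%27%20UNION%20SELECT%20user()%2C1--', 'body' => ''],
    ['id' => 3, 'method' => 'POST', 'path' => '/user/login',        'query' => '', 'body' => 'username=%3Cscript%3Ealert(1)%3C%2Fscript%3E&password=x'],
    ['id' => 4, 'method' => 'POST', 'path' => '/api/user',          'query' => '', 'body' => '<?xml version="1.0"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><user/>'],
    ['id' => 5, 'method' => 'GET',  'path' => '/account/documents', 'query' => 'page=terms.html%3Bid', 'body' => ''],
    ['id' => 6, 'method' => 'GET',  'path' => '/account/help',      'query' => 'page=rest', 'body' => ''],
    ['id' => 7, 'method' => 'GET',  'path' => '/account/help',      'query' => 'page=privacy.html', 'body' => ''],
];

/** Rules matched against every decoded parameter value and the raw body. */
const CONTENT_RULES = [
    'sqli_union' => '/\bunion\s+(?:all\s+)?select\b/i',
    'xss_script' => '/<\s*script\b|javascript\s*:/i',
    'xxe_entity' => '/<!ENTITY\b[^>]*\bSYSTEM\b/i',
];

/** Parse a query string or form body; the second decode catches %2527-style double encoding. */
function decodeParams(string $raw): array
{
    parse_str($raw, $params);  // parse_str already url-decodes once
    $out = [];
    foreach ($params as $k => $v) {
        $out[$k] = is_string($v) ? rawurldecode($v) : '';
    }
    return $out;
}

/** Rules for the page= include parameter used by the Help articles and Documents pages. */
function classifyPageParam(string $value): array
{
    $hits = [];
    if (preg_match('/[;|&`$]/', $value)) {                               // shell metacharacters reaching an OS command
        $hits[] = 'cmd_injection';
    }
    if (preg_match('#^(?:https?|ftp|php|data|expect)://#i', $value)) {  // URL or stream wrapper in an include path
        $hits[] = 'rfi';
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $value)) {              // allow-list: only plain static page names are expected
        $hits[] = 'page_param_anomaly';
    }
    return $hits;
}

/** Return the list of rule names that fire for one request record. */
function classifyRequest(array $req): array
{
    $params = decodeParams($req['query']) + decodeParams($req['body']);
    $haystack = implode("\n", array_merge(array_values($params), [rawurldecode($req['body'])]));
    $hits = [];
    foreach (CONTENT_RULES as $name => $re) {
        if (preg_match($re, $haystack) === 1) {
            $hits[] = $name;
        }
    }
    if (isset($params['page'])) {
        $hits = array_merge($hits, classifyPageParam($params['page']));
    }
    return array_values(array_unique($hits));
}

foreach (REQUESTS as $req) {
    $hits = classifyRequest($req);
    printf("#%d %-4s %-18s -> %s\n", $req['id'], $req['method'], $req['path'], $hits ? implode(', ', $hits) : 'clean');
}
```

Run it with `php detect.php`. The `page_param_anomaly` rule is deliberately broad (anything that is not `name.html`) because the include parameter's legitimate values are a small fixed set, so an allow-list catches `page=rest` and the `;id` variant without having to enumerate injection syntax; the signature rules then tell the analyst which family fired.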
Original application: Hackazon by Rapid7 — PHP 5.4 / PHPixie, all vulnerability design and training content by the Rapid7 team.
This migration was performed with the assistance of Claude Code (Anthropic). The migration preserves all intentional vulnerabilities exactly as designed in the original.