| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 |
- <html class="" lang="en"><head>
- <meta charset="UTF-8">
- <title>IRIS Demonstration</title>
- <meta name="robots" content="noindex">
- <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Barlow:wght@100&display=swap">
- <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css">
- <link rel="stylesheet" href="/static/assets/css/bootstrap.min.css">
- <link rel="stylesheet" href="/static/assets/css/atlantis.css">
- <link rel="stylesheet" href="/static/assets/css/demo.css">
- <link rel="icon" href="/static/assets/img/logo.ico" type="image/x-icon"/>
- <script defer data-domain="v200.beta.dfir-iris.org" src="https://analytics.dfir-iris.org/js/plausible.js"></script>
- </head>
- <body class="landing-demo">
- <div class="ml-1 row justify-content-center mr-1">
- <div class="col-xl-8">
- <div class="card mt-3">
- <div class="mt-4">
- <div class="col d-flex justify-content-center">
- <a href="/" class="logo ml-2 text-center">
- <img src="/static/assets/img/logo-full-blue.png" alt="navbar brand" width="300rem">
- </a>
- </div>
- </div>
- <div class="row">
- <h4 class="ml-auto mr-auto"><span class="text-danger">shared</span> demonstration instance {{ iris_version }}</h4>
- </div>
- <div class="row">
- <h5 class="text-muted ml-auto mr-auto"><i>Try out IRIS, find bugs and security vulnerabilities</i></h5><br/>
- </div>
- <div class="row mt-4">
- </div>
- <div class="row mt-4">
- </div>
- <div class="row mt-2 mb-4">
- <div class="col-md-1 col-lg-2"></div>
- <div class="col-md-10 col-lg-8 ml-4">
- <h3 class=" ml-auto mr-auto">Kindly read the following carefully</h3><br/>
- <ul>
- <li><b>Do not upload any illegal or confidential materials</b></li>
- <li><b>Do not download and open files from other users blindly</b></li>
- <li><b>Respect a <a class="text-muted" target="_blank" rel="noopener noreferrer" href="https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#responsible-or-coordinated-disclosure">responsible disclosure</a> of 30 days if you find a vulnerability</b></li>
- </ul>
- <b>Not sure what IRIS is about? You'll find more info on the <a target="_blank" rel="noopener" href="https://dfir-iris.org">main website</a></b>
- </div>
- <div class="col-md-1 col-lg-2"></div>
- </div>
- <div class="row mt-3">
- <div class="col-md-1 col-lg-2"></div>
- <div class="col-md-10 col-lg-8 ml-4 mr-3">
- <p class="">Accounts to access the instance are available at the bottom of the page. If they don't work, try checking if there are not trailing spaces when copying. <br/>
- IRIS is not optimized to be used on phones. We recommend accessing it from a computer.<br/>
- If you notice anything suspicious or have any question, please <a href="mailto:contact@dfir-iris.org">contact us</a>. <br/>Note that the instance might be reset at any moment.</p>
- <p><i>By accessing this instance you confirm you read, understand and agree with all the information on this page.</i></p>
- </div>
- <div class="col-md-1 col-lg-2"></div>
- </div>
- <div class="row mt-4 mb-4 mr-2">
- <a class="btn btn-outline-success ml-auto mr-auto" target="_blank" rel="noopener" href="/login">
- Access IRIS
- </a>
- </div>
- <div class="row mt-4 mb-4 mr-2 justify-content-center">
- <div class="ml-mr-auto">
- <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseSecRules" aria-expanded="false" aria-controls="collapseSecRules">
- Rules of engagement
- </button>
- <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseLiability" aria-expanded="false" aria-controls="collapseLiability">
- Disclaimer
- </button>
- <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseAccounts" aria-expanded="false" aria-controls="collapseAccounts">
- Accounts
- </button>
- </div>
- </div>
- <div class="row mt-4 mb-4 mr-2 justify-content-center">
- <div class="col ml-4">
- <div class="collapse" id="collapseLiability">
- <div class="card card-body">
- <h3 class="mt-2">Disclaimer</h3>
- DFIR-IRIS is a non-profit organization. It is not responsible for any damage caused by the use of this site and any material contained in it, or from any action or decision taken as a result of using this site.<br/>
- It is not responsible for the content of any external sites linked to this site.<br/> By using this site, you acknowledge that content posted on this site is public and DFIR-IRIS cannot guarantee the security of any information disclose on it; you make such disclosures at your own risk.
- <h4 class="mt-2">Privacy</h4><br/>
- <p>This demonstration instance is shared and we cannot guarantee the privacy of data you might upload on it. We are not responsible for any data loss or data leak. </p>
- <p>To better understand the use of this instance, DFIR-IRIS uses a privacy-friendly cookie-less analytics. DFIR-IRIS does not collect any personal data. DFIR-IRIS does not use any third-party analytics and uses a self-hosted <a target="_blank" rel="noopener" href="https://plausible.io/">Plausible</a> instance.</p>
- </div>
- </div>
- <div class="collapse" id="collapseSecRules">
- <div class="card card-body">
- <h3 class="mt-2">Rules of engagement</h3>
- <p class=""><b>If you find a vulnerability</b>, <a href="mailto:contact@dfir-iris.org">contact us</a> before going public as it may impact systems already in production.<br/>
- In other words, please respect a responsible disclosure of 30 days. We will patch and then publish the vulnerability. Depending on the finding a CVE might be requested, and will have your name - except if you don't want to.<br/>
- You can report anything you find at <a href="mailto:contact@dfir-iris.org">contact@dfir-iris.org</a>.</p>
- <p class=""><b>The scope of the security tests</b> is limited to the Web Application IRIS hosted on <a class="" target="_blank" rel="noopener" href="{{ demo_domain }}">{{ demo_domain }}</a>.<br/>
- <span class="text-danger">Subdomains, SSH, scanning of the IP, BF, and other flavors are <b>out of scope.</b></span></p>
- We are mostly interested in the following:
- <ul>
- <li><b>authentication bypass</b>: achieve any action requiring an authentication without being authenticated. <span class="text-danger">Brute-force is not what we are looking for</span></li>
- <li><b>privilege escalations within the application</b>: from a standard user (<code>user_std_XX</code>) to administrative rights (<code>adm_XX</code>) on IRIS</li>
- <li><b>privilege escalations on the host server</b>: from a standard user (<code>user_std_XX</code>) to code execution on the server</li>
- <li><b>data leakage</b>: from a standard user (<code>user_std_XX</code>) read data of non-accessible cases (titled <code>Restricted Case XXX</code>)</li>
- </ul>
- <h3>Important Remarks</h3>
- <ul>
- <li>If you can, use a local instance of IRIS instead of this one. It only takes a few minutes to <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org/getting_started/">get it on docker.</a></li>
- <li>The administrators account can publish stored XSS on the platform via <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org/operations/custom_attributes/">Custom Attributes</a>. This is an operational requirement and not recognized as a vulnerability.</li>
- <li><b>Try not to be destructive.</b> If you manage to run code on the host server, do not try to go further.</li>
- </ul>
- <h3>Restrictions</h3>
- To keep this demo instance alive, there are some restrictions put in place.
- <ul>
- <li>The <code>administrator</code> account cannot be updated nor deleted.</li>
- <li>The accounts available on this page cannot be updated nor deleted.</li>
- <li>File upload in datastore is limited to 200KB per file.</li>
- </ul>
- <h3>Resources</h3>
- <p>You can read more about IRIS on the <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org">official documentation website</a>.<br/>
- IRIS is an open source app, so you can directly access the code on <a target="_blank" rel="noopener" href="https://github.com">GitHub</a>.</p>
- </div>
- </div>
- <div class="collapse" id="collapseAccounts">
- <div class="card card-body">
- <h3 class="mt-2">Accounts</h3>
- The following accounts are available on the instance. These users cannot be updated or deleted. However, new users and groups can be created.<br/>
- <b class="text-danger">If the passwords are not working, please double-check spaces were not added while copying.</b>
- <table class="table table-striped table-hover responsive">
- <thead>
- <tr>
- <th>Username</th>
- <th>Password</th>
- <th>Role</th>
- </tr>
- </thead>
- <tbody>
- {% for user in demo_users %}
- <tr>
- <td>{{ user.username }}</td>
- <td><code>{{ user.password }}</code></td>
- <td>{{ user.role }}</td>
- </tr>
- {% endfor %}
- </tbody>
- </table>
- </div>
- </div>
- </div>
- </div>
- </div>
- </div>
- </div>
- </body>
- <script src="/static/assets/js/core/jquery.3.2.1.min.js"></script>
- <script src="/static/assets/js/core/bootstrap.min.js"></script>
- <script type="module" src="/static/assets/js/iris/demo.js"></script>
- </html>
|
