L33T Mario is a web game/application in which you, as Mario, have to rescue the princess just like in the classic, except that you play it by hacking. It's a deliberately vulnerable web application where you exploit a vulnerability to get through each level, with every level harder than the last, until you finally rescue the princess.
It's made for a YouTube video and to help beginners learn Web Application Security with a little nostalgia and fun.
It was written in one night, and I haven't even bothered to document or clean the code; I just pushed it to master when it finally worked 😂! I mean, you can still understand what's going on, but playing the game is the main point.
I will work on cleaning & documenting the code later on when I add more levels/vulnerabilities to the game.
Currently, Linux is the only supported operating system. Since the application is intentionally vulnerable (the levels include command injection, LFI and SSRF, among others), run it in a disposable VM or container and do not expose it beyond localhost.
Apache Setup:
$ cd /var/www/html/
$ git clone https://github.com/mufeedvh/l33tmario.git
$ cd l33tmario/
$ ./setup.sh
Using Docker:
$ git clone https://github.com/mufeedvh/l33tmario.git
$ cd l33tmario/
$ docker-compose up -d
$ curl -I http://127.0.0.1 # check that the container is up and answering
- IDOR (Insecure Direct Object Reference)
- XSS (Cross-site Scripting)
- Information Disclosure
- Broken Access Control
- Command Injection
- LFI (Local File Inclusion)
- SSTI (Server-side Template Injection)
- SSRF (Server-side Request Forgery)
- XXE (XML External Entity)
- Open Redirect
- SQL Injection
- DOM Clobbering
More vulnerabilities, including the ones still pending, will be covered in later levels/versions.
Ways to contribute
- Suggest a level idea
- Add a new level
- Clean the code
- Report any unintentional vulnerabilities
- Fix something and open a pull request
- Help me document the code
- Spread the word
Licensed under the MIT License, see LICENSE for more information.