# Feature Overview

Page from the capstone-hermes/hermes-fullstack GitHub Wiki.

## 🚨 Educational Purpose Only
This application contains intentional security vulnerabilities for educational purposes. Never deploy in production environments.

## Core Features

### User Authentication System
- Registration: Account creation with email/password
- Login: Basic authentication (deliberately insecure)
- Password Management: Change password functionality
- Session Management: JWT-based sessions (hardcoded secrets)

**Educational Vulnerabilities:**
- SQL injection in authentication
- Weak password policies
- Hardcoded JWT secrets
- No rate limiting
- Predictable session tokens
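The first two points in this list, hardcoded JWT secrets and the sessions built on them, are the ones a developer is most likely to copy into real code. The block below is an added example written for this wiki page, not code from the hermes-fullstack project: it shows the weak pattern (a secret literal in the source; the value here is a constructed placeholder) beside a startup check that loads `JWT_SECRET` from the environment and refuses to run when it is missing, well known, or shorter than the 256-bit floor RFC 7518 §3.2 requires for HS256. A minimal HS256 issue/verify pair is included so the example is self-contained; a real service would use a maintained JWT library. The function and variable names are this example's own.

```typescript
import * as crypto from "node:crypto";

// The weak pattern the wiki describes: a secret baked into the source tree.
// Constructed placeholder for this example, not the project's actual value.
export const HARDCODED_SECRET = "changeme";

// RFC 7518 §3.2: an HS256 key must be at least as long as the hash output (256 bits).
const MIN_SECRET_BYTES = 32;
const KNOWN_WEAK = new Set(["secret", "changeme", "password", "jwt_secret", "jwtsecret"]);

// Hardened counterpart: read the secret from the environment and fail fast when it
// is missing, a well-known default, or too short. `env` is a parameter so the check
// can be exercised without touching process.env.
export function loadJwtSecret(env: Record<string, string | undefined>): Buffer {
  const raw = env.JWT_SECRET;
  if (!raw) throw new Error("JWT_SECRET is not set; refusing to start");
  if (KNOWN_WEAK.has(raw.toLowerCase())) throw new Error("JWT_SECRET is a well-known default value");
  const key = Buffer.from(raw, "utf8");
  if (key.length < MIN_SECRET_BYTES) {
    throw new Error(`JWT_SECRET must be at least ${MIN_SECRET_BYTES} bytes, got ${key.length}`);
  }
  return key;
}

// Produces a value suitable for JWT_SECRET: 32 random bytes, hex-encoded.
export function generateJwtSecret(): string {
  return crypto.randomBytes(MIN_SECRET_BYTES).toString("hex");
}

export const b64urlJson = (o: object): string =>
  Buffer.from(JSON.stringify(o), "utf8").toString("base64url");

// Decodes one base64url JSON segment; null on malformed input instead of throwing.
function decodeJson(segment: string): Record<string, unknown> | null {
  try {
    const parsed = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return parsed !== null && typeof parsed === "object" ? parsed : null;
  } catch {
    return null;
  }
}

// Minimal HS256 issuer, here only so the verification path can be demonstrated.
export function issueToken(payload: Record<string, unknown>, key: Buffer): string {
  const signingInput = `${b64urlJson({ alg: "HS256", typ: "JWT" })}.${b64urlJson(payload)}`;
  const sig = crypto.createHmac("sha256", key).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Returns the payload when the token is genuine and unexpired, null otherwise.
// `nowSeconds` is injectable so expiry handling can be tested deterministically.
export function verifyToken(
  token: string,
  key: Buffer,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const hdr = decodeJson(header);
  const payload = decodeJson(body);
  if (hdr === null || payload === null) return null;
  // The algorithm is fixed server-side; never let the token choose it ("none", RS/HS confusion).
  if (hdr.alg !== "HS256") return null;
  const expected = crypto.createHmac("sha256", key).update(`${header}.${body}`).digest();
  const actual = Buffer.from(sig, "base64url");
  // Constant-time comparison so signature checking does not leak by timing.
  if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual)) return null;
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) return null;
  return payload;
}
```

Run `loadJwtSecret(process.env)` once at boot and keep the returned `Buffer` in memory; the deployment then fails loudly on a missing or weak secret instead of silently signing every session with the same value that is checked into the repository.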

### Content Management
- Post Creation: Users can create and publish posts
- Post Viewing: Browse all user posts
- Rich Content: Support for text and media content
- User Profiles: Basic user information display

**Educational Vulnerabilities:**
- XSS in post content
- No content validation
- CSRF vulnerabilities
- Insecure direct object references

### File Management
- File Upload: Upload various file types
- File Download: Access uploaded files
- File Processing: Basic file manipulation
- File Execution: Command execution on files

**Educational Vulnerabilities:**
- Unrestricted file upload
- Path traversal attacks
- Command injection via file processing
- No file type validation
- Executable file uploads allowed
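Path traversal and missing file type validation in the download/upload handlers above share one fix: never let the requested name participate in path arithmetic until it has been validated, and confirm the final path is still inside the upload root. The block below is an added example for this page, not code from the hermes-fullstack project. The upload directory, the extension allow-list and the function names are this example's own assumptions; the wiki does not state where the project stores files or which types it accepts.

```typescript
import * as path from "node:path";

// Assumed upload location for this example; the wiki does not name the real one.
export const UPLOAD_ROOT = path.resolve("/srv/hermes-uploads");

// Allow-list of extensions the download endpoint will serve (constructed for
// this example). Denying a list of "dangerous" extensions is the weaker choice.
const ALLOWED_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"]);

// Conservative character set: no separators of either flavour, no NUL bytes,
// no leading dot, bounded length. Rejecting early keeps the path logic simple.
const SAFE_NAME = /^[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}$/;

// The vulnerable pattern the wiki lists under File Download: the requested name
// is joined straight onto the root, so "../" segments walk out of it.
export function unsafeResolve(requested: string): string {
  return path.join(UPLOAD_ROOT, requested);
}

export type ResolveResult =
  | { ok: true; fullPath: string }
  | { ok: false; reason: string };

// Hardened counterpart: validate the name, allow-list the extension, then verify
// the normalised path is still under UPLOAD_ROOT before any filesystem access.
export function safeResolve(requested: string): ResolveResult {
  if (!SAFE_NAME.test(requested)) {
    return { ok: false, reason: "filename contains disallowed characters" };
  }
  const ext = path.extname(requested).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension '${ext || "(none)"}' not allowed` };
  }
  const fullPath = path.resolve(UPLOAD_ROOT, requested);
  const rel = path.relative(UPLOAD_ROOT, fullPath);
  // Belt and braces: even a name that passed the regex must land inside the root.
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    return { ok: false, reason: "resolved path escapes upload root" };
  }
  return { ok: true, fullPath };
}

// For logging and detection: true when the naive join would have left the root.
// Lets a handler record blocked traversal attempts separately from ordinary 404s.
export function isTraversalAttempt(requested: string): boolean {
  const naive = path.resolve(unsafeResolve(requested));
  const rel = path.relative(UPLOAD_ROOT, naive);
  return rel.startsWith("..") || path.isAbsolute(rel);
}
```

In a NestJS controller the handler would call `safeResolve(req.params.name)` and return 400 on `ok: false`, logging the `reason` and the result of `isTraversalAttempt` so the blue-team side of the lab has something to alert on.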

### Input Processing
- Form Handling: Various input forms throughout application
- Data Validation: Minimal client-side validation only
- Parameter Processing: URL and form parameter handling
- Search Functionality: Basic search features

**Educational Vulnerabilities:**
- HTTP Parameter Pollution
- NoSQL injection vectors
- Insufficient input validation
- Unescaped output rendering

### API Endpoints
- RESTful API: Standard CRUD operations
- Authentication API: Login/logout endpoints
- File API: Upload/download functionality
- User API: Profile management

**Educational Vulnerabilities:**
- Insecure API design
- Missing authorization checks
- Verbose error messages
- No rate limiting

### Security Information Dashboard
- OWASP ASVS Mapping: View implemented vulnerabilities
- Vulnerability Categories: Browse by security weakness
- Educational Resources: Links to learning materials
- Testing Guidance: Hints for penetration testing

## Technology Stack Features

### Frontend (React + TypeScript)
- Modern React functional components
- TypeScript for type safety
- Responsive design with Tailwind CSS
- Form validation (deliberately weak)
- Client-side routing

### Backend (NestJS + TypeScript)
- RESTful API architecture
- TypeORM for database operations
- JWT authentication
- File upload handling
- Error handling (deliberately verbose)

### Database (MySQL)
- User account storage
- Post content management
- File metadata tracking
- Session information

### Infrastructure
- Docker containerization
- Docker Compose orchestration
- Environment configuration
- Development/production modes

## Learning Objectives

### For Security Students
- Vulnerability Identification: Learn to spot common web vulnerabilities
- Exploitation Techniques: Practice safe exploitation methods
- Impact Assessment: Understand real-world attack consequences
- Remediation Strategies: Learn proper security implementations

### For Developers
- Secure Coding: Understand common coding mistakes
- Input Validation: Learn proper validation techniques
- Authentication Security: Implement secure auth systems
- API Security: Design secure REST APIs

### For Penetration Testers
- Web Application Testing: Practice systematic testing approaches
- Tool Usage: Learn various security testing tools
- Report Writing: Document findings effectively
- Client Communication: Explain vulnerabilities to stakeholders

## Usage Scenarios

### Classroom Environment
- Instructor-led vulnerability demonstrations
- Student hands-on practice sessions
- Group penetration testing exercises
- Security code review workshops

### Self-Study
- Individual vulnerability exploration
- Personal skill development
- Certification exam preparation
- Portfolio project development

### Security Training
- Corporate security awareness
- Developer security training
- Red team skill building
- Blue team detection practice

## Safety Features

### Isolation
- Containerized deployment
- Network isolation options
- No external network access required
- Local development focus

### Reset Capability
- Database reset functionality
- Container restart procedures
- Clean state restoration
- Progress tracking options

### Educational Warnings
- Clear vulnerability indicators
- Educational purpose statements
- Authorized testing reminders
- Legal compliance guidance

## Next Steps
- User Workflows - Detailed user interaction flows
- Security Architecture - Security design principles
- Testing Methodology - Systematic testing approaches