Disclaimer

DFIR-IRIS is a non-profit organization. It is not responsible for any damage caused by the use of this site and any material contained in it, or from any action or decision taken as a result of using this site.
It is not responsible for the content of any external sites linked to this site.
By using this site, you acknowledge that content posted on this site is public and DFIR-IRIS cannot guarantee the security of any information disclose on it; you make such disclosures at your own risk.

Privacy

This demonstration instance is shared and we cannot guarantee the privacy of data you might upload on it. We are not responsible for any data loss or data leak.

To better understand the use of this instance, DFIR-IRIS uses a privacy-friendly cookie-less analytics. DFIR-IRIS does not collect any personal data. DFIR-IRIS does not use any third-party analytics and uses a self-hosted Plausible instance.

Rules of engagement

If you find a vulnerability, contact us before going public as it may impact systems already in production.
In other words, please respect a responsible disclosure of 30 days. We will patch and then publish the vulnerability. Depending on the finding a CVE might be requested, and will have your name - except if you don't want to.
You can report anything you find at contact@dfir-iris.org.

The scope of the security tests is limited to the Web Application IRIS hosted on v200.beta.dfir-iris.org.
Subdomains, SSH, scanning of the IP, BF, and other flavors are out of scope.

We are mostly interested in the following:

• authentication bypass: achieve any action requiring an authentication without being authenticated. Brute-force is not what we are looking for
• privilege escalations within the application: from a standard user (user_std_XX) to administrative rights (adm_XX) on IRIS
• privilege escalations on the host server: from a standard user (user_std_XX) to code execution on the server
• data leakage: from a standard user (user_std_XX) read data of non-accessible cases (titled Restricted Case XXX)

Important Remarks

• If you can, use a local instance of IRIS instead of this one. It only takes a few minutes to get it on docker.
• The administrators account can publish stored XSS on the platform via Custom Attributes. This is an operational requirement and not recognized as a vulnerability.
• Try not to be destructive. If you manage to run code on the host server, do not try to go further.

Restrictions

To keep this demo instance alive, there are some restrictions put in place.

• The administrator account cannot be updated nor deleted.
• The accounts available on this page cannot be updated nor deleted.
• File upload in datastore is limited to 200KB per file.

Resources

You can read more about IRIS on the official documentation website.
IRIS is an open source app, so you can directly access the code on GitHub.

Accounts

The following accounts are available on the instance. These users cannot be updated or deleted. However, new users and groups can be created.
If the passwords are not working, please double-check spaces were not added while copying.

Username	Password	Role
adm_1	ZL#la{KlgoG\Rq<s	Admin
adm_2	#(0ECliV'@l]Tp?I	Admin
adm_3	(Mm_X6XtIA~J^oY\	Admin
user_std_1	<*DoMC,sIS\Lq*Wn	User
user_std_2	[]OA%p/<[T`SG!~]	User
user_std_3	ICRLtx;nQ1(v4qm`	User
user_std_4	-=cMZw>q13#Q__\3	User
user_std_5	o,Ex6>$[G"bBj3`k	User
user_std_6	.Z0hLn6=_sC/5Ybq	User
user_std_7	saER]^D9+(2F#2]{	User
user_std_8	'ujrI`-qQ#-FB+En	User
user_std_9	!xIDI$tZ5s)4W2I@	User