Home
Hermes is a comprehensive cybersecurity education platform consisting of three integrated components designed for security testing, vulnerability assessment, and hands-on learning. This platform provides a complete ecosystem for understanding, detecting, and exploiting web application vulnerabilities in a controlled educational environment.
THIS PLATFORM CONTAINS INTENTIONAL SECURITY VULNERABILITIES
- DO NOT deploy in production environments
- DO NOT expose to public networks
- USE ONLY in isolated, controlled environments
- INTENDED FOR educational and training purposes only
Hermes consists of three integrated components working together to provide a complete cybersecurity learning experience:
Automated Vulnerability Scanner
- Comprehensive web application security scanner
- Automated detection of common vulnerabilities
- Educational reporting with detailed explanations
- Plugin-based architecture for extensibility
- RESTful API for integration
Deliberately Vulnerable Web Application
- Full-stack web application with intentional vulnerabilities
- OWASP ASVS Level 1 compliance testing platform
- Educational target for security testing practice
- Real-world application patterns with security flaws
Unified Security Testing Interface
- User-friendly interface for security testing workflows
- Integration hub for WebScanner and Weak Website
- Educational dashboards and learning modules
- Report generation and vulnerability visualization
- WebScanner Overview - Scanner capabilities and architecture
- WebScanner User Guide - Command-line and API usage
- WebScanner Installation - Setup and deployment
- User Guide - Application features and functionality
- Feature Overview - Detailed feature documentation
- User Workflows - Common user interaction patterns
- Technical Architecture - System design and technology stack
- Database Schema - Data models and relationships
- API Reference - RESTful endpoints and Swagger documentation
- GUI Overview - Interface capabilities and features
- GUI User Guide - User interface guide
- GUI Installation - Setup and deployment
- GUI Architecture - Technical architecture
- GUI Developer - Developer documentation
- Vulnerability Overview - OWASP ASVS mapping and vulnerability categories
- Security Architecture - Intentional security flaws vs. secure design
- SQL Injection - Authentication bypass and data extraction
- Cross-Site Scripting - XSS attack techniques
- File Upload Attacks - File-based vulnerability exploitation
- Authentication Bypass - Session and authentication attacks
- Parameter Pollution - HTTP parameter manipulation
- Path Traversal - Directory traversal attacks
- Command Injection - OS command execution
- Docker and Docker Compose
- Python 3.8+ (for WebScanner)
- Node.js 18+ (for development)
- Git
```bash
# Clone the repository
git clone <repository-url>
cd hermes-fullstack

# Start all components with Docker Compose
docker-compose up --build -d

# Access components
# GUI: http://localhost:8080
# Weak Website Client: http://localhost:8081
# Weak Website Server: http://localhost:3000
# WebScanner API: http://localhost:8000
```

```bash
# WebScanner
cd web-scanner
python src/main.py https://localhost:8081

# Weak Website
cd weak-website
docker-compose -f docker-compose.dev.yml up -d

# GUI
cd gui
npm run dev
```

This platform provides hands-on experience with:
- Vulnerability Discovery: Learn to identify security weaknesses
- Exploitation Techniques: Practice safe exploitation methods
- Security Tool Usage: Master industry-standard security tools
- Defensive Security: Understand security from both attack and defense perspectives
- Practical Demonstrations: Show real vulnerability examples
- Systematic Teaching: Structured learning progression
- Assessment Tools: Evaluate student security knowledge
- Safe Environment: Controlled testing platform
- Tool Testing: Evaluate security scanner effectiveness
- Methodology Validation: Test penetration testing approaches
- Skill Development: Practice advanced security techniques
- Training Delivery: Educational platform for team training
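Because the platform must never be reachable from outside the host, here is an added POSIX shell check (not part of the Hermes repository) that parses `docker ps` port output and flags any of the quick-start ports (8080, 8081, 3000, 8000) published on a non-loopback address; the container names in the constructed sample are assumptions.

```shell
#!/bin/sh
# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output for the
# four quick-start ports; the container names are assumptions, not Hermes's real ones.
SAMPLE_PS=$(printf '%s\t%s\n' \
  hermes-gui     '0.0.0.0:8080->80/tcp, :::8080->80/tcp' \
  hermes-client  '127.0.0.1:8081->80/tcp' \
  hermes-server  '0.0.0.0:3000->3000/tcp' \
  hermes-scanner '127.0.0.1:8000->8000/tcp')

# Read docker ps lines on stdin and print "container host_ip:host_port" for each
# published port whose host side is not a loopback address.
exposed_bindings() {
  awk -F '\t' '
    {
      n = split($2, maps, ", ")
      for (i = 1; i <= n; i++) {
        m = maps[i]
        sub(/->.*$/, "", m)                 # keep host side, e.g. "0.0.0.0:8080"
        if (m !~ /:/) continue              # container-only port, nothing published
        port = m; sub(/^.*:/, "", port)     # text after the last colon
        host = m; sub(/:[0-9]+$/, "", host) # text before it ("::" for IPv6 any)
        if (host != "127.0.0.1" && host != "::1" && host != "localhost")
          printf "%s %s:%s\n", $1, host, port
      }
    }'
}

# Succeed only when every published port is bound to loopback. A flagged service
# is fixed by publishing it as "127.0.0.1:8080:80" in docker-compose.yml.
check_loopback_only() {
  [ -z "$(exposed_bindings)" ]
}

# Stand-alone run against the constructed sample: lists the two exposed services.
printf '%s\n' "$SAMPLE_PS" | exposed_bindings
```

On a live host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into `exposed_bindings` and make it part of the lab setup checklist.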
```mermaid
graph TD
A[GUI Interface] --> B[Configure Scan Target]
B --> C[Weak Website]
C --> D[WebScanner Engine]
D --> E[Vulnerability Detection]
E --> F[Report Generation]
F --> G[GUI Visualization]
G --> H[Educational Content]
```
- Setup: Deploy platform components
- Explore: Use GUI to understand weak website features
- Scan: Configure WebScanner to test weak website
- Analyze: Review discovered vulnerabilities
- Learn: Study exploitation techniques
- Practice: Perform manual exploitation
- Document: Generate comprehensive reports
Perfect for:
- Computer Science Courses: Web security, ethical hacking
- Cybersecurity Programs: Hands-on penetration testing
- Professional Training: Corporate security awareness
- Certification Preparation: CEH, OSCP, CISSP
- OWASP ASVS: Application Security Verification Standard
- OWASP Top 10: Most critical security risks
- OWASP Testing Guide: Systematic testing methodology
- OWASP ZAP: Integration with popular security tools
- Framework: FastAPI
- HTTP Client: Requests
- Testing: pytest
- Quality: flake8, black
- Frontend: React 18 + TypeScript + TailwindCSS
- Backend: NestJS + TypeScript + TypeORM
- Database: MySQL 8.0+
- Framework: Ionic + React
- Language: TypeScript
- Testing: Cypress (E2E), Jest (Unit)
- Build: Vite
- Containerization: Docker + Docker Compose
- Development: Docker Dev environments
- Orchestration: Multi-container deployment
- Follow GitHub wiki markdown conventions
- Include practical examples and code snippets
- Reference specific code locations with file paths and line numbers
- Maintain cross-references between related pages
- Implement educational vulnerabilities responsibly
- Include clear security warnings
- Provide detailed exploitation examples
- Maintain educational focus in all features
- Documentation: Search existing wiki pages
- Issue Tracker: Check GitHub issues for common problems
- Community: Engage with educational cybersecurity community
- OWASP Resources: Leverage OWASP documentation and tools
- Use GitHub issue tracker
- Provide detailed reproduction steps
- Include environment information
- Specify affected component (WebScanner/Weak Website/GUI)
- Educational Purpose Only: Use for authorized learning and testing
- Isolated Environment: Never deploy on public or production systems
- Respect Privacy: Use only test data, never real personal information
- Follow Laws: Comply with local cybersecurity and computer crime laws
- Authorized Testing Only: Test only systems you own or have explicit permission to test
- Responsible Disclosure: Report real vulnerabilities through proper channels
- No Malicious Use: Never use these techniques for illegal activities
- Educational Documentation: Maintain learning records and portfolios
Mission: Hermes empowers cybersecurity education through hands-on learning, combining theoretical knowledge with practical experience in a safe, controlled environment.
- Quick Start Guide - Platform deployment and setup
- Installation - Detailed installation instructions
- WebScanner Overview - Understand the scanning component
- GUI Overview - Explore the user interface
- Vulnerability Overview - Understand security weaknesses
- SQL Injection - Start with fundamental attacks
- Cross-Site Scripting - Client-side vulnerabilities
- Testing Methodology - Systematic assessment approach
- Security Architecture - Deep security analysis
- Tools and Scripts - Automation and tooling
- User Workflows - Complex testing scenarios
Legend: ✅ Complete | 🚧 In Progress | 📋 Planned