POC / docker-compose.yml YML
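# `version` is informational only under Compose V2 (`docker compose`),
# which the usage below assumes.
version: "3.8"

# CVE-2020-13654 - XWiki Platform < 12.8 - Stored XSS Lab
# Author: Astaruf (nstsec.com)
#
# Usage:
#   docker compose up -d
#   Wait ~2 minutes for XWiki to initialize
#   Open: http://localhost:8080
#   docker compose down -v   # tear down and drop the lab volumes when done
#
# Isolation notes:
#   - The xwiki image is pinned to a release affected by the CVE above, so
#     this stack is for an isolated test host only.
#   - Published ports are bound to 127.0.0.1. A bare "8080:8080" mapping
#     publishes on every host interface, which would expose the vulnerable
#     instance to the local network.
#   - The database credentials below are throwaway lab values; never reuse
#     them outside this lab.

services:
  xwiki:
    # Pinned on purpose: do not bump this tag, the lab depends on it.
    image: xwiki:11.10.5-postgres-tomcat
    container_name: cve-2020-13654-xwiki
    ports:
      # Loopback only, matching the documented http://localhost:8080 usage.
      - "127.0.0.1:8080:8080"
    environment:
      DB_USER: xwiki
      DB_PASSWORD: xwikipassword
      DB_DATABASE: xwiki
      DB_HOST: db
    depends_on:
      db:
        # Start XWiki only once the db healthcheck below passes.
        condition: service_healthy
    volumes:
      - xwiki_data:/usr/local/xwiki
    networks:
      - xwiki_net

  db:
    image: postgres:13
    container_name: cve-2020-13654-db
    # No `ports:` entry: PostgreSQL is reachable only from containers on
    # xwiki_net, never from the host or the network.
    environment:
      POSTGRES_USER: xwiki
      POSTGRES_PASSWORD: xwikipassword
      POSTGRES_DB: xwiki
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - xwiki_net
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U xwiki"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Minimal cookie-catcher server (listens on host port 9000)
  cookie_catcher:
    image: python:3.11-slim
    container_name: cve-2020-13654-catcher
    ports:
      # Loopback only: the lab is driven from a browser on this host.
      - "127.0.0.1:9000:9000"
    volumes:
      # NOTE(review): this bind mount could be read-only (append `:ro`) if
      # cookie_catcher.py never writes under /exploit - confirm first.
      - ../exploit:/exploit
    command: python /exploit/cookie_catcher.py
    networks:
      - xwiki_net

volumes:
  xwiki_data:
  postgres_data:

networks:
  xwiki_net:
    driver: bridge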