## https://sploitus.com/exploit?id=EE88CE65-3768-553B-989B-92C6B9CA2E80
# DEM β Docker Exploit Mapper
Welcome to **DEM**, a fully containerized
cybersecurity evaluation system designed to support authorized analysts
in conducting structured host discovery, container analysis,
vulnerability enumeration, exploitation testing, and reporting
operations.
DEM operates as a **self-contained Docker Compose environment**,
bundling the backend, frontend, and Neo4j database into isolated
containers.
---
## Table of Contents
- [Overview](#overview)
- [Interface Preview](#interface-preview)
- [Architecture Summary](#architecture-summary)
- [Containerized Services](#containerized-services)
- [Third-Party Tool Versions](#thirdparty-tool-versions)
- [Product Features](#product-features)
- [Deployment Using Docker Compose](#deployment-using-docker-compose)
- [Prerequisites](#prerequisites)
- [Deployment Steps](#deployment-steps)
- [Managing the Environment](#managing-the-environment)
- [Troubleshooting](#troubleshooting)
- [Database Schema](#database-schema)
- [Backend Architecture](#backend-architecture)
- [CAT 1 STIG Justification](#cat-1-stig-justification)
- [License](#license)
- [Support & Subsystem Responsibilities](#support--subsystem-responsibilities)
---
## Overview
DEM is an integrated vulnerabilityβassessment and exploitation platform
that unifies host discovery, container enumeration, topology mapping,
vulnerability analysis, exploitation workflows, and reporting into a
single cohesive system.
The platform enables analysts to:
- Detect hosts and running Docker
containers within a target host
- Retrieve metadata, open ports, services, and container configurations
- Analyze container relationships and generate interactive topology
visualizations
- Perform vulnerability enumeration using Trivy, Grype, Dockle, and
Gobuster
- Execute controlled exploitation with Metasploit and record supporting
artifacts
- Compile and export structured reports in PDF, CSV, or XML formats
DEM is designed for use within a controlled environment and assumes
users are authenticated prior to accessing the system. User
authorization is handled externally, while DEM focuses exclusively on
analysis, exploitation workflows, and reporting.
---
## Interface Preview
Dashboard
Discovery
Assessment
Exploitation
Reporting
Topology Map
## Architecture Summary
- **Frontend:** SvelteKit application (`5173`)
- **Backend:** FastAPI service (`8000`)
- **Database:** Neo4j Graph Database (`7474`, `7687`)
- **Security Tools:** Trivy, Grype, Gobuster, Nmap, Dockle, Metasploit
- **Managers:** Handle project lifecycle, scans, topology, dashboard functions, and secure DB operations.
### Containerized Services
DEM operates as four coordinated Docker containers, each with a dedicated role within the system architecture:
| Container | Purpose | Description |
|----------|----------|-------------|
| **Frontend** | User Interface | Hosts the SvelteKit application that delivers all pages for discovery, assessment, exploitation, reporting, and topology visualization. |
| **Backend** | API & Processing Layer | Runs the FastAPI backend, all managers, tool interfaces, routing logic, and system orchestration. |
| **Neo4j** | Primary Data Store | Stores projects, topology graphs, scan results, activities, notes, and all operational data. |
| **Neo4j Backup** | Automated Backup Sidecar | Continuously performs scheduled backups of Neo4j data volumes to prevent data loss during restarts, resets, or redeployments. |
### ThirdβParty Tool Versions
| Tool | Version |
|------|---------|
| Docker Engine | 28.x |
| Dockle | 0.4.15 |
| Gobuster | 3.6.0 |
| Grype | 0.91.0 |
| Trivy | 0.61.1 |
| Nmap | 7.95 |
| Metasploit Framework | 6.4 |
| SSH/OpenSSH | 10.x |
```
DEM/
βββ backend/
β βββ app/
β β βββ core/
β β βββ managers/
β β βββ models/
β β βββ routes/
β β βββ tools/
β β βββ utils/
β β βββ main.py
β βββ tests/
β βββ Dockerfile
β βββ pyproject.toml
β
βββ frontend/
β βββ src/
β β βββ lib/
β β βββ routes/
β βββ static/
β βββ package.json
β βββ Dockerfile
β
βββ sample_data/
βββ scripts/
βββ docker-compose.yml
βββ README.md
```
---
## Product Features
- **Project Management** (create, open, archive, import/export)
- **Container Identification**
- **Topology Mapping**
- **Vulnerability Analysis** using Trivy, Grype, Dockle, Gobuster
- **Exploitation Workflow** using Metasploit
- **Dashboard Management** (activity logs, notes, container history)
- **Report Generation** (PDF, XML, CSV)
---
## Deployment Using Docker Compose
### Prerequisites
- Docker Desktop or Docker Engine
- Ability to run Docker containers
- SSH tunnel to target hosts must be prepared prior to discovery
- Authorized DAC analyst access
---
### Deployment Steps
1. **Clone the repository**
```bash
git clone https://github.com/sofimaynez/CS4311_DEM_Bravo_Fall2025.git
cd CS4311_DEM_Bravo_Fall2025
```
2. **Start the environment**
``` bash
docker compose up --build
```
(Optional) Run the environment in the background (detached mode):
``` bash
docker compose up -d --build
```
This launches:
- Neo4j
- Neo4j backup
- FastAPI backend
- SvelteKit frontend
- All security tool interfaces
3. **Access services**
| Service | URL |
|---------|-----|
| Frontend | http://localhost:5173 |
| Backend API | http://localhost:8000 |
| Neo4j Browser | http://localhost:7474 |
4. **Health check**
```bash
curl http://localhost:8000/health
```
Expected:
```json
{"ok": true}
```
---
### Managing the Environment
| Action | Command |
|--------|---------|
| Stop all containers | `docker compose down` |
| Rebuild | `docker compose up --build` |
| View logs | `docker compose logs -f` |
| Restart backend | `docker compose restart backend` |
| Reset (remove volumes) | `docker compose down -v` |
---
### Troubleshooting
| Issue | Resolution |
|--------|------------|
| Port conflict | Free ports 7474, 7687, 8000, 5173 |
| Backend can't reach Neo4j | Wait 5β10 seconds; backend retries automatically |
| Containers start incorrectly | `docker compose down && docker compose up --build` |
| Neo4j password mismatch | Update the `NEO4J_AUTH` variable |
---
## Database Schema
```mermaid
flowchart TB
classDef root fill:#e8f0ff,stroke:#2f5597,stroke-width:1.5px,color:#1a3557,font-size:14px,font-weight:bold;
classDef mid fill:#f7f9fc,stroke:#8a9bb5,stroke-width:1.1px,color:#2f3a45,font-size:12px;
classDef leaf fill:#fff9e6,stroke:#c9a34e,stroke-width:1px,color:#5c4a1d,font-size:11px;
linkStyle default stroke:#777,stroke-width:0.8px,color:#444,fill:none;
Project["Project"]:::root
Host["Host"]:::mid
Container["Container"]:::mid
Scan["Scan"]:::mid
Vulnerability["Vulnerability"]:::leaf
Finding["Finding"]:::leaf
Activity["Activity Log"]:::mid
Note["Note"]:::mid
Project -->|HAS_HOST| Host
Host -->|HAS_CONTAINER| Container
Container -->|HAS_SCAN| Scan
Scan -->|FOUND| Vulnerability
Scan -->|FOUND| Finding
Project -->|HAS_ACTIVITY| Activity
Project -->|HAS_NOTE| Note
```
---
## Backend Architecture
```mermaid
flowchart TD
classDef api fill:#e7f0ff,stroke:#205295,stroke-width:1.5px,color:#102544,font-weight:bold;
classDef mgr fill:#f4f7ff,stroke:#3b6fb6,stroke-width:1.3px,color:#102544;
classDef tool fill:#edf4ff,stroke:#5b8fe0,stroke-width:1.3px,color:#102544;
classDef db fill:#d8e6ff,stroke:#1b437d,stroke-width:1.8px,color:#0b2440,font-weight:bold;
subgraph API_Routes["API Layer β Routes"]
direction TB
DiscoveryAPI
AssessmentAPI
ExploitationAPI
ReportsAPI
TopologyAPI
end
class API_Routes,DiscoveryAPI,AssessmentAPI,ExploitationAPI,ReportsAPI,TopologyAPI api;
subgraph Managers["Managers / Service Layer"]
direction TB
ProjectManager
ScanInfoManager
DiscoveryManager
ContainerInfoManager
HostInfoManager
DashboardManager
TopologyManager
ReportManager
NotesManager
ActivityManager
end
class Managers,ProjectManager,ScanInfoManager,DiscoveryManager,ContainerInfoManager,HostInfoManager,DashboardManager,TopologyManager,ReportManager,NotesManager,ActivityManager mgr;
subgraph Tools["Tool Interfaces"]
direction TB
NmapInterfacer
TrivyInterfacer
GrypeInterfacer
DockleInterfacer
GobusterInterfacer
MetasploitInterfacer
DockerInterfacer
end
class Tools,NmapInterfacer,TrivyInterfacer,GrypeInterfacer,DockleInterfacer,GobusterInterfacer,MetasploitInterfacer,DockerInterfacer tool;
subgraph DataLayer["Data & Security Layer"]
direction TB
DatabaseSecurityManager
DatabaseManager
Neo4j[(Neo4j Graph DB)]
end
class DataLayer,DatabaseSecurityManager,DatabaseManager,Neo4j db;
API_Routes --> Managers
Managers --> Tools
Managers --> DatabaseManager
DatabaseSecurityManager --> DatabaseManager
DatabaseManager --> Neo4j
```
---
## CAT 1 STIG Justification
This section documents mitigation and justification for all Category I
STIG vulnerabilities relevant to the DEM application.
| VULNERABILITY ID | DESCRIPTION | MITIGATING REASON |
|------------------|-------------|--------------------|
| V β 222400 | Validity periods must be verified on all application messages using WS-Security or SAML assertions. | For this project, this would not apply. |
| V β 222404 | The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. | For this project, this would not apply. |
| V β 222612 | The application must not be vulnerable to overflow attacks. | DEM mitigates overflow attacks by implementing: Input Validation Buffer Size Checks Secure Coding PracticesMemory Safety Languages Static Code Analysis Dynamic Analysis |
| V β 222578 | The application must destroy the session ID value and/or cookie on logoff or browser close. | There will be no sessions established on this project. |
| V β 222430 | The application must execute without excessive account permissions. | DEM will inherit permission inline with DAC Analysts. |
| V β 222432 | The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | For this project, this would not apply. |
| V β 222577 | The application must not expose session IDs. | For this project, this does not apply. |
| V β 222609 | The application must not be subject to input handling vulnerabilities. | DEM address input handling vulnerabilities by implementing: Avoid trusting user input Use parameterized queries File upload security (valid file types and restrict size)Error HandlingInput Validation |
| V β 222608 | The application must not be vulnerable to XML-oriented attacks | For this project, this does not apply. |
| V β 222602 | The application must protect from Cross-Site Scripting (XSS) vulnerabilities | DEM mitigates Cross-Site Scripting (XSS) vulnerabilities by implementing: Output encoding Use frameworks with built-in protection (.g. React, Angular, Vue...) Escape Dynamic JavaScript values |
| V β 222601 | The application must not store sensitive information in hidden fields | DEM does not store sensitive information in hidden fields by implementing these practices: Avoid Storing Sensitive Data Secure Communication Channels Use local storage Data Masking |
| V β 222607 | The application must not be vulnerable to SQL Injection. | Neo4J is a NoSQL database and not susceptible to traditional SQL injection attacks.DEM prevents NoSQL injection by implementing: Use parameterized queries Sanitize input Error Handling Update dependencies |
| V β 222604 | The application must be protected from command injection. | DEM mitigates command injection vulnerabilities, especially in the context of using Neo4J, by implementing: Use parameterized queries Sanitize input Error Handling Update dependencies |
| V β 222403 | The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | The analysts shall not be required to log in, so this does not apply. |
| V β 222585 | The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | DEM fails to a secure state by implementing: Error handlingGraceful initializationShutdown processAbort handlingTesting Scenarios |
| V β 222550 | The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path to an accepted trust anchor. | DEM shall validate certificates as necessary to ensure system security and trustworthiness. |
| V β 222522 | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | For this project, this would not apply. |
| V β 222554 | The application must not display passwords/PINs as clear text. | For this project, this would not apply. |
| V β 222596 | The application must protect the confidentiality and integrity of transmitted information. | DEM Will communicate with devices using an SSH Encrypted Channel. |
| V β 222399 | Messages protected with WS_Security must use time stamps with creation and expiration times. | N/ADEM will not use WS_Security tokens. |
| V β 222658 | All products must be supported by the vendor or the development team. | All products from DEM will be supported by the development team and vendor. |
| V β 222659 | The application must be decommissioned when maintenance or support is no longer available. | When decommissioned DEM will be available to terminate any files and storage |
| V β 222551 | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | All PKI-Based Authentication shall give access to a corresponding private key. |
| V β 222620 | Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. | DEM will have no use of the internet. |
| V β 222536 | The application must enforce a minimum 15-character password length. | For this project, this would not apply. |
| V β 222643 | The application must have the capability to mark sensitive/classified output when required. | DEM gives the option to mark sensitive data to specific users. |
| V β 222542 | The application must only store cryptographic representations of passwords. | For this project, this would not apply. |
| V β 222543 | The application must transmit only cryptographically-protected passwords. | For this project, this would not apply. |
| V β 222425 | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | DEM gives the approved user specific data they are entrusted with. |
| V β 222642 | The application must not contain embedded authentication data. | For this project, this would not apply. |
| V β 222662 | Default passwords must be changed. | For this project, this would not apply. |
| V β 222555 | The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | DEM will follow all the guidelines of Federal Laws, Executive Orders, Policies, Regulations, Stands for the cryptographic module. |
---
## License
This project is for educational, evaluation, and controlled deployment
use unless otherwise licensed.
---
## Support & Subsystem Responsibilities
| **Subsystem** | **Responsibilities** | **Contact** |
|---------------|-----------------------|------------------------|
| **Subsystem 1** | - Dashboard View & Backend- Discovery Views & Backends- Docker PS & SSH Tunnel Compatibility- Nmap Component | **Team 7**Ivan Armenta |
| **Subsystem 2** | - Projects Component- Assessment Views & Backends- Grype Component | **Team 16**Joe Mota |
| **Subsystem 3** | - Topology Map Views & Backends- Database- Trivy Component | **Team 14**Javier Falliner |
| **Subsystem 4** | - Exploitation Views & Backends- Reporting Views & Backends- Dockle Component | **Team 15**Victor Gonzalez |