<!DOCTYPE html>
<html>
<head>
    <title>Acunetix Art - Test Site</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <style>
        body {
            margin: 0;
            padding: 0;
            font-family: Arial, Helvetica, sans-serif;
            font-size: 13px;
            color: #333;
            background: #fff;
        }
        #mainLayer {
            width: 900px;
            margin: 0 auto;
            padding: 10px;
        }
        #masthead {
            background: #1a1a2e;
            padding: 15px 20px;
            border-bottom: 3px solid #e94560;
        }
        #masthead h1 {
            margin: 0;
            font-size: 14px;
        }
        #masthead h1 a {
            color: #fff;
            text-decoration: none;
        }
        #masthead #siteInfo {
            color: #aaa;
            font-size: 11px;
            margin: 5px 0 0 0;
            font-weight: normal;
        }
        #masthead #siteInfo a {
            color: #e94560;
        }
        #navbar {
            background: #16213e;
            padding: 8px 20px;
            font-size: 12px;
        }
        #navbar a {
            color: #ccc;
            text-decoration: none;
            padding: 4px 10px;
            border-right: 1px solid #333;
        }
        #navbar a:hover {
            color: #e94560;
        }
        #navbar a:last-child {
            border-right: none;
        }
        #content {
            padding: 20px;
            min-height: 400px;
            background: #fafafa;
        }
        #footer {
            background: #1a1a2e;
            color: #888;
            padding: 15px 20px;
            font-size: 11px;
            text-align: center;
            border-top: 3px solid #e94560;
        }
        #footer a {
            color: #e94560;
            text-decoration: none;
        }
        .warning-banner {
            background: #fff3cd;
            color: #856404;
            border: 1px solid #ffeeba;
            padding: 12px 20px;
            font-size: 12px;
            text-align: center;
        }
        .warning-banner strong {
            color: #dc3545;
        }
        h2 {
            color: #1a1a2e;
            font-size: 20px;
            border-bottom: 2px solid #e94560;
            padding-bottom: 8px;
        }
        table {
            border-collapse: collapse;
            width: 100%;
        }
        table td, table th {
            border: 1px solid #ddd;
            padding: 8px;
            font-size: 12px;
        }
        table th {
            background: #1a1a2e;
            color: #fff;
            text-align: left;
        }
        table tr:nth-child(even) {
            background: #f9f9f9;
        }
        table tr:hover {
            background: #f1f1f1;
        }
        a {
            color: #0d6efd;
        }
        input[type=text], input[type=password], input[type=email], textarea, select {
            border: 1px solid #ccc;
            padding: 6px 10px;
            font-size: 13px;
            border-radius: 3px;
        }
        input[type=submit], button {
            background: #1a1a2e;
            color: #fff;
            border: none;
            padding: 8px 16px;
            font-size: 13px;
            border-radius: 3px;
            cursor: pointer;
        }
        input[type=submit]:hover, button:hover {
            background: #e94560;
        }
        .error {
            color: #dc3545;
            font-weight: bold;
        }
        .product-grid {
            display: flex;
            flex-wrap: wrap;
            gap: 20px;
        }
        .product-card {
            border: 1px solid #ddd;
            padding: 15px;
            width: 220px;
            background: #fff;
            border-radius: 5px;
        }
        .product-card h4 {
            margin: 0 0 8px 0;
            color: #1a1a2e;
        }
        .product-card .price {
            color: #e94560;
            font-size: 16px;
            font-weight: bold;
        }
        .product-card a {
            display: inline-block;
            margin-top: 8px;
            background: #16213e;
            color: #fff;
            padding: 5px 12px;
            text-decoration: none;
            border-radius: 3px;
            font-size: 12px;
        }
        .product-card a:hover {
            background: #e94560;
        }
    </style>
</head>
<body>

<div id="mainLayer">

<div id="masthead">
    <h1><a href="index.php">Acunetix Art</a></h1>
    <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
</div>

<div id="navbar">
    <a href="index.php">home</a> |
    <a href="categories.php">categories</a> |
    <a href="artists.php">artists</a> |
    <a href="disclaimer.php">disclaimer</a> |
    <a href="cart.php">your cart</a> |
    <a href="guestbook.php">guestbook</a> |
    <a href="AJAX/index.php">AJAX Demo</a> |
    <a href="search.php">search</a> |
    <a href="contact.php">contact</a> |
    <a href="upload.php">upload</a> |
    <a href="redirect.php">redirect</a> |
    <a href="server.php">server</a> |
    <a href="api.php">API</a> |
    <a href="xml.php">XML</a> |
    <a href="eval.php">eval</a> |
            <a href="login.php">login</a> |
        <a href="secured/newuser.php">signup</a>
    </div>

<div class="warning-banner">
    <strong>WARNING:</strong> This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks.
    It is intended to help you test security scanners and practice manual hacking skills.
    <br>Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.
</div>

<div id="content">
<h2>Insecure CORS API</h2>
<p>This endpoint returns <code>Access-Control-Allow-Origin: *</code> with credentials allowed.</p>

<h3>API Endpoints</h3>
<table>
    <tr><th>Method</th><th>URL</th><th>Description</th></tr>
    <tr><td>GET</td><td><a href="api.php?endpoint=artists">?endpoint=artists</a></td><td>Returns all artists as JSON</td></tr>
    <tr><td>GET</td><td><a href="api.php?endpoint=pictures">?endpoint=pictures</a></td><td>Returns all pictures as JSON</td></tr>
    <tr><td>GET</td><td><a href="api.php?endpoint=users">?endpoint=users</a></td><td>Returns users (SQLi vulnerable)</td></tr>
    <tr><td>GET</td><td><a href="api.php?endpoint=search&q=test">?endpoint=search&q=test</a></td><td>Search (SQLi vulnerable)</td></tr>
</table>

<h3>Test CORS from Console</h3>
<pre>
fetch('http://YOUR_SERVER/api.php?endpoint=users', {
    credentials: 'include'
}).then(r => r.json()).then(console.log)
</pre>

[{"userid":"90","uname":"Test User","email":"test@example.com","cc":"test","phone":null,"address":null},{"userid":"89","uname":"pHqghUme","email":"testing@example.com","cc":"4111111111111111","phone":null,"address":null}]