# CSPJ Application
## Services
- 3331: Apache + ModSecurity
- 3332: Suricata
- 3333: Backend server
- 3334: Python backend server
- 3335: PostgreSQL
1. PostgreSQL
2. ~~Python ML server~~
3. Backend server
4. ~~Suricata~~
5. Apache + ModSecurity
6. Client
## Presentation Flow
1. [video] start postgres: postgres docker compose -> start pg docker
2. [video] start backend: show main.go -> http.go -> db.go -> go build . -> ./server
3. [video] setup db: postman -> /nuke-db -> /setup-demo-db
4. skip account registration
5. [video] login account normally -> show normal login
6. [video] do sql injection on unsecure endpoint -> show success
7. [video] do sql injection on secure endpoint -> show failure
8. [slides] show backend code, unsecure login endpoint -> show concatenation of sql query
9. [slides] show backend code, secure login endpoint -> parameterization of sql query
10. [video] start apache reverse proxy + modsecurity: docker compose file -> start docker
11. [video] change server url on client to reverse proxy -> do sql injection -> show rejection
12. [video] zaproxy scan endpoint: start zaproxy -> send first request to unsecure server endpoint with arguments -> include context -> start attack -> show breached
    1. `Content-Type: application/json`
    2. same as above
13. [video] zaproxy scan reverse proxy: send first request to unsecure reverse proxy endpoint with arguments -> include context -> start attack -> show unbreached
## Server
**Only listening on localhost is supported. DO NOT run this on a public IP.**
- `/health`
- `/health-db`
- `/setup-demo-db`
- `/nuke-db`
- `/fetch-all-users`
### SQL Injection
Demo payloads used in the presentation:

- `' OR 1=1; --`
- `tohyouxuan@gmail.com' UNION SELECT id, email, password FROM users WHERE email = 'tohyouxuan@gmail.com'; --`

Endpoints:

- `/unsecure-register-sql`
- `/secure-register-sql`
- `/unsecure-login-sql`
- `/secure-login-sql`
#### 1. Parameterization of Queries
The secure endpoints call `pool.Query()` with a parameterized query instead of building the SQL string by concatenating user input into it.

Parameterized queries separate the SQL code from the data: user input never becomes part of the query's structure. Placeholders stand in for the values, which are passed separately as parameters, and the database treats them as data, not as executable SQL.
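Added example (not the project's own handler code) showing the difference between the two login endpoints: a `Querier` interface and `recorder` fake are assumed stand-ins for the pool, so the block records what the database would receive instead of connecting to PostgreSQL.

```go
package main

import (
	"context"
	"fmt"
)

// Querier is the subset of a pool API this example needs; its shape
// is assumed, modelled on pool.Query(ctx, sql, args...).
type Querier interface {
	Query(ctx context.Context, sql string, args ...any) error
}

// recorder is a constructed stand-in for the database pool: it
// records what the server would receive instead of executing it.
type recorder struct {
	SQL  string
	Args []any
}

func (r *recorder) Query(_ context.Context, sql string, args ...any) error {
	r.SQL, r.Args = sql, args
	return nil
}

// unsecureLogin concatenates user input into the statement text,
// so the input becomes part of the SQL structure.
func unsecureLogin(ctx context.Context, q Querier, email, password string) error {
	stmt := fmt.Sprintf("SELECT id FROM users WHERE email = '%s' AND password = '%s'", email, password)
	return q.Query(ctx, stmt)
}

// secureLogin keeps the statement text constant and passes the
// values as parameters, which the database binds as data only.
func secureLogin(ctx context.Context, q Querier, email, password string) error {
	const stmt = "SELECT id FROM users WHERE email = $1 AND password = $2"
	return q.Query(ctx, stmt, email, password)
}

func main() {
	payload := "' OR 1=1; --" // the demo payload from the section above
	u, s := &recorder{}, &recorder{}
	_ = unsecureLogin(context.Background(), u, payload, "x")
	_ = secureLogin(context.Background(), s, payload, "x")
	fmt.Println("unsecure statement:", u.SQL)
	fmt.Println("secure statement:  ", s.SQL, "args:", s.Args)
}
```

Running it shows the unsecure statement's `WHERE` clause rewritten by the payload, while the secure statement text is identical for every input and the payload only ever appears in the argument list.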
## ZAP
`Content-Type: application/json`

```json
{
  "email": "tohyouxuan@gmail.com",
  "password": "testpassword"
}
```