# CSPJ Application
## Services
- 3331: Apache + ModSecurity
- 3332: Suricata
- 3333: Backend server
- 3334: Python backend server
- 3335: PostgreSQL
### Backend-for-frontend server

!remember to set the environment variables
!include this in the setup instructions
!should we use a .env file and let the user set the variables?

```
PGHOST=localhost
PGPORT=5432
PGDATABASE=asdfdb
PGUSER=asdfuser
PGPASSWORD=asdfpassword
```
## Server
!only listening on localhost is supported. DO NOT run this on a public IP.
- `/health`
- `/health-db`
- `/setup-demo-db`
- `/nuke-db`
- `/fetch-all-users`
### SQL Injection
Use `' OR 1=1; --`
Use `tohyouxuan@gmail.com' UNION SELECT id, email, password FROM users WHERE email = 'tohyouxuan@gmail.com'; --`
- `/unsecure-register-sql`
- `/secure-register-sql`
- `/unsecure-login-sql`
- `/secure-login-sql`
#### 1. Parameterization of Queries
Used `pool.Query()` with a parameterized query instead of dynamically constructing the SQL string by inserting the user input directly.
Parameterized queries separate the SQL code from the data: user input is never placed into the query's structure. Placeholders stand in for the values, and the data is passed as separate parameters, so the database treats it as data, not as executable code.
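As an added example (not the project's own code), written in Go because the README's `pool.Query()` points at pgx: it sets the string-built query of the unsecure login endpoint beside the placeholder form, and uses a hypothetical `skeleton` helper to show that the `' OR 1=1; --` payload above rewrites the SQL code in the first case but remains a plain argument in the second. The table and column names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input: the first payload quoted in this README.
const injectionPayload = "' OR 1=1; --"

// unsafeLoginSQL mirrors the /unsecure-login-sql approach: user input is
// spliced into the SQL text, so it can rewrite the statement itself.
func unsafeLoginSQL(email, password string) string {
	return fmt.Sprintf(
		"SELECT id, email FROM users WHERE email = '%s' AND password = '%s'",
		email, password)
}

// safeLoginSQL mirrors /secure-login-sql: the SQL text is a constant with
// $1/$2 placeholders (PostgreSQL/pgx style) and the input travels separately,
// e.g. pool.Query(ctx, sqlText, args...). The text is the same for every input.
func safeLoginSQL(email, password string) (sqlText string, args []any) {
	return "SELECT id, email FROM users WHERE email = $1 AND password = $2",
		[]any{email, password}
}

// skeleton (hypothetical helper) blanks every single-quoted literal so only
// the part the database parses as SQL code remains. It ignores PostgreSQL's
// other quoting rules (E'...', $$...$$), which is enough for this demo.
var literal = regexp.MustCompile(`'[^']*'`)

func skeleton(sqlText string) string {
	return strings.Join(strings.Fields(literal.ReplaceAllString(sqlText, "?")), " ")
}

// structureChanged reports whether an input changes the SQL code of the
// string-built query compared with an ordinary login.
func structureChanged(email, password string) bool {
	benign := skeleton(unsafeLoginSQL("user@example.com", "hunter2"))
	return skeleton(unsafeLoginSQL(email, password)) != benign
}

func main() {
	fmt.Println("unsafe:", skeleton(unsafeLoginSQL(injectionPayload, "x")))
	fmt.Println("changed:", structureChanged(injectionPayload, "x")) // true
	text, args := safeLoginSQL(injectionPayload, "x")
	fmt.Println("safe:", skeleton(text), "args:", args) // text unchanged
}
```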
## ZAP
Content-Type: application/json

```json
{
  "email": "tohyouxuan@gmail.com",
  "password": "testpassword"
}
```