Vomitblood/cspj-application
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

login

Browse source
This commit is contained in:
Vomitblood 2025-01-14 03:18:08 +08:00
parent 9e466635de
commit 53c0ada12e
6 changed files with 304 additions and 275 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -41,11 +41,8 @@ PGPASSWORD=asdfpassword
### SQL Injection
- `/sql-execute`
- `/login-sql`
- `/secure-sql-execute`
- `/secure-register-sql`
- `/secure-login-sql`
- `/secure-get-user`
#### 1. Parameterization of Queries

128
client/src/components/Pages/SqlInjection/SqlInjectionLogin.tsx
View file

@ -1,12 +1,66 @@
import { Box, LinearProgress, TextField, Typography } from "@mui/material";
import { Box, TextField, Typography } from "@mui/material";
import { useAtom } from "jotai";
import { useState } from "react";
import { useNotification } from "../../../contexts/NotificationContext";
import { serverUrlAtom } from "../../../lib/jotai";
import { HeaderLogo } from "../../Generic/HeaderLogo";
import { LoadingButton } from "@mui/lab";
export const SqlInjectionLogin = () => {
// contexts
const { openNotification } = useNotification();
// atoms
const [serverUrl, setServerUrl] = useAtom(serverUrlAtom);
// states
const [emailValueRaw, setEmailValueRaw] = useState<string>("");
const [passwordValueRaw, setPasswordValueRaw] = useState<string>("");
const [passwordErrorMsg, setPasswordErrorMsg] = useState<string>("");
const [errorMsg, setErrorMsg] = useState<string>("");
const [loginLoading, setLoginLoading] = useState<boolean>(false);
const nextClickEvent = async () => {
// reset the error messages
setErrorMsg("");
// ensure that the server url does not end with a trailing slash
setServerUrl(serverUrl.replace(/\/$/, ""));
// construct the request body
const requestBody = {
email: emailValueRaw,
password: passwordValueRaw,
};
// start loading indicator
setLoginLoading(true);
try {
// make request good
const response = await fetch(serverUrl + "/register-sql", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(requestBody),
});
// check if login was successful
if (!response.ok) {
const errorMessage = await response.text();
console.log("Login failed:", errorMessage);
setErrorMsg(errorMessage);
} else {
openNotification("Login successful");
}
} catch (e) {
// log the error and handle failure
console.log("Request failed", e);
} finally {
// stop loading indicator regardless of success/failure
setLoginLoading(false);
}
};
return (
<>
@ -34,30 +88,52 @@ export const SqlInjectionLogin = () => {
flexDirection: "column",
}}
>
<TextField
fullWidth
id="email"
label="Email"
onChange={(e: { target: { value: string } }) => setEmailValueRaw(e.target.value)}
size="small"
type="email"
value={emailValueRaw}
sx={{ mb: 2 }}
variant="outlined"
/>
<TextField
error={Boolean(passwordErrorMsg)}
fullWidth
helperText={Boolean(passwordErrorMsg) ? passwordErrorMsg : ""}
id="password"
label="Password"
onChange={(e: { target: { value: string } }) => setPasswordValueRaw(e.target.value)}
size="small"
type="password"
value={passwordValueRaw}
sx={{ mb: 2 }}
variant="outlined"
/>
<form
onSubmit={(e) => {
e.preventDefault();
nextClickEvent();
}}
>
<TextField
fullWidth
id="email"
label="Email"
onChange={(e: { target: { value: string } }) => setEmailValueRaw(e.target.value)}
size="small"
type="email"
value={emailValueRaw}
sx={{ mb: 2 }}
variant="outlined"
/>
<TextField
error={Boolean(errorMsg)}
fullWidth
helperText={Boolean(errorMsg) ? errorMsg : ""}
id="password"
label="Password"
onChange={(e: { target: { value: string } }) => setPasswordValueRaw(e.target.value)}
size="small"
type="password"
value={passwordValueRaw}
sx={{ mb: 2 }}
variant="outlined"
/>
<Box
sx={{
display: "flex",
flexDirection: "row",
justifyContent: "end",
}}
>
<LoadingButton
loading={loginLoading}
type="submit"
variant="contained"
>
Next
</LoadingButton>
</Box>
</form>
</Box>
</>
);

54
client/src/components/Pages/SqlInjection/SqlInjectionRegister.tsx
View file

@ -107,7 +107,7 @@ export const SqlInjectionRegister = () => {
try {
// make request good
const response = await fetch(serverUrl + "/register-sql", {
const response = await fetch(serverUrl + "/secure-register-sql", {
method: "POST",
headers: {
"Content-Type": "application/json",
@ -124,10 +124,10 @@ export const SqlInjectionRegister = () => {
openNotification("Registration successful");
}
} catch (e) {
// Log the error and handle failure
// log the error and handle failure
console.log("Request failed", e);
} finally {
// Stop loading indicator regardless of success/failure
// stop loading indicator regardless of success/failure
setRegisterLoading(false);
}
};
@ -152,16 +152,16 @@ export const SqlInjectionRegister = () => {
&nbsp;Register
</Typography>
</Box>
<form
onSubmit={(e) => {
e.preventDefault();
nextClickEvent();
<Box
sx={{
display: "flex",
flexDirection: "column",
}}
>
<Box
sx={{
display: "flex",
flexDirection: "column",
<form
onSubmit={(e) => {
e.preventDefault();
nextClickEvent();
}}
>
<TextField
@ -233,23 +233,23 @@ export const SqlInjectionRegister = () => {
<li>At least one special character</li>
</ul>
</Typography>
</Box>
<Box
sx={{
display: "flex",
flexDirection: "row",
justifyContent: "end",
}}
>
<LoadingButton
loading={registerLoading}
type="submit"
variant="contained"
<Box
sx={{
display: "flex",
flexDirection: "row",
justifyContent: "end",
}}
>
Next
</LoadingButton>
</Box>
</form>
<LoadingButton
loading={registerLoading}
type="submit"
variant="contained"
>
Next
</LoadingButton>
</Box>
</form>
</Box>
</>
);
};

18
server/internal/db/db.go
View file

@ -135,25 +135,25 @@ func NukeDb(w http.ResponseWriter, r *http.Request) {
}
// fetch existing usernames from db
func FetchUsernames() (map[string]bool, error) {
usernames := make(map[string]bool)
func FetchEmails() (map[string]bool, error) {
emails := make(map[string]bool)
rows, err := DbPool.Query(context.Background(), "SELECT username FROM users")
rows, err := DbPool.Query(context.Background(), "SELECT email FROM users")
if err != nil {
return nil, fmt.Errorf("error querying users: %w", err)
}
defer rows.Close()
for rows.Next() {
var username string
if err := rows.Scan(&username); err != nil {
return nil, fmt.Errorf("error scanning username: %w", err)
var email string
if err := rows.Scan(&email); err != nil {
return nil, fmt.Errorf("error scanning email: %w", err)
}
usernames[username] = true
emails[email] = true
}
log.Println("Fetched usernames:", usernames)
return usernames, nil
log.Println("Fetched emails:", emails)
return emails, nil
}
// fetch all users for demo

6
server/internal/http_server/http_server.go
View file

@ -21,12 +21,8 @@ func ServeApi() {
http.HandleFunc("/setup-demo-db", db.SetupDemoDb)
http.HandleFunc("/nuke-db", db.NukeDb)
http.HandleFunc("/fetch-all-users", db.FetchAllUsers)
http.HandleFunc("/execute-sql", sql_injection.ExecuteSql)
http.HandleFunc("/login-sql", sql_injection.LoginSql)
http.HandleFunc("/secure-execute-sql", sql_injection.SecureExecuteSql)
http.HandleFunc("/register-sql", sql_injection.RegisterSql)
http.HandleFunc("/secure-register-sql", sql_injection.SecureRegisterSql)
http.HandleFunc("/secure-login-sql", sql_injection.SecureLoginSql)
http.HandleFunc("/secure-get-user", sql_injection.SecureGetUser)
log.Println("Server is running on http://localhost:5000")
if err := http.ListenAndServe(":5000", nil); err != nil {
log.Fatalf("Failed to start server: %v", err)

368
server/internal/sql_injection/sql_injection.go
View file

@ -4,153 +4,16 @@ import (
"context"
"encoding/json"
"fmt"
"io"
"log"
"net/http"
"regexp"
"strings"
"github.com/Vomitblood/cspj-application/server/internal/db"
"golang.org/x/crypto/bcrypt"
)
// unsecure version
// take http reqeust body as raw sql and pass to db
func ExecuteSql(w http.ResponseWriter, r *http.Request) {
// read the request body
sqlQuery, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, "Failed to read request body", http.StatusBadRequest)
return
}
defer r.Body.Close()
// execute the sql query without any sanitization
rows, err := db.DbPool.Query(context.Background(), string(sqlQuery))
if err != nil {
http.Error(w, "Query execution error", http.StatusInternalServerError)
return
}
defer rows.Close()
// prepare the response by iterating over the returned rows
var response string
for rows.Next() {
values, err := rows.Values()
if err != nil {
http.Error(w, "Error reading query result", http.StatusInternalServerError)
return
}
response += fmt.Sprintf("%v\n", values)
}
// send the response to the client
w.Write([]byte(response))
}
// unsecure login
// login endpoint with sql injection vulnerability
func LoginSql(w http.ResponseWriter, r *http.Request) {
// parse the request body to get username and password
var credentials struct {
Username string `json:"username"`
Password string `json:"password"`
}
// decode the json body
if err := json.NewDecoder(r.Body).Decode(&credentials); err != nil {
http.Error(w, "Invalid request format", http.StatusBadRequest)
return
}
defer r.Body.Close()
// construct the unsafe query
query := fmt.Sprintf(
"SELECT id, username FROM users WHERE username = '%s' AND password = '&s'",
credentials.Username,
credentials.Password,
)
// execute the query without sanitizing the input
var id int
var username string
err := db.DbPool.QueryRow(context.Background(), query).Scan(&id, &username)
if err != nil {
http.Error(w, "Invalid credentials", http.StatusUnauthorized)
return
}
// if the user is found, return success response
response := map[string]interface{}{
"message": "Login successful",
"user_id": id,
"username": username,
}
if err := json.NewEncoder(w).Encode(response); err != nil {
http.Error(w, "Failed to encode response", http.StatusInternalServerError)
log.Printf("JSON encoding error: %v", err)
}
}
// secure version
// only allow parameterized queries with validation
func SecureExecuteSql(w http.ResponseWriter, r *http.Request) {
var input struct {
Query string `json:"query"`
Params []interface{} `json:"params"`
}
// parse json request body
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
http.Error(w, "Invalid JSON format", http.StatusBadRequest)
return
}
defer r.Body.Close()
// simple validation, only allow select statements
if !strings.HasPrefix(strings.ToUpper(input.Query), "SELECT") {
http.Error(w, "Only SELECT queries are allowed", http.StatusForbidden)
return
}
// execute the query as a parameterized statement
rows, err := db.DbPool.Query(context.Background(), input.Query, input.Params...)
if err != nil {
http.Error(w, "Query execution error", http.StatusInternalServerError)
return
}
defer rows.Close()
// format the response
var response []map[string]interface{}
for rows.Next() {
values, err := rows.Values()
if err != nil {
http.Error(w, "Error reading query result", http.StatusInternalServerError)
return
}
rowMap := make(map[string]interface{})
fieldDescriptions := rows.FieldDescriptions()
for i, fd := range fieldDescriptions {
rowMap[string(fd.Name)] = values[i]
}
response = append(response, rowMap)
}
// return json response
jsonResp, err := json.Marshal(response)
if err != nil {
http.Error(w, "Failed to encode response", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
w.Write(jsonResp)
}
// register endpoint
func RegisterSql(w http.ResponseWriter, r *http.Request) {
// secure register endpoint
func UnsecureRegisterSql(w http.ResponseWriter, r *http.Request) {
// read the request body
var credentials struct {
Email string `json:"email"`
@ -179,6 +42,75 @@ func RegisterSql(w http.ResponseWriter, r *http.Request) {
}
// get the number of emails that matches
// construct the sql query using concatenation, BAD
emailCheckSQL := fmt.Sprintf("SELECT COUNT(*) FROM users WHERE email = '%s'", credentials.Email)
var existingUserCount int
err := db.DbPool.QueryRow(context.Background(), emailCheckSQL).Scan(&existingUserCount)
if err != nil {
http.Error(w, "Error checking email in the database", http.StatusInternalServerError)
log.Printf("Error checking email: %v", err)
return
}
// if there is more than 0 matches, that means email already exists, reject
if existingUserCount > 0 {
http.Error(w, "Email already exists", http.StatusConflict)
return
}
// hash the password
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost)
if err != nil {
http.Error(w, "Error hashing password", http.StatusInternalServerError)
return
}
// over here the validations has passed, so insert into the db
// also use concatenation here
insertSQL := fmt.Sprintf("INSERT INTO users (email, password, role) VALUES ('%s', '%s', 'user')", credentials.Email, string(hashedPassword))
_, err = db.DbPool.Exec(context.Background(), insertSQL)
if err != nil {
http.Error(w, "Error inserting user into the database", http.StatusInternalServerError)
log.Printf("Error inserting user: %v", err)
return
}
// send back status ok
w.WriteHeader(http.StatusOK)
w.Write([]byte("User registered successfully"))
log.Println("User registered successfully:", credentials.Email)
}
// secure register endpoint
func SecureRegisterSql(w http.ResponseWriter, r *http.Request) {
// read the request body
var credentials struct {
Email string `json:"email"`
Password string `json:"password"`
RePassword string `json:"rePassword"`
}
if err := json.NewDecoder(r.Body).Decode(&credentials); err != nil {
http.Error(w, "Invalid request format", http.StatusBadRequest)
return
}
defer r.Body.Close()
// check if the email is an email using regex, if not reject
emailRegex := `^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`
re := regexp.MustCompile(emailRegex)
if !re.MatchString(credentials.Email) {
http.Error(w, "Invalid email format", http.StatusBadRequest)
return
}
// check if the password matches, if not reject
if credentials.Password != credentials.RePassword {
http.Error(w, "Passwords do not match", http.StatusBadRequest)
return
}
// get the number of emails that matches
// use parameterization
var existingUserCount int
emailCheckSQL := `SELECT COUNT(*) FROM users WHERE email = $1`
err := db.DbPool.QueryRow(context.Background(), emailCheckSQL, credentials.Email).Scan(&existingUserCount)
@ -201,6 +133,7 @@ func RegisterSql(w http.ResponseWriter, r *http.Request) {
}
// over here the validations has passed, so insert into the db
// use parameterization
insertSQL := `INSERT INTO users (email, password, role) VALUES ($1, $2, $3)`
_, err = db.DbPool.Exec(context.Background(), insertSQL, credentials.Email, hashedPassword, "user")
if err != nil {
@ -215,46 +148,12 @@ func RegisterSql(w http.ResponseWriter, r *http.Request) {
log.Println("User registered successfully:", credentials.Email)
}
// secure login
func SecureLoginSql(w http.ResponseWriter, r *http.Request) {
var credentials struct {
Username string `json:"username"`
Password string `json:"password"`
}
if err := json.NewDecoder(r.Body).Decode(&credentials); err != nil {
http.Error(w, "Invalid request format", http.StatusBadRequest)
return
}
defer r.Body.Close()
// secure version using parameterized queries
query := "SELECT id, username FROM users WHERE username = $1 AND password = $2"
var id int
var username string
err := db.DbPool.QueryRow(context.Background(), query, credentials.Username, credentials.Password).Scan(&id, &username)
if err != nil {
http.Error(w, "Invalid credentials", http.StatusUnauthorized)
return
}
// send back the response if great success
response := map[string]interface{}{
"message": "Login successful",
"user_id": id,
"username": username,
}
if err := json.NewEncoder(w).Encode(response); err != nil {
http.Error(w, "Failed to encode response", http.StatusInternalServerError)
log.Printf("JSON encoding error: %v", err)
}
}
// even more secure
func SecureGetUser(w http.ResponseWriter, r *http.Request) {
// very secure login endpoint
func UnsecureLoginSql(w http.ResponseWriter, r *http.Request) {
// decode the json body
var requestData struct {
Username string `json:"username"`
Email string `json:"email"`
Password string `json:"password"`
}
// declare new json decoder with custom property
@ -269,43 +168,104 @@ func SecureGetUser(w http.ResponseWriter, r *http.Request) {
}
// validate that user is provided
if requestData.Username == "" {
if requestData.Email == "" || requestData.Password == "" {
http.Error(w, "Invalid request format", http.StatusBadRequest)
log.Println("Username is missing in the request body")
return
}
// retrieve list of existing usernames from db
existingUsernames, err := db.FetchUsernames()
if err != nil {
http.Error(w, "Internal server error", http.StatusInternalServerError)
log.Printf("Failed to fetch usernames: %v", err)
return
}
// check if the username exists in the allowed list
// this step is crucial
// server will reject ANYTHING that does not match the list
if !existingUsernames[requestData.Username] {
http.Error(w, "Invalid username", http.StatusBadRequest)
return
}
// construct the query
query := "SELECT id, username, email FROM users WHERE username = $1"
// retrieve the user data
// construct sql command using concatenation
query := fmt.Sprintf("SELECT id, email, password FROM users WHERE email = '%s'", requestData.Email)
var id int
var dbUsername, email string
err = db.DbPool.QueryRow(context.Background(), query, requestData.Username).Scan(&id, &dbUsername, &email)
var email string
var hashedPassword string
err := db.DbPool.QueryRow(context.Background(), query).Scan(&id, &email, &hashedPassword)
if err != nil {
http.Error(w, "User not found", http.StatusNotFound)
http.Error(w, "Invalid email or password", http.StatusNotFound)
return
}
// send back the user data as a json response
// compare the provided password with the stored hashed password
err = bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(requestData.Password))
if err != nil {
http.Error(w, "Invalid email or password", http.StatusUnauthorized)
return
}
// send back the user data as a JSON response
response := map[string]interface{}{
"id": id,
"username": dbUsername,
"email": email,
"id": id,
"email": email,
}
if err := json.NewEncoder(w).Encode(response); err != nil {
http.Error(w, "Failed to encode response as JSON", http.StatusInternalServerError)
log.Printf("JSON encoding error: %v", err)
}
}
// very secure login endpoint
func SecureLoginSql(w http.ResponseWriter, r *http.Request) {
// decode the json body
var requestData struct {
Email string `json:"email"`
Password string `json:"password"`
}
// declare new json decoder with custom property
jsonDecoder := json.NewDecoder(r.Body)
// rejects any unknown fields in the json, more strict
jsonDecoder.DisallowUnknownFields()
if err := json.NewDecoder(r.Body).Decode(&requestData); err != nil {
http.Error(w, "Invalid request format", http.StatusBadRequest)
log.Println("Failed to decode JSON body or extra fields present:", err)
return
}
// validate that user is provided
if requestData.Email == "" || requestData.Password == "" {
http.Error(w, "Invalid request format", http.StatusBadRequest)
return
}
// retrieve list of existing emails from db
existingEmails, err := db.FetchEmails()
if err != nil {
http.Error(w, "Internal server error", http.StatusInternalServerError)
log.Printf("Failed to fetch emails: %v", err)
return
}
// check if the email exists in the allowed list
// this step is crucial
// server will reject ANYTHING that does not match the list
if !existingEmails[requestData.Email] {
http.Error(w, "Invalid email or password", http.StatusBadRequest)
return
}
// retrieve the email and password from the database
var id int
var email string
var hashedPassword string
query := "SELECT id, email, password FROM users WHERE email = $1"
err = db.DbPool.QueryRow(context.Background(), query, requestData.Email).Scan(&id, &email, &hashedPassword)
if err != nil {
http.Error(w, "Invalid email or password", http.StatusNotFound)
return
}
// compare the provided password and the stored password hashes
err = bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(requestData.Password))
if err != nil {
http.Error(w, "Invalid email or password", http.StatusUnauthorized)
return
}
// send back the user data as a json response
response := map[string]interface{}{
"id": id,
"email": email,
}
if err := json.NewEncoder(w).Encode(response); err != nil {
http.Error(w, "Failed to encode response as JSON", http.StatusInternalServerError)