added presentation flow notes

This commit is contained in:
Vomitblood 2025-01-16 05:48:18 +08:00
parent 4f984a46f8
commit 9e817d081f
3 changed files with 31 additions and 14 deletions


@ -8,17 +8,30 @@
- 3334: Python backend server
- 3335: PostgreSQL
backend-for-frontend server
1. PostgreSQL
2. ~~Python ML server~~
3. Backend server
4. ~~Suricata~~
5. Apache + ModSecurity
6. Client
!remember to set the environment variables
!include this in the setup instructions
!should we use a .env file and let the user set the variables?
## Presentation Flow
PGHOST=localhost
PGPORT=5432
PGDATABASE=asdfdb
PGUSER=asdfuser
PGPASSWORD=asdfpassword
1. [video] start postgres: postgres docker compose -> start pg docker
2. [video] start backend: show main.go -> http.go -> db.go -> go build . -> ./server
3. [video] setup db: postman -> /nuke-db -> /setup-demo-db
4. skip account registration
5. [video] login account normally -> show normal login
6. [video] do sql injection on unsecure endpoint -> show success
7. [video] do sql injection on secure endpoint -> show unsuccess
8. [slides] show backend code, unsecure login endpoint -> show concatenation of sql query
9. [slides] show backend code, secure login endpoint -> parameterization of sql query
10. [video] start apache reverse proxy + modsecurity: docker compose file -> start docker
11. [video] change server url on client to reverse proxy -> do sql injection -> show rejection
12. [video] zaproxy scan endpoint: start zaproxy -> send first request to unsecure server endpoint with arguments -> include context -> start attack -> show breached
1. `Content-Type: application/json`
2. same as on top
13. [video] zaproxy scan reverse proxy: send first request to unsecure reverse proxy endpoint with argumens -> include context -> start attack -> show unbreached
## Server
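Review bot: the PGUSER/PGPASSWORD block (PGHOST through PGPASSWORD) puts credentials in a committed notes file, and it has landed under the "## Presentation Flow" heading rather than next to the "!remember to set the environment variables" items it belongs with. Since the note itself asks "should we use a .env file and let the user set the variables?", the safer answer is yes: move these five lines into a `.env.example` with placeholder values, add `.env` to `.gitignore`, and have the setup instructions tell the user to copy and fill it in. Two smaller points in the same hunk: the flow depends on the `/nuke-db` and `/setup-demo-db` endpoints (step 3), so the notes should state explicitly that these are demo-only and must not be reachable in a non-demo build; and step 13 has a typo, "argumens" should be "arguments" (matching step 12), while "show unsuccess" in step 7 reads better as "show failure".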
@ -47,9 +60,11 @@ Parameterized queries separate the SQL code from the data, so user input is neve
## ZAP
Content-Type: application/json
`Content-Type: application/json`
```json
{
"email": "tohyouxuan@gmail.com",
"password": "testpassword"
"email": "tohyouxuan@gmail.com",
"password": "testpassword"
}
```
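Review bot: the ZAP request body uses what looks like a real personal address (`tohyouxuan@gmail.com`) as the demo login; documentation that ships in the repository should use a clearly fictional account such as `demo@example.com` with a matching seeded password, so that nobody's real identifier ends up in a public scan target or in screenshots of the presentation. The change from a bare `Content-Type: application/json` line to the backticked form is fine, but it would help to say where that header is set in ZAP (the request editor for the first request in step 12 of the flow) so the section is self-contained.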

client/install.sh Normal file

@ -0,0 +1,2 @@
sudo rm /usr/local/bin/cspj-application
sudo cp ./src-tauri/target/release/cspj-application /usr/local/bin
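Review bot: `sudo rm /usr/local/bin/cspj-application` aborts on a first install because the file does not exist yet, and the script has no shebang and no `set -e`, so if `rm` or `cp` fails the user gets no clear signal. Suggested shape:
`#!/usr/bin/env sh`
`set -eu`
`sudo install -m 0755 ./src-tauri/target/release/cspj-application /usr/local/bin/cspj-application`
`install` replaces the existing binary in one step and sets the permissions explicitly, which removes the need for the separate `rm` and avoids copying whatever mode the build directory happened to produce; it also fails cleanly if the release binary has not been built.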


@ -78,8 +78,8 @@ export const SqlInjection = () => {
>
<SqlInjectionLogin />
</TabPanel>
<Divider />
the logged in account details goes here
{/* <Divider />
the logged in account details goes here */}
</Box>
</TabContext>
</Box>
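Review bot: wrapping `<Divider />` and the "the logged in account details goes here" placeholder in a JSX comment keeps dead markup in the component; either delete the two lines or replace them with a single `{/* TODO: render logged-in account details */}` so the intent is tracked without leaving commented-out elements that will drift out of sync with the surrounding layout.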