added presentation flow notes
This commit is contained in:
parent
4f984a46f8
commit
9e817d081f
39
README.md
|
@ -8,17 +8,30 @@
|
||||||
- 3334: Python backend server
|
- 3334: Python backend server
|
||||||
- 3335: PostgreSQL
|
- 3335: PostgreSQL
|
||||||
|
|
||||||
backend-for-frontend server
|
1. PostgreSQL
|
||||||
|
2. ~~Python ML server~~
|
||||||
|
3. Backend server
|
||||||
|
4. ~~Suricata~~
|
||||||
|
5. Apache + ModSecurity
|
||||||
|
6. Client
|
||||||
|
|
||||||
!remember to set the environment variables
|
## Presentation Flow
|
||||||
!include this in the setup instructions
|
|
||||||
!should we use a .env file and let the user set the variables?
|
|
||||||
|
|
||||||
PGHOST=localhost
|
1. [video] start postgres: postgres docker compose -> start pg docker
|
||||||
PGPORT=5432
|
2. [video] start backend: show main.go -> http.go -> db.go -> go build . -> ./server
|
||||||
PGDATABASE=asdfdb
|
3. [video] setup db: postman -> /nuke-db -> /setup-demo-db
|
||||||
PGUSER=asdfuser
|
4. skip account registration
|
||||||
PGPASSWORD=asdfpassword
|
5. [video] login account normally -> show normal login
|
||||||
|
6. [video] do sql injection on unsecure endpoint -> show success
|
||||||
|
7. [video] do sql injection on secure endpoint -> show unsuccess
|
||||||
|
8. [slides] show backend code, unsecure login endpoint -> show concatenation of sql query
|
||||||
|
9. [slides] show backend code, secure login endpoint -> parameterization of sql query
|
||||||
|
10. [video] start apache reverse proxy + modsecurity: docker compose file -> start docker
|
||||||
|
11. [video] change server url on client to reverse proxy -> do sql injection -> show rejection
|
||||||
|
12. [video] zaproxy scan endpoint: start zaproxy -> send first request to unsecure server endpoint with arguments -> include context -> start attack -> show breached
|
||||||
|
1. `Content-Type: application/json`
|
||||||
|
2. same as on top
|
||||||
|
13. [video] zaproxy scan reverse proxy: send first request to unsecure reverse proxy endpoint with argumens -> include context -> start attack -> show unbreached
|
||||||
|
|
||||||
## Server
|
## Server
|
||||||
|
|
||||||
|
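Review bot: the component list in this hunk strikes out "Python ML server" (item 2) and "Suricata" (item 4) while the port list a few lines above still carries "- 3334: Python backend server" unchanged; either drop or strike the 3334 entry as well, or add a word saying why the port stays reserved, so the two lists do not contradict each other. The open question in the "!should we use a .env file and let the user set the variables?" note should be settled before the PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSWORD block becomes the documented setup path: the usual answer is a committed `.env.example` holding placeholder values like the `asdfpassword` shown here, with the real `.env` listed in `.gitignore`, and the README stating explicitly that `asdfuser`/`asdfpassword` are demo placeholders to be replaced. Smaller points in the same hunk: "argumens" in step 13 should be "arguments", "show unsuccess" in step 7 reads better as "show failure", and the nested items under step 12 ("1. `Content-Type: application/json`", "2. same as on top") should name what they refer to (the request header and body used for the scan) rather than "same as on top".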
@ -47,9 +60,11 @@ Parameterized queries separate the SQL code from the data, so user input is neve
|
||||||
|
|
||||||
## ZAP
|
## ZAP
|
||||||
|
|
||||||
Content-Type: application/json
|
`Content-Type: application/json`
|
||||||
|
|
||||||
|
```json
|
||||||
{
|
{
|
||||||
"email": "tohyouxuan@gmail.com",
|
"email": "tohyouxuan@gmail.com",
|
||||||
"password": "testpassword"
|
"password": "testpassword"
|
||||||
}
|
}
|
||||||
|
```
|
||||||
|
|
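Review bot: the ZAP request body in this hunk embeds what looks like a personal address, "tohyouxuan@gmail.com", as the sample login; documentation samples should use a reserved placeholder such as `user@example.com` so a real mailbox is not published in the repository and reused by anyone following the guide. Wrapping the `Content-Type: application/json` line in backticks and fencing the body as ```json is the right change; it would also help to say in a sentence above the block that this header and body are the "first request" referred to in the presentation flow, so the ZAP section and the flow steps line up.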
2
client/install.sh
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
sudo rm /usr/local/bin/cspj-application
|
||||||
|
sudo cp ./src-tauri/target/release/cspj-application /usr/local/bin
|
|
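Review bot: `client/install.sh` as added has no shebang and no error handling, and the first line `sudo rm /usr/local/bin/cspj-application` fails on a fresh machine where the binary does not exist yet; with `set -e` added later that would abort the install, and without it the failure is silently ignored. Suggest opening with `#!/bin/sh` and `set -eu`, and replacing both lines with a single `sudo install -m 0755 ./src-tauri/target/release/cspj-application /usr/local/bin/cspj-application`, which creates or overwrites the target in one step with explicit permissions and makes the separate `rm` unnecessary. The script also assumes it is run from the `client` directory; resolving paths relative to the script location (or checking that the release binary exists before calling `sudo`) would avoid a confusing failure under elevated privileges.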
@ -78,8 +78,8 @@ export const SqlInjection = () => {
|
||||||
>
|
>
|
||||||
<SqlInjectionLogin />
|
<SqlInjectionLogin />
|
||||||
</TabPanel>
|
</TabPanel>
|
||||||
<Divider />
|
{/* <Divider />
|
||||||
the logged in account details goes here
|
the logged in account details goes here */}
|
||||||
</Box>
|
</Box>
|
||||||
</TabContext>
|
</TabContext>
|
||||||
</Box>
|
</Box>
|
||||||
|
|
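Review bot: this hunk replaces the `<Divider />` and the placeholder text "the logged in account details goes here" with a JSX comment (`{/* ... */}`) rather than removing them; commented-out markup tends to linger indefinitely. If the logged-in account panel is no longer planned, delete both lines; if it is still planned, remove them here and track the panel in an issue or a short TODO comment that says what should render there, so the component tree in `SqlInjection` does not carry dead JSX.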