From ffbdd9d42711b67ff85443a31f88eff240d0ce81 Mon Sep 17 00:00:00 2001 From: Vomitblood Date: Tue, 14 Jan 2025 03:50:45 +0800 Subject: [PATCH] login and registration unsecured --- README.md | 2 ++ client/public/images/logo.webp | Bin 0 -> 17554 bytes client/src/components/Generic/HeaderLogo.tsx | 2 +- .../components/HeaderBar/ServerUrlInput.tsx | 6 ++--- client/src/components/Pages/Home/Home.tsx | 4 +-- .../Pages/SqlInjection/SqlInjectionLogin.tsx | 25 ++++++++++++++---- .../SqlInjection/SqlInjectionRegister.tsx | 25 ++++++++++++++---- client/src/lib/jotai.ts | 3 ++- server/internal/db/db.go | 22 +++++++++++---- server/internal/http_server/http_server.go | 3 +++ .../internal/sql_injection/sql_injection.go | 1 + 11 files changed, 71 insertions(+), 22 deletions(-) create mode 100644 client/public/images/logo.webp diff --git a/README.md b/README.md index f6aebcc..354acb8 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,9 @@ PGPASSWORD=asdfpassword ### SQL Injection +- `/unsecure-register-sql` - `/secure-register-sql` +- `/unsecure-login-sql` - `/secure-login-sql` #### 1. Parameterization of Queries 
diff --git a/client/public/images/logo.webp b/client/public/images/logo.webp new file mode 100644 index 0000000000000000000000000000000000000000..4f28713a56f6c9b6dfe3aed85d7d0ab2f572f1b1 GIT binary patch literal 17554 zcmaI6V~{4n+AaFFZQGo-ZQJhY?&;}i+xE0=+qP}nwr#$5_C7c6cYd66Ga@Tjt!J&Q z$|obTBBN48T0$aR3;@s+7g5qs;?jZz002z?svrnJ4g?@ADyozV`tKG1nrmfj?FcRe z09e~NIjBgA5Nm1c5JQ~;-~cE9GypjO&B)l%PFP7v?mz1Pb9r6{fcz)2K>we<{?D5K zD~s^k#L*Z403rUT5HhxNaQcT0|6vYSC%gaP)PES=*v#nnKV10_(>eTm!GC!5Km4!% zg)jeuP5+DkJ1BGqH5Ji+V?+PP6Px~T_}Bl2jm;da|7qC%X~=(D+x+VvRO^4?-~Yj0 z|H0N)&i~%+zvVw8gg3EKSN+$L|Eu@_Nq{s!9-ssu2K)jz1Iz(d04D(bzt-j-;|Ngs z7Z>@z_;LU1SNiAr_0MGvF#hKd1K0wr0Y?Az1O77y|1|%~|K!&34=c-mDG+!O003ee z2z;Ob0H6{8fUj5}@FNch{K^Laz%~JZUYq~%+vWlQTu=Y_*#F_ka{vIOAON6w@PD{p zDF8rA2mpY+W@qGJ^xx-z{kwwx`2zslmjD0=+5iCBEC2wj`@iz`FZQ1}pkM_6Q2UoF zxhVi3Egb-$H2v4N-v4FX(EkkoU*7(IHUDq^gyoc^YQg`_c1RwvHQ1k>o@<&==m6<- z3tq@`8v_>ta;f-3Y86sQjohZcOTBgf@~}OAR((Cbfbx|CIJ{54Q6SNMiai`?RW4IY zABZwcCNGo~>F5k`2{Z5tIoICD+VS`L{s5j>8ZX5n?yLwiZ}R25EgfuC>V9>%sK!tK zz%>2qv8~nvMts(^?Qh?`?FB(LZ$LlX^C@S4IHpgUe*!Nu;sBpLHwHk-n^_hK(AFWMYuy@@DAs zR<5|(qyEg^u#=s-=(Mf zQd-Y9x-foWAMtC2q9*w^&yxu z{{+;%**MgD`UKQ|YZ4Ora;$_Pv=kU_1*|bXbP!0AFeb(u@n)14F)TGgyx%f$Xq*?a zhbCglE-_S)Am)H9I5OC;Oj#p5h(bRuC=o3&P!i(hJb0ctA;?fI@TpW6T%ko&p-p;_ zO0qxza@PkkaM_&~Y?m+flxKC-ZnGbn3-M1o!e5>$i?Mzas?>89>$hA|qRnwA?~%?ca)4$x$;vax zG>JAV(lrU*a-ZPgAXn#m2%F75$#2pcltC>ub)hsujgG_#jn#{N; zE_C5E)VX?E#T?h0i3f!3MvNc=@GECPGKoB5O)a0CzSl3le$5Wn?Ed@W62tQY0JU3y zED%~D5P1**X3Q{AQW6q$ZSPTHFz`A~9}-q!vNHLvhx>(=juh9O8=^+REnhnyql%if zp0;oA?>S)07tw?wxW~oUN$yFSPtAA5N6+=n>kbeI{N4hl1Jk|(w^~ja-v##seZK<) z6?*1;t$?aP<4?(d3ZQmQv%ssMjUcfA1n?)21X%M$)sgeQ^Rjc!zYlZ-LI5>CU0-)% zb1sSY1s_}}e6BsAfGYp&wrd05l0e00!N+c8L2F-|Zb;uE-#FmSB?u6>2v$PWEV$Z( z?W-wZ_eS$Bc-zwqY{{PfW`Ek*7i{ra@wEhw+}Imn&1YK*T=|TAj9kam0-rj$Uk4s~ z_G?BBj&`Piv%bb(W8V)SIoFKs3bP(?9~X}^Pdn>9jy>(~YQUzinq}L1;PqE8P}z6W z=eG~=WB%332kqOomgr&T5_sp^>?7mN0b~XSenNc+uE#hDX8NWB2fliC72kRuZ(e&g 
z1wDaFzQFg@XM+zY;K>%*^8s*dtGQK$T)%e4MMsWUJP#~Pf!6m+Dqgq^-ZQ;W6zWg< zJ0$OT=cw^cPfH>*!kl$ef5Z<0u6^Yk`U9RVA|1&xof|d33bUE(jBp%athkAg;v)wq z(zau9;7-HaqvXX$gp)RkALGQjdW5Mb^DB2SNfoAgPxtlXn1j}us6$v`TwoTB0(Wr~$t1pHx3;+@&vN?*I_ zAwYSM9MFOnC0-jP?h|cGh$M9bmgSw$4om9YVQemnh4xI9y>${!k>zGXbhcsSdw_oy zfx-dv?V=sAud^hUYvAc>mu*(l_roTwf;Bn@R^!^eEIF&B@njGy*vr$|k2RA^z)1XvUHE~?rp+SX& z6Fe{NN0W{OcROXz`$WLC52jx#`c!c@L)gpIS<8q26svYK3gj&F*emIFKP!{}=*rbdu9v8i3y8o?QNVrwhR(GtryWAM7m>;T>jfcm) zQP_nFhqN%UixBI&7+<}YvQ5v+eH8xAoACE50gua9pymx%EGj75$qp(hq8^(N@%iXz zuJe_(r!}NeKZ7(3W*VTtKzuoEn=f3$-5mm#;t`!Pss0X>eBF>&LCe8B2UbjG6s{TO zlN9f$jV$#p1ig=^(Sl1c`08(Y1Z?fIa;G*n^6j4XEY?o3IWb5FPF_-EP>{DIs$7g5 zE~R$!oXM+IReMksA2Tbxk(ZfOtjZmAsuLEyvf-=1!JNE#OOr)ZzR(Eb?mEEc?kJy$ z1YQj8o2Ulc)W<-LjJ%5k3z&=Ec)btR4X52x6NL!9ule`RPl6# z3to;v$}>1nA>yaB+&$&~(O0XYRQ7{TqGNFN_A6(9EZ+l zM+!=HX8b0Bs}+$kB~C+CirI432C}Q0Zq^9G%k}~Ei6@S%OZb3W5bMMvMJTha?V|r~ zMteT(vlikNk-zF|v)T?9NUbXP(@<@3KdN&(w0Kiac~h^giS+4sBIZkVkD?hZ^4gIF zQ?{*iV}?xUDZTroSt@wXn#plL1rpF0j4EvW=!Rr_$P?kh;!CCZ;ZgKUl2jHHqjcgu zB&y*d(wNW*D$6J&utB>|5`U@fdLXbJhX0K12~0UNP|dP0L@Z0SPtn2~^Vx0?#5XU9(A&$VjelRLM?grwnpyw)T(Ee%PI|l$%fkr*CKV34#Wa)lY{R+e9 ztM@@uT7`VvxND9yBaLWu{r+VM2TJcheVFAu42v-1N?I1KpVnNcE9P^^j>|nFPe83m zb5MlKF)tTVan9Z(f)enuRG(D_6=+?&tY0GA^&leM4(8oM>Tz>BUfzodqHuGfU1~_& z==ch4PBHQF*smA>$+Nq$PM~^eDDXPSlF#Fh26b06)m+oey-(jQZlfjgToeEVHi|tD z+b@P{*VWYtO&-b&=@vB!N1cf&)kc5Tx5NKHlMkjisOdQ`=H$|)mywFEp z`gn5xN~rKK2C>bZZ(1(<^`=TpY<&(lzY;ropWX0~3|~i=+5K0C5ywTk_MtGC8~Zu_ zj(qcQ!N*?6>cmpMZn#(z>KLJ;!q(X~oYmCq9@3;Net;7%mTZ7i@%0&Dq(+ z>f3t9A3g+YO1a74vnPE=iw-*4HHhvMs>(|uGg`NG5=s3HZ%lB_w1tIPr%nX6DFp~j zn}ZnJ!bBQ2(-?XwA6;D@Hg|?;|Nr@igs$WER9nK%=TGK1g)uwyJfk0La3 z(Q-+MzXSKin*NQDpmz51&Yu%-{py(X!|(V|7>GHWK^wHOTccCOCj2BsHX^a64R;Fw zT|it<^`n4p{A=e`TaF_0U$^L{QP7=t<(F95t5=Fy807PO7=Nims(0mQo|V?qs^i(P z7(oq8d~Fq{K}Ng6d5EfQPlM_eOkbFZo3QB zQ@cWG8;8R;4L$@7%C=tLx-Yv-KM2Ip%2RaW1t07>t|wGmDHv03lPV=4dgdO$dKOjF z29xBZ2IonZ2U%(q%{SRjpGXAU-gJ#GgB?t39Xq_6L9)5Y=@6H?L&M=Ph-=uWTZnhn 
zV_9Fw7CQ8_&DeW;31ylnVor~=zhWt}?7z;E8j{Q0unG|w@fq+|hd_eCI@<_1XtpM~ zocV#0ZaX7RRvq!abEv*LlHWJY3Gtf13ng|{ZR-&ng?QR!6U>AnO<3%F1QW@THkRtv zYf%f7SL7eZ_YAn9qo%B&-O_wv55*T3TB$tGZ?A!!qhBG)op0PBNb7Y@+Dn&dM|>wJ zW@>{DTuU_!-@oFZ&uESjV>hW@S|WurhYxdn=>^8FoqXa%g{cVhmSRl0u6rY#28APV z;g2sVN)y6aq5cvE1;atRe8KT^>u1YlgH~R1>e*8~eHLfnC*cb-6w83w#GIlR%z#gT zt~y5FHe%XRI<^}?ajICe$-f4`gExga@=wl2lw_@N^)!l;>D2g=<3N;P_Kit(yQYD# zc@xCK@#B%qgX(@06Fs-kLw0w5C94KdTm(yh)#{;``qJs)I4l)~S}k+(>y_6y;+a58 z3DlYGr%I6&A)CQ>^pfW#^c8pM!U(1sZe@n2KJ|iyu6ZcM{(a+$zvf_Mpe-=SPTw!= z{Tc6i+jh-__ba#D83(Zygb1_$h;-0!AL02hM89890V=;aAsgmA>b9xWh}nw>6o+_o)@eAJljcre($3{R%!l z{LL@9r__hrn(tK(U#^ux9arx>9LF;FUyrU2wA_DmevJc(ucYC&boYvuPJXT=wYFpy z=QEOuxo&t&8sq=o82gRsH_3O2z_+6k3&gKUF4Ze5_&lv#IRK z^xG>@avhc?P5M(B8*OfhFaS^djU`_Ae%cKGBm8$G=!x}xBQQB-M)vo|4?oi>U#XD= zEZJ4OBCaq~4O-C3hjT`KV|Q)v@;d6_Nh@fiH5WBZVdZ*j z-qbO$5I5YGcy;2j>sl>{41e-yxiAHDZ$nYUzb|1A+2@6~NuHwffqom%Q-7w9=uxZZ zZ59w+pBbG}cr@}KG?S+@tBCefXzoTz%CJ3c_Il|)KJ5ubwRb(65ePA?1*V^{GU-d` z>?8>`#=W?#v`TGygL&=dJU3<@s?&W?onIzckTp>tH@B%*GF?5g|BWJ&p~lFid?=+= z%iEfH{LPUvZ-<8P-r4jiMIPv{c!{ksiWs;>0yv*~V&sD|%EfT%2p-HovO=7Nc7cUl zF+N^kWqL%}84Bf;BNn5z^z)d#pH09ay|?c`;F!q`=gH?6MR1%^Hxe$$YB;cpF_);Y zX`C_Zh7A`^8X%D(r+;=? 
z(38(AFD-RE8j>wZ?D4ym>r{7Jgl+-duGfUg}a2tNObROXZS`F^4_k|mh4 zgn4-bkYJvkFtCaG|Rj&=H^WC#r zQ037fU=3(GB^29%o~#h$r4eGSU}#MG2@97&1yfg~3Lc+vgQYT4`6nRIAd|!NOjtHJ z-+-n`3*HEdFf$MsMaT0OEV4l2HPJz&&-Nz~#SYKV48VE9w$qU!ij-P0xW@uc*KK(= zc%+F0=^$v8pFUKcjU@j-LDHig?`F|c|E*ss?kT+XbbRThGn#u&VG5uR zUsFr9kc}ZGJlPG|OzGgVz+2xDE7+H}MZJpF-8&LC z_DR>ar{tU~mA5GHvVIm$Iv**>)Ko=QM*V76VItos^Vv6aaUG~*%@zfQ&CRh?c@uW( zR28>%=aiBKFghI9C#cboAu8WSH`$EO06P5?T&(u?@VF9@UH{%z#;`Al+nOhcEZ4Kn zkAf*>qHG61FluSd*~K`0GnuaZAXFjg<_05+%%rM&f94Glu}I5`>E7y<*xQgB8Q!fF z$uO1Cpf4(QewYp{m_*sPcKORv(huYC#hT7K8%_?cu=r643$hn9js{zA$60< z_yWR=UA|M=VVx^nbOVvJ-2~2!9186=)*?H|7WD&o#L<2~RosJIV%ijmvxh}%!QR~_ zPyf~QTePeXg{A9Rm`G+jX@hoLv`zvsBIoj{!A@31&=hOFSbVzG*pc6=O&4NmnDG2j zvlAbqBS=T@4Ho8|P335hcrC}Sfx~|~uC^n9^mgYS!I`E^>3YBU{4n@r4I0_HLgjkS zb@QrBU@ZK8xJeSA*o7&65~Bu0kGX-w!9~ zY06fCH#FdNNP{3CK*7Sbupo`|)N0xH@cevfWMey19~401t4#KgQ=1K*MefLYu$(M~ z`-5jSPl-a&BA!1Wew%Yl$1<2EfGX=d)+g{)5bL&utl%FBU^bwJ@chvb|LDtk54&iR$jRN6y|c0gjn-sG_}A zzKA6SN~g{@=yNE+0Gp~Lg-_O>pV4GDWJ*fNKZiebVWC&%gA%CY4S9twA4NNUQVfpc zlYCFa&wTb(I-J21dIyM%85g@K;x8{N1)7K}-K_wyo%SH&A%6)B$*3SIXi^{D2P%HO zQzNpE^PyV_$nXWv^mDRVIVk1`!pX1~)df+xffR;Df|;F2aeV`kFhYBbztaQ85^jB3?PFLGnvMTU(4g zhjAohE5?R_Mvih>)ui>dWOjN`%ddGqT|IQyz6agS{wM_<&1UTrg%OOpLeW2&X{smB zQT|(JLOlLf2R=WYu-v9v^?^>72}33P#fy;7^vxfqg0A{+#|p(%5f2N_)M+{752ADK zNN^ZfdsY$Al|9_4LN1|q#8V~?8qhxyUvRf_r+ z1X$OS@rirCIHQu^glGszFza1?T9shC+-gV83xYgtkqVaRzIUh>{{nH2emc5{~f9(v+1#i>^GV1fjE2`VfT z7UG~XXfA4bP*3K+K;9hTQ?8u z`a11$y6THKS9X#9Zfqb94x{fsN6^?nQb%+hQ_knJb1NwvQF|&JH%`v~wt2RxQs4`6EGk%InN2^NN*TSGGUH`UO$Q8or zd15rc507%q)1>y8tW^hNKtri^dQX$ycpol}A1s+{w5km8H6UFKI-Nr@XG912&A)iOdeOxSY$N4hi*!1~bDqcoS-TazFLii&3alM&V# zul71lBcxkY$a)-VoK6WXCA6#;iv>hog1hUByqytzXkec9@6&X7F3Kh}1NBRo(n{5A zv$aX%UJ0XJDP#>OjCsI;LSjV}r zU3WRfFS=>CpJ*qx7tpOV`$hCd%Z8yo!PFjnnhuD26O{xIH+YQ`X|)0A0&xzLEv zBN?8Ii|YbB{ZU+KX18h$3kn6ZroC2;5piV~@Ek{AJr_M>|7y_s{iG(`@T@Iq*>883 zTOuhm>1_w9wLVtOzX+|Pw)k6V8ucXV&xkavg#4;9cKafH8JX`oiSBCzsS&3qL6Ri}{jjPGUt;X{|_4rBj 
zskHpX`Z2tbzKETFB#6y?mpo~Iv=L$z@V$c{_R*e~X8?e3iB4>O1!l5r%jDA&SwbTa zYD*vui@g(m$O+ydm`nb;@HR2ezSui(7?(9&YALaQV)tOS6iiY%0e>MOW43wQ2-6%F zeCmDm_BVR^=!8)%KThqDw(w26!)z=icmnAXV*U~)HK_s+34(X4QL&)~*H6m}xpIWZ z8WVfzMW2NU%g@u#SniDo0=G3~S&NyQ(Y_aiEa>O@q~u;uyli80X#W~s%&p`_%vPW` z=a;#h&H*SGdh`=45n}_WHn!VKTrE7v6iNDcw+$QpvN(obgdwNg^*?KH1H@bi_<}aN z+|c)xwGi@ZXD2v0d-zQQ{vGRcHqD|!t`J-X6g$MZdZ(rCr+%uAU_Ip)^|CZG4I)Eb zLEndkq)GB~s=v}`nra4j7HCa2vS?#qcnHR7Z*m zlobo{9U#(~dD;#%l1sj87B!Z`1Ww;2&TEaWbbN@Q$uO=;DZd}!;Eq}f5W<~kby9I2 zUz@ZFqCy_}C8)FB^kL>24jsDZyk)8oBtBYfnH)j50uaEe_fyZ!)pBI2T-m%Y%83{} zRuAILde;7~xXw}g00JI1(y{0eOWlVoeDwjd&T5MY%4A>*)+1&s- z`vCnzkN8+6dx*l*Y7PpnuOBWEJeOYvUVKA2+jr~PNOJyP_rJmXQ)iFp zrr`5}B1DUM8!)#D?%QXgP7{oQ0veFv=C` zBnrlyhjDs>_Xz$ab$-K-huwn4*XH{ik)-O`&Dx@91Ak`wU9$#>0gAb(Ss zQLNf>!Fix_L|zql2_k0$NLn3CK|D>S;IES(bTKfLO99ok-v1Swr`3CvhG#3~prz|V zF17bN5LLoWf;#J_eae`$=2f39PhQ&a8GOOh$wrlCznyG;lAi6B4BF;eH&d}(HJrsw z(iJ>BGC^j*kWLEsmxtHScR3YfpB-`P)SSWAy~T}5s+n$%Y4lDkdr!ZUphG`2_Nggs zBt8?4-d+77R(jc5LvbL1zw_f`oPD$tQD|-12DQ?`p-`x14en;O|7z2xIVpo26W#*A z`^AB*ez6==F$LbBV@}JIZC*7bNclN z>Y^@HxYG&L4f4xlgq(8Vwbr(sLg+nXpn5_lGg@b&mZe&2`|iX7WQ+Zs0Ll0Ub+aqq zT+a%@5ebGfeH*-3g`HGF9SrL{-hlSy%>`ToG)2+uU4Z}tqVb|kYuZu4nSGEaRBU!MduxEkkv{Jn)_G!7TeWs>_Wh} z9D?VW1Bb_@^5&UpEchy+!W*`Nl?moK{t`Ea?z>8CnS~O3it_n#e(xUR$sbPYGg4K! 
zTfCl^@uLNKR?C541^Rx0INiq&>y1jBVEWCkci!aFm4hBfzj%NVVyJ54?wEeBLxmuH5_@9amZr$$&I75IwDks6S3|!Sh2m5EtNyN z`gdDFv7yZ>2kqYs`26IKLhcCu$J-xTtmQ>4!-ZWK^ZQt@8J-P2VshgW>#{%KBG*-8Sv5RO0*qzA_v2 zR27C%j)7fwV z6g|-!S?^Z{&m?sa*aqkuSjKC}44MOHu$QGD?#z8*HWSJHth|%QjQ;fBa|4(BF&p*~ zLdObY76M|Md*ADa?QnxSq<5>z29{KPM%oQB+#oHsmMb6MT+P~n2bGLJS?|~OJ9<9s&h$p0$b^6SgRYD zHU6S>{7^;-tkC^^gllqqMZZu@fcuP!p{^qk5I8RA9k2_rT;a;2SSMQm6`8!64a!{$ zP*!;ZHvOFKTXmx%#!g}^#6ImQ(u&5o;xqKyvv7)wFHfUk<+n_rYCV> z3p|iCIS6RzVLOLgc$*QUP?jK92Tz4=UPCxy6vyXZqOYPvIGOHy7F3sP;lvuR2iUEl*r#1wk+fwavpW481iNPH&ztDY@rg1Ubqd)Jm`~?&5OEylUM3?OpqA) zj?gXI@M9~l(`Oj4i1hj?FNuZef zal~AXL>AMAM7>SB#oh}BPG*N~>o*eYw?p%dKf`29)?+~kl**3->06a$_d1Dv0TpI+ zQ84gl+m$&~4^Z;yphme(ZZtRsG;8{^`nbyuMq4=!(v&gD^EO%x(V!po;USgFOh9%d z7^+_QmuR=m+JRNpYr)J!;h|clXbxC%42gh~l5s*ev|x?5y!%jS@($3DXcF)v8+v(} z%ZN-pXvz$lch!gbnev6cf!^Bu1yavY@}$bdltCnjhkSOog0#`0m^K``9C@UMPE?}v z#z0+Obn&gzE#Ac%jgY$EX`td-jQFIje6Dz#_7w3Q_c90<`7Vc-X;@NpIZA@rbagr| zbD(HXX@W5|21!!WI(`!@TGB8;t&eTmRiUQI5N>vP5&95lpk@N0Ua_cIaRX|F1wp00 z%JJ}A9%4?r{$qvD(3)aRiJim_v-bE>?aiGeMt1|>muil^AZrOzENp2lWO33Wc(!{^ z56Rdl&zX~9d41J8PXgUz4YN4JU)vA$$?+NdcZ#JA6s%M{cpu)4Z>x@y_x+T%GS?~i zRweJW6|V$|0x@gqm@*0Z*UDb!J-IYc^PctoL!W8rt>hVV5B+`4p(*n|n)$Vq$Kp}U zDXVjy#`wZplk!__HC`U0Q@qfDxdiHA7o*s*jY}$q-7MxpsXuRBDrKP@XGu4NU`q=l z6~x-uKhPfUry(H4i{3lU_t!6mgh^1#u&=s}dH3eWt~_gCniWM7wq0t#+-r)tPbn;d z7xUF{MJLrYEE%L;zPIAy!~7MGm!nq>xUYNGM!%f|`qBnBsQWql6kgx@C$W?fs($qf zE{-5|O#e!>8r-`Tw7t@A;#oDW_zA1HOLyVbmHTP8p@y9cXvE+>u7Pu4l%;yv+78zr zOd9)IF3^y8HPuI*8=wYsiGM#6kh>?X z)%|H1e|UT#MfnX+Sn!~tLL|oA6abzRy#rH%93-vf z{ME!EU7kClLzN81n=z_vPtkd>G&{!^d+{SJx^BTOl*b#(QrY;t%8~yKKcie#;#_Ctv}Fr* zdH6B&W(POlByN91Sh+5-%FQ2k4tIsxPkP$_UVbHeQOExz+S0I0ItG0ifT3|0!GewHDD zRZVv!1V8o!4D{t{z)l?!4VA=)3)c9*-?HExX6ViDqSpxot=u+`kfkA73VE*@;2DGZ z@IDhS4r>?QXCiZzj$p?$Aql>=FEOEl9P^fn(!&)SsM%sbtEnHQ?T%)uCcogdKeq^t zfFD=wuaWv=A(iPM;@^NHT#IV1mcIHBd=kBpnq#I#GfPv~!crK+bAYgvm_IZ+CYy3y9_NiH+=v`H?J z`oy`Eyn{DNm**83!{Z}bb9mSm!xGuG2S!D*DO`XV?hu=M`*oL9HF1&FK90s&Zoe^X 
zBOX_QY}dE29yiOD84G4pcXF~w6ja@8NxZdMwwiYiBr0wFJDqSh|I2r#Xq}wG8p@9s zv~VfRK_U24#9X)A^raAmRP7PHY~KkGJJnKK{y9ZFZdjtN686|-GTxtWsdJosh2`Qmu+!VKTN;vJ8w zGOvt9!OqUGIAyu#5$p&7>0eaM8>t;SudLFmF6%V?LYymqjJ2ta49+fQn%N1|d;Xqw zF?Mf%GY;T$j$mMOp5gyKAY6F3}9#m<%6O#5O!*;fw*jx%68@k zcMED$oBDW(hc?S0#h2I(J*!aSoH-|H>3s^Hm zj-Gp;aj1Kwok;GzGIgTDc{_NJ4FB7K7ZE3|lKf}9d#FHDaj(#FweM$lI3$JE)X*4L zwYMtIyFT82S!Agg>zf$=3~__Gh8Rv05d!64{pD|V+dYnBK0im<)oY?c$-Ue8medyBJ0vJsq#;b$pWbTJa-yQ}2R(WWJU=ET z^=if_2k9`+A`49Vrl!GjycYm{24BcB|zc`P}F#k26FXut2Iw6Kd&B(BJFW=LMVd`H2*u5G-Xk> zZ|}E>;u5Aqv}^P$=3Lzf%g&;O;yKl@f0){AMF(o__V|GVD9{ICiyUrgOffS=GHz4) zp}RFdmPU!}OlUy~S!Q6Bv6XmbZjt%6C`U76V0XY7{FIJ?CUs)z`Ve2JB$c9+fiSh; z!8)s(VcF_xi{9ng7c*m9*6Y}WTa3oW^^F%|vj5Ydxwf9-#Pp9GvODYs9XH3-mZvxt zYa&Ea6}V2w`1S64+8SpUrE$M+=qi9q-@Tem#LyBD_sTk*mQ2!E$)Ie+e)+56F9%{l zlnZM-1CnwP`ZSbAL_^Q0`1t&574SH_1g9e1WEPtZ6j{?+g)iJVrQgv7lDl1l;;2)` zxSg90$3bep&*iuZuN}aTkUJN||Nf=WA|2u&pI@ny*aqH&S@MTR>9!sea(QphK^a48 zEx{>Mz}}WZM&!1ilcoPig*Lqh9Q-7`dgt5e<=OwED)hL>Ag6H8IoIP%jwBHg45~TF z0wGJF%9OWiT4lfsc~LcSE02AWehRIl-Am>~LR-d=x#*%9wlkGWoy!dwuL6E17l)Y{ zg$SFSjl*b2E>orA=>ENu>Z`YX@~WJ$8EVBuXvg!}R6~BHjhfXyo8oM+?H=`jv=MNG zYe@r5+3lY0z~>?c7rXTfq5Z_&wB-jBp=3u|h>1ZTd7KUC(pKOUHzcBs4@RqCQ& zW>wW+J3LOnD60wUDukubfQRp$u~(xq=kdWU33J$5D{GCz6C+x2WZwuHOI%x4q&Gh~ zd~j%h_qlIjQ@<$j4N3f}8ErB=FePm?{|8R??E5GDQs zSj>%1-;vFSK*PKe0(F=^)d!+y*RpHnnlu-yMOyu?E;C8kX_Lz>uoQ78{s_>G@1Y_T z8To(FK_S@?=L+s^Zw1Xs6+#=ndSYrj*|Z@#jyBzbUf;jO_kUUX|7uzwUjv7A z?Cd0{QTV}mCAAu_f(C&=>8iGFYof{$qA1Z}&$*W&7&Mz;{cz=-22;N@Ew}tmBvpt< z#-<*%SV_n3AeApME$=kpK5t3mT*oJ;Kl?4PZ&$q?WF2ijMVH{R3tR^8;RUR?>c&p* zwCk~=ZzAXg!qa+>=bKsCXCgq8R#7{lB9t13#>wQ;Gv)KqZcuDR ze6etDMiYz6i#BQL1?s1?oMY6Hp_4%lWGYr@3?@z0Q;Ab zXcaZ67=^74M{Eg?8eI7lpS|Htz8gQ^gx5jq@wWW@^pclBchBF-$RM@sK<@d?>qVPg z0pf6h6FiJx!kBV(CUZ-B+Zohd_h28=eXYRf7mr_tFa!d4YamA9t21O64KEd)xL+Jd zCd@+E1F}cLc9TxDj9tai{}UMl=KKVAC1Ys3sG?daq85A1(zriLE^%oUz0TbZm!3H( zZ?0DW7kwa~{TERx7Mx14H~Nb*2e$70I9CjzA0tP>%gh zV9c@Sj~R}n=TAf!_ZnSra*%TG{{{e9hKDL|(1w4vdIS$#mV{GkbwALJ6lpmMIi7k( 
z<)L?!3?3Rpai4<(V~v;n|0H9~0;b|r#IxOqDCIB$@LE1Z3=LjRT{!$Jv&l{v-~xzL zw>!ngEA%|S^kCTH^cDPM0SsrR3eVKVZBt12fyQm4(9zpvHr#SgixI#)mrhm!82JM; z#E+#0H?GH^VttGUmQ&dMJlng6xO*|q`_3=}m_l|)gkd@wn{Y*a(zCX>V@B_pj_s-{ zY*I}0m3qi68BLnr7H|(*o_3pRIQGgmWc3l4uzXh^BT7tXPoWJ~HOyN=u2bk{C|806 zwAW}4W0m>nR-8GW2mh!%BAV*Iqbsq%EFsGWzqITG65r>)$rv+RipVl4BE+%WQ=g%9 zeY9Qv^DIVq_intW%RNZlwfashT3EE8cWdoP>F-!LnkAn(*l-GM7dlePS1Epx(V(Wa z(PdABywc-Wz)uBibTT=qIqs-)T_bK{ z2F@(1!Sb_2`~f4fgN#|v*+HnX7cHR^IK&c zrK?K`_T?%{q(=Sozd_u=>xvlXf%`Tu$qsVN%i{k^O7A`^t=yoa0b{Y0lBy^Z=7zo3 zB&Z%-*N_WI>RiH}6;45?7~ezIH)mtR6;ssv6cRC{IAKiSUlWOK1YaJ9?$Mg%rUJsB6xZ-)3)s$F*@ mPuTE$k``U0h^{HW?d(xDe8D|ka2D&IbZ7smK2~R`|3CoFdSLDV literal 0 HcmV?d00001 diff --git a/client/src/components/Generic/HeaderLogo.tsx b/client/src/components/Generic/HeaderLogo.tsx index 3702651..ecdcc9f 100644 --- a/client/src/components/Generic/HeaderLogo.tsx +++ b/client/src/components/Generic/HeaderLogo.tsx @@ -17,7 +17,7 @@ export const HeaderLogo: FC = ({ sx }) => { alt="Logo" height={40} priority - src="images/logo.gif" + src="images/logo.webp" width={40} /> { return ( setServerUrl(event.target.value)} - size='small' + label="Backend server URL" + // onChange={(event) => setServerUrl(event.target.value)} + size="small" value={serverUrl} /> ); diff --git a/client/src/components/Pages/Home/Home.tsx b/client/src/components/Pages/Home/Home.tsx index 930898a..3060274 100644 --- a/client/src/components/Pages/Home/Home.tsx +++ b/client/src/components/Pages/Home/Home.tsx @@ -30,12 +30,12 @@ export const Home = () => { CSPJ Application Attack Simulator - + */} { // contexts @@ -18,6 +19,7 @@ export const SqlInjectionLogin = () => { const [passwordValueRaw, setPasswordValueRaw] = useState(""); const [errorMsg, setErrorMsg] = useState(""); const [loginLoading, setLoginLoading] = useState(false); + const [secured, setSecured] = useState(false); const nextClickEvent = async () => { // reset the error messages 
@@ -35,9 +37,11 @@ export const SqlInjectionLogin = () => { // start loading indicator setLoginLoading(true); + const endpointUrl = serverUrl + (secured ? "/secure-login-sql" : "/unsecure-login-sql"); + try { // make request good - const response = await fetch(serverUrl + "/register-sql", { + const response = await fetch(endpointUrl, { method: "POST", headers: { "Content-Type": "application/json", @@ -100,7 +104,7 @@ export const SqlInjectionLogin = () => { label="Email" onChange={(e: { target: { value: string } }) => setEmailValueRaw(e.target.value)} size="small" - type="email" + type="text" value={emailValueRaw} sx={{ mb: 2 }} variant="outlined" @@ -122,9 +126,20 @@ export const SqlInjectionLogin = () => { sx={{ display: "flex", flexDirection: "row", - justifyContent: "end", + justifyContent: "space-between", }} > + { + setSecured(e.target.checked); + }} + /> + } + label="Use secure endpoint" + /> { // contexts @@ -25,6 +25,7 @@ export const SqlInjectionRegister = () => { ); const [passwordStrengthInfo, setPasswordStrengthInfo] = useState("Enter a password"); const [registerLoading, setRegisterLoading] = useState(false); + const [secured, setSecured] = useState(false); let newPasswordStrengthInfo = "Enter a password"; @@ -105,9 +106,12 @@ export const SqlInjectionRegister = () => { // start loading indicator setRegisterLoading(true); + // construct endpoint url + const endpointUrl = serverUrl + (secured ? "/secure-register-sql" : "/unsecure-register-sql"); + try { // make request good - const response = await fetch(serverUrl + "/secure-register-sql", { + const response = await fetch(endpointUrl, { method: "POST", headers: { "Content-Type": "application/json", @@ -171,7 +175,7 @@ export const SqlInjectionRegister = () => { label="Email" onChange={(e: { target: { value: string } }) => setEmailValueRaw(e.target.value)} size="small" - type="email" + type="text" value={emailValueRaw} sx={{ mb: 2 }} variant="outlined" 
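Review bot: The email field changes from `type="email"` to `type="text"` in the `@@ -100,7 +104,7 @@` hunk without a word on why the browser-side format check is being dropped, and the same silent change appears in SqlInjectionRegister.tsx at `@@ -171,7 +175,7 @@`. A later reader is likely to "fix" it back, so a one-line comment at each site in the style this PR already uses between JSX attributes (see the `// onChange=...` line in ServerUrlInput.tsx) would help, e.g. `// plain text, not type="email": the demo needs to send arbitrary strings to the server`. Whatever the input type, the server endpoints remain the only place where the input is actually validated, so nothing client-side should be read as a safety measure either way. Both enclosing components start and end outside their hunks.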
@@ -237,9 +241,20 @@ export const SqlInjectionRegister = () => { sx={{ display: "flex", flexDirection: "row", - justifyContent: "end", + justifyContent: "space-between", }} > + { + setSecured(e.target.checked); + }} + /> + } + label="Use secure endpoint" + /> ("disconnected"); // store the url of the backend server -export const serverUrlAtom = atom(""); +// TODO: let user enter their own backend server url +export const serverUrlAtom = atom("http://localhost:5000"); diff --git a/server/internal/db/db.go b/server/internal/db/db.go index 88d1369..7847787 100644 --- a/server/internal/db/db.go +++ b/server/internal/db/db.go @@ -8,6 +8,7 @@ import ( "net/http" "github.com/jackc/pgx/v5/pgxpool" + "golang.org/x/crypto/bcrypt" ) // db connection info @@ -75,6 +76,17 @@ func DbHealthCheck(w http.ResponseWriter, r *http.Request) { // setup demo db func SetupDemoDb(w http.ResponseWriter, r *http.Request) { + // default password for demo users + defaultPassword := "Password!23" + + // Hash the default password + hashedPassword, err := bcrypt.GenerateFromPassword([]byte(defaultPassword), bcrypt.DefaultCost) + if err != nil { + http.Error(w, "Error hashing password", http.StatusInternalServerError) + log.Printf("Error hashing password: %v", err) + return + } + // create table and insert demo data createTableSQL := ` CREATE TABLE IF NOT EXISTS users ( 
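Review bot: A single bcrypt hash is generated here and then bound three times in the follow-up hunks (`$1`, `$2`, `$3` in `@@ -87,13 +99,13 @@`, and `hashedPassword, hashedPassword, hashedPassword` in `@@ -101,7 +113,7 @@`), so alice, bob and charlie are stored with byte-identical password hashes. bcrypt salts every `GenerateFromPassword` call precisely so that users who share a password do not share a stored hash; with one hash reused, anyone who can read the `users` table can see at a glance that the three demo accounts have the same password. Hash once per demo user and bind each result separately, as sketched below; note that moving the `err` declaration into the loop means the create-table `Exec` must go back to `:=`. `defaultPassword` also deserves a comment marking it as the shared demo credential rather than a production default, since it is now a hard-coded secret in source. SetupDemoDb's body continues past the end of the hunk.

```go
	// default password shared by the demo users (demo credential, not a production default)
	defaultPassword := "Password!23"

	// hash once per user: bcrypt salts each call, so identical passwords
	// must not end up sharing a stored hash
	demoHashes := make([]any, 0, 3)
	for i := 0; i < 3; i++ {
		hashed, err := bcrypt.GenerateFromPassword([]byte(defaultPassword), bcrypt.DefaultCost)
		if err != nil {
			http.Error(w, "Error hashing password", http.StatusInternalServerError)
			log.Printf("Error hashing password: %v", err)
			return
		}
		demoHashes = append(demoHashes, hashed)
	}

	// … unchanged: createTableSQL / insertDataSQL …

	// execute create table
	_, err := DbPool.Exec(context.Background(), createTableSQL)
	// … unchanged: create-table error handling …

	// execute insert demo data
	_, err = DbPool.Exec(context.Background(), insertDataSQL, demoHashes...)
```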
@@ -87,13 +99,13 @@ func SetupDemoDb(w http.ResponseWriter, r *http.Request) { // avoid duplicate entries and specify roles insertDataSQL := ` INSERT INTO users (email, password, role) VALUES - ('alice@example.com', 'asdfalicepassword', 'user'), - ('bob@example.com', 'asdfbobpassword', 'user'), - ('charlie@example.com', 'asdfcharliepassword', 'admin') + ('alice@example.com', $1, 'user'), + ('bob@example.com', $2, 'user'), + ('charlie@example.com', $3, 'admin') ` // execute create table - _, err := DbPool.Exec(context.Background(), createTableSQL) + _, err = DbPool.Exec(context.Background(), createTableSQL) if err != nil { http.Error(w, "Failed to create table", http.StatusInternalServerError) log.Printf("Error creating table: %v", err) @@ -101,7 +113,7 @@ func SetupDemoDb(w http.ResponseWriter, r *http.Request) { } // execute insert demo data - _, err = DbPool.Exec(context.Background(), insertDataSQL) + _, err = DbPool.Exec(context.Background(), insertDataSQL, hashedPassword, hashedPassword, hashedPassword) if err != nil { http.Error(w, "Failed to insert demo data", http.StatusInternalServerError) log.Printf("Error inserting demo data: %v", err) diff --git a/server/internal/http_server/http_server.go b/server/internal/http_server/http_server.go index 3772679..ba22a59 100644 --- a/server/internal/http_server/http_server.go +++ b/server/internal/http_server/http_server.go 
@@ -21,8 +21,11 @@ func ServeApi() { http.HandleFunc("/setup-demo-db", db.SetupDemoDb) http.HandleFunc("/nuke-db", db.NukeDb) http.HandleFunc("/fetch-all-users", db.FetchAllUsers) + http.HandleFunc("/unsecure-register-sql", sql_injection.UnsecureRegisterSql) http.HandleFunc("/secure-register-sql", sql_injection.SecureRegisterSql) + http.HandleFunc("/unsecure-login-sql", sql_injection.UnsecureLoginSql) http.HandleFunc("/secure-login-sql", sql_injection.SecureLoginSql) + log.Println("Server is running on http://localhost:5000") if err := http.ListenAndServe(":5000", nil); err != nil { log.Fatalf("Failed to start server: %v", err) diff --git a/server/internal/sql_injection/sql_injection.go b/server/internal/sql_injection/sql_injection.go index 273ce6d..892151d 100644 --- a/server/internal/sql_injection/sql_injection.go +++ b/server/internal/sql_injection/sql_injection.go @@ -59,6 +59,7 @@ func UnsecureRegisterSql(w http.ResponseWriter, r *http.Request) { // hash the password hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost) + fmt.Println(hashedPassword) if err != nil { http.Error(w, "Error hashing password", http.StatusInternalServerError) return
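Review bot: The added `log.Println("Server is running on http://localhost:5000")` announces a localhost address, but the `http.ListenAndServe(":5000", nil)` two lines below binds every interface, so the newly registered `/unsecure-register-sql` and `/unsecure-login-sql` handlers are reachable from any host that can route to this machine, not just the local browser the demo is meant for. For a server that intentionally exposes vulnerable endpoints, bind explicitly to loopback, `http.ListenAndServe("127.0.0.1:5000", nil)`, or at least make the log line state the real bind address. A short comment above the two `unsecure-*` registrations saying they are intentionally vulnerable teaching endpoints would also keep them from being mistaken for a real API later. ServeApi starts before this hunk and its closing brace is after it.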
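Review bot: `fmt.Println(hashedPassword)` writes the bcrypt hash of every newly registered password to stdout, and because it sits before the `err != nil` check it runs even when hashing failed and `hashedPassword` is nil. The hash is not the plaintext, but it is credential material that now lands in whatever captures this process's output, and printed via `%v` it is an unreadable decimal byte list anyway, so this reads as a debugging leftover that should simply be deleted. If a trace of the hashing step is wanted, log a fixed message with no value in it, e.g. `log.Println("registration password hashed")`. UnsecureRegisterSql begins before this hunk and continues after it.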