# CSPJ Application

## HOW TO TEST

The IP address refers to the IP address that y'all configure for the VM.

### 1. DVWA (ignore)

DVWA is listening on port `80`, so in the browser no need to enter port number.  
Just navigate to the IP address.  
![dvwa-no-modsecurity](assets/screenshot_130225_040803.png)

### 2. ModSecurity DVWA

ModSecurity is listening on port `3331`, it is a proxy for DVWA.  
Go to `<ip>:3331` in the browser.  
![dvwa-modsecurity](assets/screenshot_130225_040940.png)

Go to the `Command Injection` tab.  
![dvwa-command-injection](assets/screenshot_130225_041013.png)

Enter in `127.0.0.1; ls`.  
![dvwa-command-injection-2](assets/screenshot_130225_041113.png)

If 401 Forbidden error is returned, ModSecurity is great success.  
![dvwa-modsecurity-forbidden](assets/screenshot_130225_041144.png)

### 3. Client + Backend Server + ML Model (ignore)

Start the `cspj-application` program, be it on Windows or Linux.  
Backend server is listening on port `3333`.  
At the top right of the program window, click on the red `Server disconnected` thingy.  
Enter the IP address, and make sure port is set to `3333`.  
Click connect, and it should turn green.  
![client-server-url](assets/screenshot_130225_042054.png)

Press the humongous blue `Setup/reset DB` button.  
Should see that DB setup was carried out.  
![client-db-setup](assets/screenshot_130225_042221.png)

Go to the `Login` tab.  
Enter:

- Email: `asdf@gmail.com`
- Password: `asdf`

Press next, and should see `Login successful`.  
![client-login-unsecure](assets/screenshot_130225_042610.png)

Turn on the secure endpoint switch.  
Enter:

- Email: `asdf@gmail.com' OR 1=1; --`
- Password: `randompasswordjakfl;dsjflkadsjlkf;sjkfl;dj;l`

Press next again.  
This time should fail.  
![client-login-secure](assets/screenshot_130225_042859.png)

Okay done.

## Everything below can ignore

## Setup

### Requirements

User to be added into `docker` group.

```bash
sudo usermod -aG docker $USER
```

## Services

- 3331: Apache + ModSecurity
- 3332: Suricata
- 3333: Backend server
- 3334: Python backend server
- 3335: PostgreSQL

1. PostgreSQL
2. ~~Python ML server~~
3. Backend server
4. ~~Suricata~~
5. Apache + ModSecurity
6. Client

## Presentation Flow

1. [video] start postgres: postgres docker compose -> start pg docker
2. [video] start backend: show main.go -> http.go -> db.go -> go build . -> ./server
3. [video] setup db: postman -> /nuke-db -> /setup-demo-db
4. skip account registration
5. [video] login account normally -> show normal login
6. [video] do sql injection on unsecure endpoint -> show success
7. [video] do sql injection on secure endpoint -> show unsuccess
8. [slides] show backend code, unsecure login endpoint -> show concatenation of sql query
9. [slides] show backend code, secure login endpoint -> parameterization of sql query
10. [video] start apache reverse proxy + modsecurity: docker compose file -> start docker
11. [video] change server url on client to reverse proxy -> do sql injection -> show rejection
12. [video] zaproxy scan endpoint: start zaproxy -> send first request to unsecure server endpoint with arguments -> include context -> start attack -> show breached
    1. `Content-Type: application/json`
    2. same as on top
13. [video] zaproxy scan reverse proxy: send first request to unsecure reverse proxy endpoint with argumens -> include context -> start attack -> show unbreached

## Server

!only listening on localhost is supported. DO NOT run this on a public ip.

- `/health`
- `/health-db`
- `/setup-demo-db`
- `/nuke-db`
- `/fetch-all-users`

### SQL Injection

Use `' OR 1=1; --`  
Use `tohyouxuan@gmail.com' UNION SELECT id, email, password FROM users WHERE email = 'tohyouxuan@gmail.com'; --`

- `/unsecure-register-sql`
- `/secure-register-sql`
- `/unsecure-login-sql`
- `/secure-login-sql`

#### 1. Parameterization of Queries

Used `pool.Query()` with a parameterized query, instead of dynamically constructing the SQL query by directly inserting the user input.  
Parameterized queries separate the SQL code from the data, so user input is never directly put into the query's structure. Placeholders are used instead, and the data is passed as parameters. The DB will treat them as data, not executable code.

## ZAP

`Content-Type: application/json`

```json
{
  "email": "tohyouxuan@gmail.com",
  "password": "testpassword"
}
```