# CSPJ Application

## Services

- 3331: Apache + ModSecurity
- 3332: Suricata
- 3333: Backend server
- 3334: Python backend server
- 3335: PostgreSQL

1. PostgreSQL
2. ~~Python ML server~~
3. Backend server
4. ~~Suricata~~
5. Apache + ModSecurity
6. Client

## Presentation Flow

1. [video] start postgres: postgres docker compose -> start pg docker
2. [video] start backend: show main.go -> http.go -> db.go -> go build . -> ./server
3. [video] setup db: postman -> /nuke-db -> /setup-demo-db
4. skip account registration
5. [video] login account normally -> show normal login
6. [video] do sql injection on unsecure endpoint -> show success
7. [video] do sql injection on secure endpoint -> show unsuccess
8. [slides] show backend code, unsecure login endpoint -> show concatenation of sql query
9. [slides] show backend code, secure login endpoint -> parameterization of sql query
10. [video] start apache reverse proxy + modsecurity: docker compose file -> start docker
11. [video] change server url on client to reverse proxy -> do sql injection -> show rejection
12. [video] zaproxy scan endpoint: start zaproxy -> send first request to unsecure server endpoint with arguments -> include context -> start attack -> show breached
    1. `Content-Type: application/json`
    2. same as on top
13. [video] zaproxy scan reverse proxy: send first request to unsecure reverse proxy endpoint with argumens -> include context -> start attack -> show unbreached

## Server

!only listening on localhost is supported. DO NOT run this on a public ip.

- `/health`
- `/health-db`
- `/setup-demo-db`
- `/nuke-db`
- `/fetch-all-users`

### SQL Injection

Use `' OR 1=1; --`  
Use `tohyouxuan@gmail.com' UNION SELECT id, email, password FROM users WHERE email = 'tohyouxuan@gmail.com'; --`

- `/unsecure-register-sql`
- `/secure-register-sql`
- `/unsecure-login-sql`
- `/secure-login-sql`

#### 1. Parameterization of Queries

Used `pool.Query()` with a parameterized query, instead of dynamically constructing the SQL query by directly inserting the user input.  
Parameterized queries separate the SQL code from the data, so user input is never directly put into the query's structure. Placeholders are used instead, and the data is passed as parameters. The DB will treat them as data, not executable code.

## ZAP

`Content-Type: application/json`

```json
{
  "email": "tohyouxuan@gmail.com",
  "password": "testpassword"
}
```