81 lines
2.5 KiB
Markdown
81 lines
2.5 KiB
Markdown
# CSPJ Application
|
|
|
|
## Setup
|
|
|
|
### Requirements
|
|
|
|
User to be added into `docker` group.
|
|
|
|
```bash
|
|
sudo usermod -aG docker $USER
|
|
```
|
|
|
|
## Services
|
|
|
|
- 3331: Apache + ModSecurity
|
|
- 3332: Suricata
|
|
- 3333: Backend server
|
|
- 3334: Python backend server
|
|
- 3335: PostgreSQL
|
|
|
|
1. PostgreSQL
|
|
2. ~~Python ML server~~
|
|
3. Backend server
|
|
4. ~~Suricata~~
|
|
5. Apache + ModSecurity
|
|
6. Client
|
|
|
|
## Presentation Flow
|
|
|
|
1. [video] start postgres: postgres docker compose -> start pg docker
|
|
2. [video] start backend: show main.go -> http.go -> db.go -> go build . -> ./server
|
|
3. [video] setup db: postman -> /nuke-db -> /setup-demo-db
|
|
4. skip account registration
|
|
5. [video] login account normally -> show normal login
|
|
6. [video] do sql injection on unsecure endpoint -> show success
|
|
7. [video] do sql injection on secure endpoint -> show unsuccess
|
|
8. [slides] show backend code, unsecure login endpoint -> show concatenation of sql query
|
|
9. [slides] show backend code, secure login endpoint -> parameterization of sql query
|
|
10. [video] start apache reverse proxy + modsecurity: docker compose file -> start docker
|
|
11. [video] change server url on client to reverse proxy -> do sql injection -> show rejection
|
|
12. [video] zaproxy scan endpoint: start zaproxy -> send first request to unsecure server endpoint with arguments -> include context -> start attack -> show breached
|
|
1. `Content-Type: application/json`
|
|
2. same as on top
|
|
13. [video] zaproxy scan reverse proxy: send first request to unsecure reverse proxy endpoint with argumens -> include context -> start attack -> show unbreached
|
|
|
|
## Server
|
|
|
|
!only listening on localhost is supported. DO NOT run this on a public ip.
|
|
|
|
- `/health`
|
|
- `/health-db`
|
|
- `/setup-demo-db`
|
|
- `/nuke-db`
|
|
- `/fetch-all-users`
|
|
|
|
### SQL Injection
|
|
|
|
Use `' OR 1=1; --`
|
|
Use `tohyouxuan@gmail.com' UNION SELECT id, email, password FROM users WHERE email = 'tohyouxuan@gmail.com'; --`
|
|
|
|
- `/unsecure-register-sql`
|
|
- `/secure-register-sql`
|
|
- `/unsecure-login-sql`
|
|
- `/secure-login-sql`
|
|
|
|
#### 1. Parameterization of Queries
|
|
|
|
Used `pool.Query()` with a parameterized query, instead of dynamically constructing the SQL query by directly inserting the user input.
|
|
Parameterized queries separate the SQL code from the data, so user input is never directly put into the query's structure. Placeholders are used instead, and the data is passed as parameters. The DB will treat them as data, not executable code.
|
|
|
|
## ZAP
|
|
|
|
`Content-Type: application/json`
|
|
|
|
```json
|
|
{
|
|
"email": "tohyouxuan@gmail.com",
|
|
"password": "testpassword"
|
|
}
|
|
```
|