Vomitblood/cspj-application
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
55 commits 1 branch 0 tags 3.6 MiB
TypeScript 53.7%
Go 32%
Kotlin 6%
CSS 3.7%
Python 2.3%
Other 2.3%
Go to file
Vomitblood 9caedb4480 added cli flags functionality
2025-02-13 02:44:44 +08:00
client added setup page 2025-02-13 02:43:35 +08:00
docker fixes for webdav client 2025-02-09 20:07:57 +08:00
dvwa asdf 2025-02-06 06:56:15 +08:00
server added cli flags functionality 2025-02-13 02:44:44 +08:00
server-ml added docker image for server-ml 2025-02-13 02:44:22 +08:00
sqlmap asdf 2025-02-06 08:36:41 +08:00
suricata asdf 2025-02-06 08:51:05 +08:00
.gitignore changed modsecurity logs location 2025-02-09 17:05:57 +08:00
.prettierrc asdf 2025-01-13 20:08:15 +08:00
.tool-versions docker modsecurity 2025-01-14 21:08:26 +08:00
README.md asdf 2025-02-13 02:44:26 +08:00

README.md

CSPJ Application

Setup

Requirements

User to be added into docker group.

sudo usermod -aG docker $USER

Services

  • 3331: Apache + ModSecurity
  • 3332: Suricata
  • 3333: Backend server
  • 3334: Python backend server
  • 3335: PostgreSQL
  1. PostgreSQL
  2. Python ML server
  3. Backend server
  4. Suricata
  5. Apache + ModSecurity
  6. Client

Presentation Flow

  1. [video] start postgres: postgres docker compose -> start pg docker
  2. [video] start backend: show main.go -> http.go -> db.go -> go build . -> ./server
  3. [video] setup db: postman -> /nuke-db -> /setup-demo-db
  4. skip account registration
  5. [video] login account normally -> show normal login
  6. [video] do sql injection on unsecure endpoint -> show success
  7. [video] do sql injection on secure endpoint -> show unsuccess
  8. [slides] show backend code, unsecure login endpoint -> show concatenation of sql query
  9. [slides] show backend code, secure login endpoint -> parameterization of sql query
  10. [video] start apache reverse proxy + modsecurity: docker compose file -> start docker
  11. [video] change server url on client to reverse proxy -> do sql injection -> show rejection
  12. [video] zaproxy scan endpoint: start zaproxy -> send first request to unsecure server endpoint with arguments -> include context -> start attack -> show breached
    1. Content-Type: application/json
    2. same as on top
  13. [video] zaproxy scan reverse proxy: send first request to unsecure reverse proxy endpoint with argumens -> include context -> start attack -> show unbreached

Server

!only listening on localhost is supported. DO NOT run this on a public ip.

  • /health
  • /health-db
  • /setup-demo-db
  • /nuke-db
  • /fetch-all-users

SQL Injection

Use ' OR 1=1; --
Use tohyouxuan@gmail.com' UNION SELECT id, email, password FROM users WHERE email = 'tohyouxuan@gmail.com'; --

  • /unsecure-register-sql
  • /secure-register-sql
  • /unsecure-login-sql
  • /secure-login-sql

1. Parameterization of Queries

Used pool.Query() with a parameterized query, instead of dynamically constructing the SQL query by directly inserting the user input.
Parameterized queries separate the SQL code from the data, so user input is never directly put into the query's structure. Placeholders are used instead, and the data is passed as parameters. The DB will treat them as data, not executable code.

ZAP

Content-Type: application/json

{
  "email": "tohyouxuan@gmail.com",
  "password": "testpassword"
}