Vomitblood/cspj-application
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
34 commits 1 branch 0 tags 3.6 MiB
TypeScript 53.7%
Go 32%
Kotlin 6%
CSS 3.7%
Python 2.3%
Other 2.3%
Go to file
Vomitblood de2a35905e tidy server code
2025-01-14 04:15:32 +08:00
client login and registration unsecured 2025-01-14 03:50:45 +08:00
docker added registration 2025-01-14 02:39:24 +08:00
server tidy server code 2025-01-14 04:15:32 +08:00
server-ml cleanup gitignore 2024-12-02 20:54:51 +08:00
.gitignore cleanup gitignore 2024-12-02 20:54:51 +08:00
.prettierrc asdf 2025-01-13 20:08:15 +08:00
.tool-versions cleanup 2024-11-11 21:19:25 +08:00
README.md removed bcrypt; too secure haha 2025-01-14 04:12:55 +08:00

README.md

cspj application

attacks

  1. sql injection
  2. xss
  3. command injection
  4. file inclusion attacks
  5. csrf
  6. directory traversal
  7. insecure deserialization
  8. session hijacking
  9. xml external entity injection
  10. sever side request forgery
  11. broken authentication and session management
  12. clickjacking

backend

backend-for-frontend server

!remember to set the environment variables !include this in the setup instructions !should we use a .env file and let the user set the variables?

PGHOST=localhost PGPORT=5432 PGDATABASE=asdfdb PGUSER=asdfuser PGPASSWORD=asdfpassword

Server

!only listening on localhost is supported. DO NOT run this on a public ip.

  • /health
  • /health-db
  • /setup-demo-db
  • /nuke-db
  • /fetch-all-users

SQL Injection

Use ' OR 1=1; --

  • /unsecure-register-sql
  • /secure-register-sql
  • /unsecure-login-sql
  • /secure-login-sql

1. Parameterization of Queries

Used pool.Query() with a parameterized query, instead of dynamically constructing the SQL query by directly inserting the user input.
Parameterized queries separate the SQL code from the data, so user input is never directly put into the query's structure. Placeholders are used instead, and the data is passed as parameters. The DB will treat them as data, not executable code.