Go to file

Vomitblood ec31b5318a removed bcrypt; too secure haha		2025-01-14 04:12:55 +08:00
client	login and registration unsecured	2025-01-14 03:50:45 +08:00
docker	added registration	2025-01-14 02:39:24 +08:00
server	removed bcrypt; too secure haha	2025-01-14 04:12:55 +08:00
server-ml	cleanup gitignore	2024-12-02 20:54:51 +08:00
.gitignore	cleanup gitignore	2024-12-02 20:54:51 +08:00
.prettierrc	asdf	2025-01-13 20:08:15 +08:00
.tool-versions	cleanup	2024-11-11 21:19:25 +08:00
README.md	removed bcrypt; too secure haha	2025-01-14 04:12:55 +08:00

README.md

cspj application

attacks

sql injection
xss
command injection
file inclusion attacks
csrf
directory traversal
insecure deserialization
session hijacking
xml external entity injection
sever side request forgery
broken authentication and session management
clickjacking

backend

backend-for-frontend server

!remember to set the environment variables !include this in the setup instructions !should we use a .env file and let the user set the variables?

PGHOST=localhost PGPORT=5432 PGDATABASE=asdfdb PGUSER=asdfuser PGPASSWORD=asdfpassword

Server

!only listening on localhost is supported. DO NOT run this on a public ip.

/health
/health-db
/setup-demo-db
/nuke-db
/fetch-all-users

SQL Injection

Use ' OR 1=1; --

/unsecure-register-sql
/secure-register-sql
/unsecure-login-sql
/secure-login-sql

1. Parameterization of Queries

Used pool.Query() with a parameterized query, instead of dynamically constructing the SQL query by directly inserting the user input.
Parameterized queries separate the SQL code from the data, so user input is never directly put into the query's structure. Placeholders are used instead, and the data is passed as parameters. The DB will treat them as data, not executable code.