This workshop demonstrates common web application security vulnerabilities, specifically:
- SQL Injection attacks
- Cross-Site Scripting (XSS) attacks
The application is a simple login system built with Node.js, Express, and SQLite that contains deliberate security flaws for educational purposes.
Prerequisites:
- Node.js (version 14 or higher)
- npm

Install and run:

```bash
npm install
npm start
```

The application will start on http://localhost:3000
Test credentials:
- Username: `alice`
- Password: `password123`
```js
const query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
```

This code directly concatenates user input into the SQL query without sanitization.
Method 1: Comment-based bypass
- Username: `alice'--`
- Password: (anything or leave empty)
- Result:

```sql
SELECT * FROM users WHERE username = 'alice'--' AND password = 'anything'
```

Method 2: Always-true condition
- Username: `alice' OR '1'='1'--`
- Password: (anything)
- Result:

```sql
SELECT * FROM users WHERE username = 'alice' OR '1'='1'--' AND password = 'anything'
```

Method 3: Union-based attack
- Username: `' UNION SELECT 1,'admin','fake' --`
- Password: (anything)
- Result: Creates a fake admin user in the result set
```js
// Use parameterized queries: the driver binds the values, so they are
// never interpreted as SQL syntax
const query = "SELECT * FROM users WHERE username = ? AND password = ?";
db.get(query, [username, password], (err, row) => {
  // Handle result
});
```

The welcome page has a second flaw:

```html
<h1>Welcome, ${username}</h1>
```

User input is directly inserted into HTML without encoding.

- Username: `<script>alert('XSS Attack!')</script>`
- Password: Use any SQL injection payload to bypass authentication
- Result: JavaScript executes in the browser
```js
// HTML encode user input. The ampersand must be replaced first, otherwise the
// entities produced by the later replacements would be encoded a second time.
const escapeHtml = (unsafe) => {
  return unsafe
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
};
```

```html
<h1>Welcome, ${escapeHtml(username)}</h1>
```

Exercises:
- Examine the code in `server.js`
- Find the line where SQL injection is possible
- Understand why this code is vulnerable
- Start the application (`npm start`)
- Navigate to http://localhost:3000
- Try the SQL injection payloads listed above
- Observe the console logs to see the malicious SQL queries
- Try to login without knowing the correct password
- Try to access other users' accounts
- Experiment with different SQL injection payloads
- Modify the code to use parameterized queries
- Test that normal login still works
- Verify that SQL injection attacks no longer work
- Try the XSS payload after bypassing authentication
- Implement HTML encoding to prevent script execution
- Test that the fix works
For educational purposes, you can view all users in the database:
- GET http://localhost:3000/_debug/users
Payload reference:

```sql
-- Authentication bypass
admin'--
admin'/*
' OR '1'='1'--
' OR 1=1--
-- Union-based information extraction
' UNION SELECT username, password FROM users--
' UNION SELECT 1,2,3--
-- Boolean-based blind injection
' AND '1'='1'--
' AND '1'='2'--
```

SQL injection attacks can lead to:
- Data breaches - Unauthorized access to sensitive data
- Authentication bypass - Login without credentials
- Data manipulation - Modifying or deleting database records
- System compromise - In some cases, executing system commands
Mitigations:
- Use parameterized queries/prepared statements
- Input validation - Whitelist acceptable input
- Principle of least privilege - Database users should have minimal permissions
- Regular security audits - Code reviews and penetration testing
- Keep software updated - Apply security patches promptly
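The following is an added example, not the workshop's `server.js`: it places the README's vulnerable string concatenation beside the semantics of the parameterized fix and the allow-list validation from the mitigation list. The `USERS` array is a constructed in-memory stand-in for the workshop's SQLite table (so it runs without the `sqlite3` module), and the username allow-list is an assumed policy, not the workshop's.

```javascript
// Added example (not the workshop's server.js). USERS is a constructed
// in-memory stand-in for the workshop's SQLite table; passwords are stored
// in plaintext only because that is the workshop's schema.
const USERS = [
  { id: 1, username: "alice", password: "password123" }, // from the README
  { id: 2, username: "bob", password: "hunter2" },       // constructed row
];

// The vulnerable pattern: user input is spliced into SQL syntax, so a quote
// ends the string literal and "--" comments out the password check.
function buildUnsafeQuery(username, password) {
  return "SELECT * FROM users WHERE username = '" + username +
    "' AND password = '" + password + "'";
}

// What binding parameters guarantees: each value is compared as one opaque
// string, so quotes, "--" and OR never reach the SQL parser. With sqlite3
// this is db.get(sql, [username, password], cb); the same comparison is
// modelled here over the in-memory table.
function lookupUser(users, username, password) {
  const row = users.find(
    (u) => u.username === username && u.password === password
  );
  return row || null;
}

// Defence in depth: allow-list the username format (assumed policy) so
// malformed input is refused before any query runs.
const USERNAME_RE = /^[a-z0-9_]{3,32}$/;
function isValidUsername(username) {
  return typeof username === "string" && USERNAME_RE.test(username);
}

// Hardened login logic, independent of Express: returns the user row or
// null and appends an audit line for every rejected attempt, so the console
// logs record the attempt instead of executing the attacker's SQL.
function login(users, username, password, audit = []) {
  if (!isValidUsername(username)) {
    audit.push(`rejected login: malformed username ${JSON.stringify(username)}`);
    return null;
  }
  return lookupUser(users, username, password);
}

// Payloads quoted from this README; login() refuses each of them.
const PAYLOADS = ["alice'--", "alice' OR '1'='1'--", "' UNION SELECT 1,'admin','fake' --"];
```

Calling `login(USERS, p, "anything", audit)` for each entry of `PAYLOADS` returns `null` and leaves one audit line per attempt, while `login(USERS, "alice", "password123", audit)` still returns alice's row.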