Vulnerable Code

const express = require("express");
const sqlite3 = require("sqlite3").verbose();
const app = express();

const db = new sqlite3.Database("users.db");

app.use(express.urlencoded({ extended: true }));

app.get("/profile", (req, res) => {
    const id = req.query.id;

    db.all(`SELECT * FROM users WHERE id = ${id}`, (err, rows) => {
        if (err) {
            return res.send("Database error");
        }
        res.send(rows);
    });
});

app.post("/login", (req, res) => {
    const username = req.body.username;
    const password = req.body.password;

    db.get(
        `SELECT * FROM users WHERE username='${username}' AND password='${password}'`,
        (err, row) => {
            if (row) {
                res.cookie("user", username);
                res.send("Logged in");
            } else {
                res.send("Invalid credentials");
            }
        }
    );
});

app.get("/redirect", (req, res) => {
    const next = req.query.next;
    res.redirect(next);
});

app.get("/search", (req, res) => {
    const q = req.query.q;
    res.send(`<h1>Results for: ${q}</h1>`);
});

app.listen(3000);

Findings

1. SQL Injection in /profile: The id parameter is directly concatenated into the SQL query without validation or parameterization. An attacker can manipulate the query to retrieve unauthorized data from the database.

2. SQL Injection in /login: Both username and password are inserted directly into the SQL statement. This can allow authentication bypass using payloads such as ' OR 1=1--.

3. Reflected Cross-Site Scripting (XSS) in /search: The q parameter is reflected into the HTML response without sanitization or output encoding. An attacker can execute arbitrary JavaScript in the victim's browser.

4. Open Redirect in /redirect: The application redirects users to the value supplied in the next parameter without validation. This can be abused for phishing attacks or redirecting users to malicious websites.

5. Insecure Cookie Configuration: The application sets a user cookie without security attributes such as HttpOnly, Secure, or SameSite, increasing the impact of XSS and other client-side attacks.

6. Plaintext Password Verification: The login functionality appears to compare passwords directly against database values, suggesting passwords may be stored in plaintext rather than using a secure hashing algorithm.