Carlos Gutierrez b374c3b93e Adding the project for code injection and XSS vulnerability testing
This project is designed to help developers understand and mitigate code injection and XSS vulnerabilities. It includes a backend API and a frontend interface for testing various attack vectors in a controlled environment.
2026-02-01 19:57:08 -05:00

Secure Software Development Code Injection and XSS practices

This project aims to help developers understand and mitigate code injection and cross-site scripting (XSS) vulnerabilities in their applications. It provides best practices, examples, and tools to improve the security of software development.

Project Structure

    .
    ├── backend
    │   └── src
    │       ├── api
    │       │   ├── controller
    │       │   │   ├── controller.js
    │       │   │   └── secureController.js
    │       │   └── network
    │       │       ├── network.js
    │       │       └── secureNetwork.js
    │       ├── config
    │       │   └── config.js
    │       ├── index.js
    │       ├── query
    │       │   ├── database.js
    │       │   └── secureDatabase.js
    │       └── routes
    │           └── routes.js
    └── frontend
        ├── index.html
        └── src
            ├── api
            │   ├── auth.ts
            │   └── playground.ts
            ├── App.tsx
            ├── assets
            │   └── logo.png
            ├── components
            │   ├── atoms
            │   │   ├── InputField.tsx
            │   │   ├── PasswordField.tsx
            │   │   └── SubmitButton.tsx
            │   ├── molecules
            │   │   ├── EvalPlayground.tsx
            │   │   └── LoginFormFields.tsx
            │   ├── organisms
            │   │   └── LoginForm.tsx
            │   └── pages
            │       ├── CodePlayground.tsx
            │       ├── Header.tsx
            │       └── Login.tsx
            ├── constants
            │   └── app.ts
            ├── interfaces
            │   ├── auth.ts
            │   └── playground.ts
            ├── main.tsx
            ├── styles
            │   ├── App.module.scss
            │   ├── Header.module.scss
            │   └── Login.module.scss
            └── vite-env.d.ts

Endpoints

The backend exposes the following endpoints:

    Method  Endpoint              Description
    GET     /                     Home endpoint
    POST    /api/login            SQL Injection vulnerable login endpoint
    POST    /api/secure/login     Secure login endpoint preventing SQL Injection
    POST    /api/execute          eval() vulnerable code execution endpoint
    POST    /api/secure/execute   Secure code execution endpoint preventing code injection

Getting Started

Prerequisites

  • Node.js
  • npm or yarn
  • A database (PostgreSQL)

Installation

  1. Clone the repository:

    git clone https://github.com/CarGDev/CodeInjectionAssigment
    cd CodeInjectionAssigment
    
  2. Install backend dependencies:

    cd backend
    npm install
    
  3. Install frontend dependencies:

    cd ../frontend
    npm install
    

Running the Application

  1. Start the backend server:

    cd backend
    npm run dev
    
  2. Start the frontend development server:

    cd ../frontend
    npm run dev
    
  3. Open your browser and navigate to http://localhost:5173 to access the application.

Security Practices

The project implements the following security practices to mitigate code injection and XSS vulnerabilities:

  • Parameterized Queries: All database queries use parameterized statements to prevent SQL injection attacks.
  • Input Validation and Sanitization: User inputs are validated and sanitized to ensure they do not contain malicious code.
  • Avoiding eval(): The playground feature is sanitized to prevent the execution of arbitrary code.
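The three practices above as a standalone example; this is added illustration, not the project's own code. It assumes a users table with a password_hash column and returns the query in the { text, values } shape that pg-style clients accept, and it replaces eval() in the playground with a small arithmetic-only evaluator.

```javascript
// Added example, not the project's code. The users table and its columns
// are assumed; the query object matches the { text, values } shape of pg.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;        // allowlist, not a denylist
// Input validation + parameterized query: SQL text and values travel to the
// database separately, so input can never change the statement's structure.
// The returned password_hash is compared in application code (not shown).
function buildUserLookupQuery(username) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    throw new Error('invalid username');
  }
  return {
    text: 'SELECT id, password_hash FROM users WHERE username = $1',
    values: [username],
  };
}
// eval()-free playground: a recursive-descent evaluator for + - * / and
// parentheses over decimal literals. Identifiers, quotes, brackets and any
// other character become single tokens that are rejected before evaluation.
function safeEvaluate(expr) {
  const tokens = expr.match(/\d+(?:\.\d+)?|[-+*\/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (t === '(') { const v = sum(); if (next() !== ')') throw new Error('expected )'); return v; }
    if (t === '-') return -primary();                 // unary minus
    if (t !== undefined && /^\d/.test(t)) return Number(t);
    throw new Error(`unexpected token: ${t}`);
  }
  function product() {
    let v = primary();
    while (peek() === '*' || peek() === '/') v = next() === '*' ? v * primary() : v / primary();
    return v;
  }
  function sum() {
    let v = product();
    while (peek() === '+' || peek() === '-') v = next() === '+' ? v + product() : v - product();
    return v;
  }
  const result = sum();
  if (pos !== tokens.length) throw new Error(`unexpected token: ${peek()}`);
  return result;
}
```

A playground request body such as `process.exit(1)` never reaches anything that executes it: the first letter is an unknown token and the evaluator throws.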