Let's Talk!
Let's Talk! is a quick n' dirty web app that demonstrates simple SQL and JavaScript vulnerabilities.
Web Stack
Layer | Solution |
---|---|
server | node.js + express |
database | Docker + MySQL |
front-end | materialize-css + jQuery |
Deployment
Install Docker (v17.04.0+) and a recent version of docker-compose (v1.12.0+, the one in Ubuntu artful will not work). On Windows, simply install Docker Toolbox. This is convenient, because Toolbox will install everything you need: the Docker engine, docker-compose, git, and the MinGW shell.
First, clone this repository.
git clone https://github.com/twlinux/lets-talk.git && cd lets-talk
The wrapper script lets_talk.sh makes it easier to launch this application. It should be cross-compatible with all UNIX environments, such as macOS, Linux, and fake Windows shells like Git shell (MinGW).
chmod +x lets_talk.sh # executable permission
./lets_talk.sh -h # show usage flags
./lets_talk.sh # connect to host port 8080
sudo PORT=80 ./lets_talk.sh # OR connect to host port 80
If you've DOSed the site with XSS, you can reset the database by deleting the letstalk_database docker volume. This is facilitated with the script: ./lets_talk.sh -d
mysql:latest error
If you are getting "mbind: Operation not permitted", edit the compose files to use mysql:5.7 instead.
Vulnerabilities (that I know of)
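Reports are found as multi-line comments in server.js. The command below prints each of those comment blocks, from the line containing "- HACK" through the closing */, prefixed with its line number, and opens the result in less at the first HACK line.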
awk '/- HACK/,/\*\//{printf("%-4s%s\n", NR":", $0)}' server/server.js | less -p '^.*HACK.*$'
More examples at https://twlinux.github.io/
Related Wikipedia articles
- Cross-site Scripting (XSS)
- SQL Injection (SQLi)
- Cross-Site Request Forgery (CSRF)
- Man in the Middle (MitM)