Chatsploit: A simple chat server used to demonstrate security problems in code
Chatsploit was developed specifically to help illustrate the issues discussed in the Open Web Application Security Project (OWASP) Top 10 2017 list of web application security risks. The application is used in conjunction with presentations on each of the security issues. The presentations have been included in this repository as well:
- Injection
- Broken Authentication (TODO)
- Sensitive Data Exposure (TODO)
- XML External Entities (XXE) (TODO)
- Broken Access Control (TODO)
- Security Misconfiguration (TODO)
- Cross-Site Scripting (TODO)
- Insecure Deserialization (TODO)
- Using components with known vulnerabilities (TODO)
- Insufficient Logging and Monitoring (TODO)
Please note: Chatsploit is only used for demonstrations of security vulnerabilities. You shouldn't use the code for anything other than learning about those issues.
- Download and install Node.js unless you have it already: https://nodejs.org/en/
- Clone the repository:
git clone https://github.com/johnhaldeman/chatsploit.git
- Install JavaScript dependencies:
npm install
- Install MS SQL Server. SQL Express is free to use: https://www.microsoft.com/en-us/sql-server/sql-server-editions-express
- Connect to your SQL Server instance, create a database and db login, then create the required tables:
CREATE TABLE dbo.users(
username char(255),
name char(255),
email char(255),
timejoined datetime
);
CREATE TABLE dbo.messages(
from_user char(255),
to_user char(255),
message varchar(max),
sent datetime NULL
);
- Provide the connection parameters for the SQL Server database you created by filling out the config.js file.
- Execute: npm start
Until the authentication demonstrations are in place, Chatsploit uses very basic file-based authentication. The credentials for the application are located in authdb/users.js.
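The Injection presentation is the one topic already covered, so the following added example (it is not code from the Chatsploit repository) shows the two ways a Node.js application can query the dbo.messages table created above: splicing user input into the statement text, and passing it as a bound parameter. The parameter-object shape mirrors what a parameterised client such as the `mssql` package accepts through `request.input(name, value).query(text)`; the function names, the `@to_user` parameter name and the sample inputs are this example's own. The structure check also generalises beyond the single apostrophe shown: any input that escapes the literal changes the skeleton and is flagged.

```javascript
// Added example, not part of the Chatsploit project: string concatenation
// versus bound parameters for a lookup in dbo.messages (schema from the
// setup steps). Helper names, the @to_user parameter and the sample inputs
// are assumptions made for this example.

// Anti-pattern: untrusted input becomes part of the statement text.
function buildUnsafeQuery(toUser) {
  return "SELECT from_user, message, sent FROM dbo.messages WHERE to_user = '" + toUser + "'";
}

// Fix: the statement text is a constant template; the value travels separately
// and the driver sends it as data, so it can never alter the statement's shape.
// A client like the `mssql` package would consume this as
// request.input('to_user', params.to_user).query(text).
function buildSafeQuery(toUser) {
  return {
    text: 'SELECT from_user, message, sent FROM dbo.messages WHERE to_user = @to_user',
    params: { to_user: toUser },
  };
}

// Simplified T-SQL model: replace every string literal ('...', with '' as the
// escaped quote) by '?' and return the remaining text, i.e. the part the
// parser treats as code rather than data. Two statements with the same
// skeleton have the same structure. Comments and [bracketed] identifiers are
// not modelled; anything unusual outside a literal simply shows up in the
// skeleton and is therefore flagged.
function sqlSkeleton(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    if (text[i] !== "'") { out += text[i]; i++; continue; }
    out += '?';                                    // placeholder for the whole literal
    i++;                                           // skip the opening quote
    for (;;) {
      if (i >= text.length) return out + '<unterminated>';
      if (text[i] === "'" && text[i + 1] === "'") { i += 2; continue; } // escaped quote
      if (text[i] === "'") { i++; break; }         // closing quote
      i++;
    }
  }
  return out.replace(/\s+/g, ' ').trim();
}

// Skeleton of the statement as the developer intended it (empty input keeps
// the literal intact and is the simplest reference).
const EXPECTED_SKELETON = sqlSkeleton(buildUnsafeQuery(''));

// True when the user-supplied value changed the structure of the concatenated
// statement, which is exactly the condition an injection relies on.
function inputChangedStructure(toUser) {
  return sqlSkeleton(buildUnsafeQuery(toUser)) !== EXPECTED_SKELETON;
}

// Constructed inputs: a plain username and a legitimate name containing an
// apostrophe. The second one breaks the concatenated statement even though it
// is not malicious, which is why escaping by hand is the wrong lesson and
// parameters are the right one.
for (const user of ['bob', "o'brien"]) {
  console.log(JSON.stringify(user),
    'unsafe structure changed:', inputChangedStructure(user),
    '| safe text constant:', buildSafeQuery(user).text === buildSafeQuery('bob').text);
}
```

Running the block prints `false` for `bob` and `true` for `o'brien` on the concatenated form, while the parameterised form keeps the same statement text for both and carries the value in `params`. The skeleton comparison is the same idea database firewalls and some WAFs use to detect a query whose structure differs from the application's known templates.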