
Intentionally vulnerable website that demonstrates beginner-level injection vulnerabilities

Primary language: JavaScript. License: MIT.

Let's Talk!


Let's Talk! is a quick n' dirty web app that demonstrates simple SQL and JavaScript vulnerabilities.

Web Stack

Layer      Solution
server     node.js + express
database   Docker + MySQL
front-end  materialize-css + jQuery

Deployment

Install docker (v17.04.0+) and a recent version of docker-compose (v1.12.0+, the one in Ubuntu artful will not work). On Windows, simply install Docker Toolbox. This is convenient, because Toolbox will install everything you need: the Docker engine, docker-compose, git, and the MINGW shell.

First, clone this repository.

git clone https://github.com/twlinux/lets-talk.git && cd lets-talk

The wrapper script lets_talk.sh makes it easier to launch this application. It should work in all UNIX environments, such as macOS and Linux, and in fake Windows shells like Git shell (MinGW).

chmod +x lets_talk.sh           # executable permission
./lets_talk.sh -h               # show usage flags
./lets_talk.sh                  # connect to host port 8080
sudo PORT=80 ./lets_talk.sh     # OR connect to host port 80

If you've DOSed the site with XSS, you can reset the database by deleting the letstalk_database docker volume. This is facilitated with the script: ./lets_talk.sh -d.


mysql:latest error

If you are getting mbind: Operation not permitted, edit the compose files to use mysql:5.7 instead.

Vulnerabilities

(that I know of)

Reports are found as multi-line comments in server.js.

awk '/- HACK/,/\*\//{printf("%-4s%s\n", NR":", $0)}' server/server.js | less -p '^.*HACK.*$'
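What the range pattern in that command selects, shown on a constructed file. This is an added example, not code from the repository: the comment layout in make_sample, the handler names and the hack_index helper (which goes one step further and lists one line range per report) are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for server/server.js; the real file is not reproduced here.
make_sample() {
    cat <<'EOF'
const express = require('express');
/*
 - HACK (constructed example report)
 User input is concatenated into the SQL string.
 */
app.get('/a', handlerA);
/* - HACK single-line report */
app.get('/b', handlerB);
EOF
}

# The README's range pattern: every line from one containing "- HACK"
# through the next one containing "*/", prefixed with its line number.
# When both patterns match on the same line, the range is that single line.
hack_reports() {
    awk '/- HACK/,/\*\//{printf("%-4s%s\n", NR":", $0)}' "$1"
}

# Hypothetical helper: print "start-end" line numbers for each report,
# which gives a quick inventory of the documented vulnerabilities.
hack_index() {
    awk '/- HACK/ && !inblk { start = NR; inblk = 1 }
         inblk && /\*\//    { print start "-" NR; inblk = 0 }' "$1"
}

sample=$(mktemp)
make_sample > "$sample"
hack_reports "$sample"
hack_index "$sample"
rm -f "$sample"
```

The opening `/*` on its own line is not part of the output, because the range starts at the "- HACK" line rather than at the comment opener.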

More examples at https://twlinux.github.io/

Related Wikipedia articles

Too easy?
