Let's Talk! is a quick n' dirty web app that demonstrates simple SQL and JavaScript vulnerabilities.
Layer | Solution |
---|---|
server | node.js + express |
database | Docker + MySQL |
front-end | materialize-css + jQuery |
Install docker (v17.04.0+) and a recent version of docker-compose (v1.12.0+, the one in Ubuntu artful will not work). On Windows, simply install Docker Toolbox. This is convenient, because Toolbox will install everything you need: the Docker engine, docker-compose, git, and the MINGW shell.
First, clone this repository.
git clone https://github.com/twlinux/lets-talk.git && cd lets-talk
The wrapper script lets_talk.sh
makes it easier to launch this application. It should be cross-compatible with all UNIX environments, such as MacOS, Linux, and fake Windows shells like GIT shell (MinGW).
chmod +x lets_talk.sh # executable permission
./lets_talk.sh -h # show usage flags
./lets_talk.sh # connect to host port 8080
sudo PORT=80 ./lets_talk.sh # OR connect to host port 80
If you've DOSed the site with XSS, you can reset the database by deleting the letstalk_database
docker volume. This is facilitated with the script: ./lets_talk.sh -d
.
If you are getting mbind: Operation not permitted
, edit the compose files to use mysql:5.7
instead.
(that I know of)
Reports are found as multi-line comments in server.js.
awk '/- HACK/,/\*\//{printf("%-4s%s\n", NR":", $0)}' server/server.js | less -p '^.*HACK.*$'
More examples at https://twlinux.github.io/
Related Wikipedia articles
- Cross-site Scripting (XSS)
- SQL Injection (SQLi)
- Cross-Site Request Forgery (CSRF)
- Man in the Middle (MitM)