This is the back-end repository for a full-stack application I built to demonstrate how SQL Injection attacks can be performed. The code in this project has been written with deliberate vulnerabilities to SQL Injection attacks. This is primarily accomplished through a lack of parameterised queries, which enables users on the front end to maliciously retrieve data through the login page of the application.
The concept of this app is a fake banking website that deliberately lacks proper authentication and includes SQL injection vulnerabilities on the back end. I also delivered a presentation on this project, the slides for which can be found in the link below:
Presentation Slides
Follow the link below (you may need to wait momentarily as the server wakes up):
LBM Banking
Try to log in without a password. Type 'Username' into the username field (this is a verified username in the database). In the same field, without any spaces, append an inverted comma and two hyphens. Your username field should look like this: Username'--
Next, fill the password field with any input you want. If you have filled the username field correctly, the database will be queried without a password. See my presentation slides for a visualisation of how this works.
Before you click 'Login', open the browser's console (right click -> 'Inspect' -> 'Console'). Now click 'Login' and watch what happens.
Because the authentication only requires some form of user data to be returned, you will be verified for entry, and should see the user data for the 'Username' user. Further logins could now be done with their actual password!
You can also break into the website with absolutely zero knowledge of any user data to begin with. This time, by manipulating the conditions of the SQL query from the login page, we can retrieve all user data AND enter the website. Use the following entry for the username field to execute this: 'OR 1=1 --
Once again, the password field requires an input, but this can be anything you want.
And voilà! If you check your console, you should see the data for all the users! And if you were really sneaky, you might even now log in with the admin account to see if there are any extra privileges...
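To show exactly where the bypass comes from and how parameterised queries close it, here is an added example that is not part of this repository: the project's stack is not stated above, so it uses Python's built-in sqlite3 with a constructed in-memory users table, and `authenticate` mirrors the README's "any row returned means logged in" rule.

```python
import sqlite3

# Constructed demo table standing in for the app's users table (not the project's schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("Username", "s3cret", "user"),
        ("admin", "hunter2", "admin"),
    ])
    db.commit()
    return db

def login_vulnerable(db, username, password):
    # String concatenation: the user's input becomes part of the SQL text, so a quote
    # closes the literal and '--' comments out the password check.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchall()

def login_parameterised(db, username, password):
    # Placeholders: the driver binds the values, so quotes and '--' stay inside the
    # string being compared and never reach the SQL parser.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

def authenticate(rows):
    # Mirrors the README's weak rule: any returned row counts as a successful login.
    return len(rows) > 0

if __name__ == "__main__":
    db = make_db()
    for user in ("Username'--", "'OR 1=1 --"):
        print(repr(user), "vulnerable:", login_vulnerable(db, user, "anything"),
              "parameterised:", login_parameterised(db, user, "anything"))
```

Running it shows the concatenated query returning one row for `Username'--` and every row for `'OR 1=1 --`, while the parameterised query returns nothing for either because it looks for a user literally named that.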
**DISCLAIMER:** All data used in this project is completely fake and was only created for the purposes of this demonstrative application. No real user data/money is at risk in the use of this app.