From f68467a7d79d52bc9204c6f7e3a41e975393560c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 15 Jul 2025 18:25:22 +0000 Subject: [PATCH] Complete security demonstration website with educational vulnerabilities Co-authored-by: EmrageGHC <121496375+EmrageGHC@users.noreply.github.com> --- .gitignore | 2 + security-demo/README.md | 141 +++++++++++++++++ security-demo/dashboard.html | 72 +++++++++ security-demo/dashboard.js | 198 ++++++++++++++++++++++++ security-demo/index.html | 54 +++++++ security-demo/login.js | 119 +++++++++++++++ security-demo/styles.css | 286 +++++++++++++++++++++++++++++++++++ 7 files changed, 872 insertions(+) create mode 100644 security-demo/README.md create mode 100644 security-demo/dashboard.html create mode 100644 security-demo/dashboard.js create mode 100644 security-demo/index.html create mode 100644 security-demo/login.js create mode 100644 security-demo/styles.css diff --git a/.gitignore b/.gitignore index 84c048a..e9b4b48 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ /build/ +.gradle/ +.idea/ diff --git a/security-demo/README.md b/security-demo/README.md new file mode 100644 index 0000000..b2ad6c4 --- /dev/null +++ b/security-demo/README.md @@ -0,0 +1,141 @@ +# Security Demonstration Website + +⚠️ **WARNING: This website contains intentional security vulnerabilities for educational purposes only. DO NOT use any of these patterns in production applications!** + +## Overview + +This demonstration website shows common security vulnerabilities that can compromise login credentials and user data. It's designed to educate developers about what NOT to do when building web applications. + +## How to Use + +1. Open `index.html` in a web browser +2. Use the demo credentials: `admin` / `password123` +3. Explore the dashboard to see various vulnerabilities in action +4. Open browser developer tools (F12) to see console logs exposing sensitive data + +## Security Vulnerabilities Demonstrated + +### 1. Plain Text Password Storage +- **Location**: `login.js` and localStorage +- **Issue**: Passwords stored in plain text in localStorage and JavaScript variables +- **Real-world impact**: Anyone with access to the device can see passwords + +### 2. Client-Side Authentication +- **Location**: `login.js` +- **Issue**: Authentication logic runs entirely in the browser +- **Real-world impact**: Can be easily bypassed by modifying JavaScript + +### 3. XSS (Cross-Site Scripting) Vulnerabilities +- **Location**: `dashboard.js` - command execution function +- **Issue**: User input directly inserted into HTML using innerHTML +- **Demo**: Try entering `` in the command field +- **Real-world impact**: Attackers can execute malicious scripts + +### 4. SQL Injection Simulation +- **Location**: `dashboard.js` - user search function +- **Issue**: User input directly concatenated into SQL query +- **Demo**: Try searching for `' OR 1=1 --` +- **Real-world impact**: Database compromise, data theft + +### 5. Information Disclosure +- **Location**: Throughout the application +- **Issues**: + - Credentials exposed in console logs + - Session data visible in browser + - Error messages reveal system information + - Debug functions exposed globally + +### 6. No Brute Force Protection +- **Location**: `login.js` +- **Issue**: No rate limiting or account lockout +- **Real-world impact**: Attackers can try unlimited password combinations + +### 7. Insecure Data Transmission +- **Location**: URL parameters in dashboard redirect +- **Issue**: Credentials passed in URL parameters +- **Real-world impact**: Passwords visible in browser history, server logs + +### 8. CSRF (Cross-Site Request Forgery) Vulnerability +- **Location**: `dashboard.js` - admin functions +- **Issue**: No CSRF tokens or verification +- **Real-world impact**: Malicious sites can perform actions on behalf of users + +### 9. Eval() Injection +- **Location**: `dashboard.js` - command execution +- **Issue**: Using eval() with user input +- **Demo**: Try command `eval:alert('Code injection')` +- **Real-world impact**: Arbitrary code execution + +### 10. Exposed Debug Functions +- **Location**: `dashboard.js` - global window functions +- **Issue**: Administrative functions accessible via browser console +- **Demo**: Try `window.adminFunctions.deleteAllUsers()` in console + +## Educational Points + +### What Developers Should Do Instead: + +1. **Password Security**: + - Hash passwords with strong algorithms (bcrypt, Argon2) + - Never store plain text passwords + - Use secure session management + +2. **Authentication**: + - Implement server-side authentication + - Use secure session tokens + - Implement proper logout procedures + +3. **Input Validation**: + - Sanitize all user inputs + - Use parameterized queries + - Implement proper output encoding + +4. **Access Controls**: + - Implement rate limiting + - Use CSRF tokens + - Require proper authorization for admin functions + +5. **Data Protection**: + - Use HTTPS for all communications + - Implement proper error handling + - Don't expose sensitive data in logs or console + +## Testing the Vulnerabilities + +### XSS Testing: +1. Go to the dashboard +2. In the "Execute Command" field, enter: `` +3. Click Execute to see the XSS in action + +### SQL Injection Testing: +1. In the "User Search" field, enter: `admin'; DROP TABLE users; --` +2. See how the vulnerable query construction is exposed + +### Authentication Bypass: +1. Open browser console (F12) +2. Type: `window.bypassLogin()` and press Enter +3. See how client-side authentication can be bypassed + +### Session Data Exposure: +1. Open browser console +2. Type: `localStorage` to see stored credentials +3. Type: `window.currentSessionData` to see exposed session information + +## Files Structure + +- `index.html` - Login page with vulnerable authentication +- `dashboard.html` - Admin dashboard with multiple vulnerabilities +- `styles.css` - Styling for the demonstration +- `login.js` - Vulnerable login logic +- `dashboard.js` - Vulnerable dashboard functionality +- `README.md` - This documentation + +## Disclaimer + +This code is provided for educational purposes only. The vulnerabilities demonstrated here are intentional and should never be implemented in production applications. Always follow security best practices when developing real applications. + +## Learning Resources + +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Web Security Academy](https://portswigger.net/web-security) +- [Mozilla Developer Network Security](https://developer.mozilla.org/en-US/docs/Web/Security) \ No newline at end of file diff --git a/security-demo/dashboard.html b/security-demo/dashboard.html new file mode 100644 index 0000000..c24f1fe --- /dev/null +++ b/security-demo/dashboard.html @@ -0,0 +1,72 @@ + + + + + + Admin Dashboard - Vulnerable Demo + + + +
+
+ ⚠️ EDUCATIONAL DEMO - INTENTIONALLY VULNERABLE ⚠️ +
+ +
+
+

Admin Dashboard

+ +
+ +
+
+
+

Users

+

1,234

+
+
+

Active Sessions

+

56

+
+
+

Security Alerts

+

⚠️ MANY

+
+
+ +
+

Admin Actions

+
+

Execute Command (XSS Vulnerable):

+ + +
+
+ +
+

User Search (SQL Injection Vulnerable Simulation):

+ + +
+
+ +
+

System Information:

+
+

Server: vulnerable-demo.local

+

Database: mysql://admin:password123@localhost/users

+

Session ID:

+

Stored Credentials:

+
+
+
+
+
+
+ + + + \ No newline at end of file diff --git a/security-demo/dashboard.js b/security-demo/dashboard.js new file mode 100644 index 0000000..05dab9e --- /dev/null +++ b/security-demo/dashboard.js @@ -0,0 +1,198 @@ +// VULNERABLE DASHBOARD SCRIPT - FOR EDUCATIONAL PURPOSES ONLY +// This script contains intentional security vulnerabilities + +// Check if user is "authenticated" (vulnerability: client-side check only) +window.addEventListener('DOMContentLoaded', function() { + const urlParams = new URLSearchParams(window.location.search); + const userCredentials = JSON.parse(localStorage.getItem('userCredentials') || '{}'); + + // Vulnerability 1: Authentication data in URL parameters + const urlUser = urlParams.get('user'); + const urlPass = urlParams.get('pass'); + + if (!userCredentials.username && !urlUser) { + alert('Access denied! Redirecting to login...'); + window.location.href = 'index.html'; + return; + } + + // Vulnerability 2: Display sensitive information + const currentUser = userCredentials.username || urlUser || 'Unknown'; + document.getElementById('currentUser').textContent = currentUser; + + // Vulnerability 3: Expose session information + const sessionId = userCredentials.sessionId || urlParams.get('session') || 'no-session'; + document.getElementById('sessionId').textContent = sessionId; + + // Vulnerability 4: Display stored credentials in plain text + document.getElementById('storedCreds').innerHTML = + `Username: ${userCredentials.username || 'N/A'}, + Password: ${userCredentials.password || 'N/A'}`; + + // Vulnerability 5: Log sensitive data to console + console.log('User logged in:', { + username: currentUser, + credentials: userCredentials, + urlParams: Object.fromEntries(urlParams) + }); +}); + +// Vulnerability 6: XSS in command execution +function executeCommand() { + const command = document.getElementById('commandInput').value; + const output = document.getElementById('commandOutput'); + + // NEVER use innerHTML with user input! + output.innerHTML = `Executing: ${command}
`; + + // Simulate command execution with XSS vulnerability + if (command.toLowerCase().includes('alert')) { + // This allows XSS attacks + output.innerHTML += `
+ Command result: ${command} + +
`; + } else if (command.toLowerCase().includes('script')) { + // Another XSS vector + output.innerHTML += `
${command}
`; + } else { + output.innerHTML += `
+ Command "${command}" executed successfully!
+ Output: System response for ${command} +
`; + } + + // Vulnerability 7: Eval injection + if (command.startsWith('eval:')) { + try { + const code = command.substring(5); + eval(code); // NEVER do this! + output.innerHTML += `
⚠️ Eval executed: ${code}
`; + } catch (e) { + output.innerHTML += `
Eval error: ${e.message}
`; + } + } +} + +// Vulnerability 8: SQL Injection simulation +function searchUsers() { + const searchTerm = document.getElementById('searchInput').value; + const results = document.getElementById('searchResults'); + + // Simulate SQL injection vulnerability + let query = `SELECT * FROM users WHERE username LIKE '%${searchTerm}%'`; + + results.innerHTML = `SQL Query:
${query}

`; + + // Show how SQL injection might work + if (searchTerm.includes("'") || searchTerm.includes(';') || searchTerm.includes('--')) { + results.innerHTML += `
+ ⚠️ SQL INJECTION DETECTED!
+ Malicious query detected: ${searchTerm}
+ In a real application, this could expose the entire database!

+ Simulated exposed data:
+ • admin:password123
+ • user1:123456
+ • user2:qwerty
+ • All credit card numbers
+ • All personal information +
`; + } else { + // Normal search simulation + const fakeResults = [ + 'admin (Administrator)', + 'testuser (Test User)', + 'guest (Guest User)' + ].filter(user => user.toLowerCase().includes(searchTerm.toLowerCase())); + + if (fakeResults.length > 0) { + results.innerHTML += 'Results:
' + + fakeResults.map(user => `• ${user}`).join('
'); + } else { + results.innerHTML += 'No users found.'; + } + } +} + +// Vulnerability 9: Insecure logout +function logout() { + // Vulnerability: Not properly clearing sensitive data + localStorage.removeItem('userCredentials'); + + // Vulnerability: Sensitive data still in memory/console + console.log('User logged out, but session data may still be accessible'); + + // Vulnerability: No server-side session invalidation + alert('Logged out! (Note: In a real app, server-side session should be invalidated)'); + + window.location.href = 'index.html'; +} + +// Vulnerability 10: Expose admin functions globally +window.adminFunctions = { + deleteAllUsers: function() { + console.log('🔓 VULNERABILITY: Admin function exposed!'); + alert('All users deleted! (Simulated)'); + }, + + resetPasswords: function() { + console.log('🔓 VULNERABILITY: Password reset function exposed!'); + alert('All passwords reset to "123456"! (Simulated)'); + }, + + exportData: function() { + console.log('🔓 VULNERABILITY: Data export function exposed!'); + const sensitiveData = { + users: ['admin', 'user1', 'user2'], + passwords: ['password123', '123456', 'qwerty'], + creditCards: ['4111-1111-1111-1111', '4222-2222-2222-2222'], + ssn: ['123-45-6789', '987-65-4321'] + }; + console.log('Exported sensitive data:', sensitiveData); + alert('Sensitive data exported to console!'); + } +}; + +// Vulnerability 11: Automatic data exposure +setInterval(function() { + // Continuously expose sensitive information + window.currentSessionData = { + user: document.getElementById('currentUser').textContent, + sessionId: document.getElementById('sessionId').textContent, + loginTime: new Date().toISOString(), + permissions: ['read', 'write', 'admin', 'delete'], + apiKeys: { + database: 'db_key_12345', + payment: 'pay_key_67890', + admin: 'admin_key_abcde' + } + }; +}, 1000); + +// Vulnerability 12: Debug panel +if (window.location.search.includes('debug=true')) { + document.body.insertAdjacentHTML('beforeend', ` +
+ 🔓 DEBUG MODE
+
+
+
+ +
+ `); +} + +// Vulnerability 13: CSRF vulnerability +window.performAdminAction = function(action) { + // No CSRF protection + console.log(`Performing admin action: ${action}`); + alert(`Admin action "${action}" executed! (No CSRF protection)`); +}; + +// Auto-expose vulnerabilities in console +console.log('🔓 Available vulnerability demonstrations:'); +console.log('• Try: executeCommand() with XSS payload like '); +console.log('• Try: searchUsers() with SQL injection like \' OR 1=1 --'); +console.log('• Try: window.adminFunctions.deleteAllUsers()'); +console.log('• Try: Add ?debug=true to URL for debug panel'); +console.log('• Check: window.currentSessionData for exposed session info'); \ No newline at end of file diff --git a/security-demo/index.html b/security-demo/index.html new file mode 100644 index 0000000..7364261 --- /dev/null +++ b/security-demo/index.html @@ -0,0 +1,54 @@ + + + + + + Vulnerable Login Demo - Educational Purpose + + + +
+
+ ⚠️ EDUCATIONAL DEMO - INTENTIONALLY VULNERABLE ⚠️ +

This website contains deliberate security vulnerabilities for educational purposes only.

+
+ +
+

Admin Login

+
+
+ + +
+
+ + +
+ +
+ +
+ +
+

Demo Credentials:

+

Username: admin

+

Password: password123

+

Try different combinations to see vulnerabilities in action!

+
+
+ +
+

Security Vulnerabilities Demonstrated:

+ +
+
+ + + + \ No newline at end of file diff --git a/security-demo/login.js b/security-demo/login.js new file mode 100644 index 0000000..2a8914f --- /dev/null +++ b/security-demo/login.js @@ -0,0 +1,119 @@ +// VULNERABLE LOGIN SCRIPT - FOR EDUCATIONAL PURPOSES ONLY +// This script contains intentional security vulnerabilities + +// Vulnerability 1: Plain text password storage +const STORED_CREDENTIALS = { + username: 'admin', + password: 'password123' // NEVER store passwords in plain text! +}; + +// Vulnerability 2: Expose credentials in global scope +window.adminCredentials = STORED_CREDENTIALS; + +// Vulnerability 3: No rate limiting - allows brute force attacks +let loginAttempts = 0; + +document.getElementById('loginForm').addEventListener('submit', function(e) { + e.preventDefault(); + + const username = document.getElementById('username').value; + const password = document.getElementById('password').value; + const messageDiv = document.getElementById('loginMessage'); + + loginAttempts++; + + // Vulnerability 4: Expose attempt count in console (information disclosure) + console.log(`Login attempt #${loginAttempts} for user: ${username}`); + console.log('Stored credentials:', STORED_CREDENTIALS); + + // Vulnerability 5: Client-side authentication (easily bypassed) + if (username === STORED_CREDENTIALS.username && password === STORED_CREDENTIALS.password) { + // Vulnerability 6: Store credentials in localStorage (insecure) + localStorage.setItem('userCredentials', JSON.stringify({ + username: username, + password: password, // NEVER store passwords! + loginTime: new Date().toISOString(), + sessionId: Math.random().toString(36).substr(2, 9) + })); + + // Vulnerability 7: Store session in URL parameters + window.location.href = `dashboard.html?user=${username}&pass=${password}&session=${Math.random().toString(36)}`; + + } else { + // Vulnerability 8: Information disclosure - revealing valid usernames + if (username === STORED_CREDENTIALS.username) { + messageDiv.innerHTML = `
+ Incorrect password for user "${username}". Try again! +
`; + } else { + messageDiv.innerHTML = `
+ User "${username}" not found. Valid username is "admin". +
`; + } + + // Vulnerability 9: XSS vulnerability - using innerHTML with user input + setTimeout(() => { + messageDiv.innerHTML = `
+ Failed login attempt for: ${username}
+ + Attempts: ${loginAttempts} +
`; + }, 1000); + } +}); + +// Vulnerability 10: Expose sensitive functions globally +window.bypassLogin = function() { + console.log('🔓 VULNERABILITY: Login bypass function exposed!'); + localStorage.setItem('userCredentials', JSON.stringify({ + username: 'admin', + password: 'password123', + loginTime: new Date().toISOString(), + sessionId: 'bypassed-session' + })); + window.location.href = 'dashboard.html?bypassed=true'; +}; + +// Vulnerability 11: Debug mode exposure +window.DEBUG_MODE = true; +if (window.DEBUG_MODE) { + console.log('🔓 DEBUG MODE ENABLED - Security features disabled!'); + console.log('🔓 Use window.bypassLogin() to bypass authentication!'); + console.log('🔓 Stored credentials:', STORED_CREDENTIALS); +} + +// Vulnerability 12: Eval injection vulnerability +window.executeUserCode = function(code) { + try { + // NEVER use eval() with user input! + eval(code); + } catch (e) { + console.error('Code execution error:', e); + } +}; + +// Vulnerability 13: Expose localStorage contents +setInterval(() => { + if (window.DEBUG_MODE) { + console.log('Current localStorage:', localStorage); + } +}, 5000); + +// Vulnerability 14: CSRF token simulation (but it's predictable) +window.csrfToken = 'csrf_' + Date.now(); // Predictable token +console.log('CSRF Token:', window.csrfToken); + +// Add some visual feedback for demo purposes +document.addEventListener('DOMContentLoaded', function() { + const usernameField = document.getElementById('username'); + const passwordField = document.getElementById('password'); + + // Show credential hints on focus (bad practice) + usernameField.addEventListener('focus', function() { + console.log('Hint: Try "admin"'); + }); + + passwordField.addEventListener('focus', function() { + console.log('Hint: Try "password123"'); + }); +}); \ No newline at end of file diff --git a/security-demo/styles.css b/security-demo/styles.css new file mode 100644 index 0000000..3941e94 --- /dev/null +++ b/security-demo/styles.css @@ -0,0 +1,286 @@ +/* CSS Styles for Vulnerable Demo */ +* { + margin: 0; + padding: 0; + box-sizing: border-box; +} + +body { + font-family: 'Arial', sans-serif; + background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); + min-height: 100vh; + display: flex; + align-items: center; + justify-content: center; +} + +.container { + width: 100%; + max-width: 800px; + margin: 20px; +} + +.warning-banner { + background: #ff4444; + color: white; + padding: 15px; + text-align: center; + border-radius: 8px; + margin-bottom: 20px; + font-weight: bold; + box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1); +} + +.warning-banner p { + margin-top: 5px; + font-size: 14px; + font-weight: normal; +} + +.login-form { + background: white; + padding: 40px; + border-radius: 12px; + box-shadow: 0 10px 30px rgba(0, 0, 0, 0.2); + margin-bottom: 20px; +} + +.login-form h2 { + text-align: center; + margin-bottom: 30px; + color: #333; + font-size: 28px; +} + +.form-group { + margin-bottom: 20px; +} + +.form-group label { + display: block; + margin-bottom: 8px; + color: #555; + font-weight: bold; +} + +.form-group input { + width: 100%; + padding: 12px; + border: 2px solid #ddd; + border-radius: 6px; + font-size: 16px; + transition: border-color 0.3s; +} + +.form-group input:focus { + outline: none; + border-color: #667eea; +} + +button { + width: 100%; + padding: 12px; + background: #667eea; + color: white; + border: none; + border-radius: 6px; + font-size: 16px; + cursor: pointer; + transition: background 0.3s; +} + +button:hover { + background: #5a6fd8; +} + +#loginMessage { + margin-top: 15px; + padding: 10px; + border-radius: 4px; + text-align: center; +} + +.demo-credentials { + background: #f8f9fa; + padding: 20px; + border-radius: 8px; + margin-top: 20px; + text-align: center; +} + +.demo-credentials h3 { + color: #333; + margin-bottom: 10px; +} + +.vulnerability-info { + background: white; + padding: 30px; + border-radius: 12px; + box-shadow: 0 10px 30px rgba(0, 0, 0, 0.2); +} + +.vulnerability-info h3 { + color: #d73527; + margin-bottom: 15px; +} + +.vulnerability-info ul { + list-style-type: none; + padding-left: 0; +} + +.vulnerability-info li { + padding: 8px 0; + border-bottom: 1px solid #eee; +} + +.vulnerability-info li:before { + content: "🔓 "; + margin-right: 8px; +} + +/* Dashboard Styles */ +.dashboard { + background: white; + border-radius: 12px; + box-shadow: 0 10px 30px rgba(0, 0, 0, 0.2); + overflow: hidden; +} + +.dashboard-header { + background: #667eea; + color: white; + padding: 20px 30px; + display: flex; + justify-content: space-between; + align-items: center; +} + +.dashboard-header h1 { + font-size: 24px; +} + +.user-info { + display: flex; + align-items: center; + gap: 15px; +} + +.user-info button { + width: auto; + padding: 8px 16px; + background: #ff4444; + font-size: 14px; +} + +.dashboard-content { + padding: 30px; +} + +.stats-grid { + display: grid; + grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); + gap: 20px; + margin-bottom: 30px; +} + +.stat-card { + background: #f8f9fa; + padding: 20px; + border-radius: 8px; + text-align: center; + border: 1px solid #e9ecef; +} + +.stat-card h3 { + color: #495057; + margin-bottom: 10px; +} + +.stat-number { + font-size: 24px; + font-weight: bold; + color: #667eea; +} + +.admin-panel { + border-top: 2px solid #e9ecef; + padding-top: 30px; +} + +.admin-panel h3 { + color: #333; + margin-bottom: 20px; +} + +.action-section { + background: #f8f9fa; + padding: 20px; + border-radius: 8px; + margin-bottom: 20px; +} + +.action-section h4 { + color: #495057; + margin-bottom: 15px; +} + +.action-section input { + width: calc(100% - 120px); + margin-right: 10px; + margin-bottom: 10px; +} + +.action-section button { + width: 100px; + padding: 12px; +} + +#commandOutput, #searchResults { + margin-top: 15px; + padding: 15px; + background: #fff; + border: 1px solid #ddd; + border-radius: 4px; + min-height: 50px; +} + +#systemInfo { + background: #fff; + padding: 15px; + border-radius: 4px; + border: 1px solid #ddd; +} + +#systemInfo p { + margin-bottom: 8px; + font-family: monospace; +} + +/* Mobile Responsiveness */ +@media (max-width: 768px) { + .container { + margin: 10px; + } + + .login-form, .dashboard-content { + padding: 20px; + } + + .dashboard-header { + flex-direction: column; + gap: 15px; + text-align: center; + } + + .action-section input { + width: 100%; + margin-right: 0; + margin-bottom: 10px; + } + + .action-section button { + width: 100%; + } +} \ No newline at end of file