{"id":22540232,"url":"https://github.com/dmamakas2000/sql-injection-spring-security","last_synced_at":"2025-07-27T06:06:07.608Z","repository":{"id":188124229,"uuid":"678148111","full_name":"dmamakas2000/sql-injection-spring-security","owner":"dmamakas2000","description":"This repository implements the scenario of a SQL injection attack on a custom web server, using the Spring-Security Framework version 6.1.2, Spring-Web, Gradle, PostgreSQL for the management of the created database, Lombok, Thymeleaf, and Guava.","archived":false,"fork":false,"pushed_at":"2024-12-02T18:38:55.000Z","size":2881,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-09T21:45:36.660Z","etag":null,"topics":["gradle","guava","lombok","postgresql","spring-boot","spring-security","spring-web","thymeleaf"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dmamakas2000.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-13T20:53:41.000Z","updated_at":"2024-12-02T17:32:08.000Z","dependencies_parsed_at":"2024-12-02T18:39:57.991Z","dependency_job_id":null,"html_url":"https://github.com/dmamakas2000/sql-injection-spring-security","commit_stats":null,"previous_names":["dmamakas2000/sql-injection-spring-security"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/dmamakas2000/sql-injection-spring-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmamakas2000%2Fsql-in
jection-spring-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmamakas2000%2Fsql-injection-spring-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmamakas2000%2Fsql-injection-spring-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmamakas2000%2Fsql-injection-spring-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dmamakas2000","download_url":"https://codeload.github.com/dmamakas2000/sql-injection-spring-security/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmamakas2000%2Fsql-injection-spring-security/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267312259,"owners_count":24067774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-27T02:00:11.917Z","response_time":82,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gradle","guava","lombok","postgresql","spring-boot","spring-security","spring-web","thymeleaf"],"created_at":"2024-12-07T12:10:12.770Z","updated_at":"2025-07-27T06:06:07.586Z","avatar_url":"https://github.com/dmamakas2000.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SQL Injection Scenario Using Spring\nThis repository implements the scenario of a **SQL injection attack** on a custom web 
server, using the [#Spring-Security](https://spring.io/projects/spring-security) Framework version 6.1.2, [#Spring-Web](https://spring.io/web-applications), [#Gradle](https://gradle.org/), [#PostgreSQL](https://www.postgresql.org/) for the management of the created database, [#Lombok](https://projectlombok.org/), [#Thymeleaf](https://www.thymeleaf.org/), and [#Guava](https://github.com/google/guava). \n\nBelow, we are going to have a brief look at the exact SQL commands used to set up the demo database, along with detailed descriptions of each table. After that, we will demonstrate the use of the app using a step-by-step presentation of a malicious attack scenario!\n\n\u003cbr\u003e\n\n## 📢Note📢\n🎯Please, clone this repository before reading the description. Don't forget to like👍and share your thoughts😊.\n\n\u003cbr\u003e\n\u003cbr\u003e\n\n## Database Set Up\nAssuming PostgreSQL is properly installed on the end-system, we used the following command to create a demo database called GDPR.\n\n````sql\nCREATE DATABASE GDPR;\n````\n\n### Users Table\nThe users table contains the *id* field, which is the primary key and uniquely identifies each record in the table. The *username* field holds each user's username, and *salt* is a random string of 10 characters that is combined with the password before hashing, so that a stolen password table cannot be attacked with precomputed hashes. The *password* field holds the user's password hashed with the [MD5](https://en.wikipedia.org/wiki/MD5) hash function. The *last_modified* field records the date the password was last changed (it is used by the password-change feature described below). Finally, the *description* field holds a short textual description of each user. To create the table, the following SQL command was used.\n\n````sql\nCREATE TABLE users (id SERIAL PRIMARY KEY, username VARCHAR(100) NOT NULL, salt VARCHAR(50) NOT NULL,\npassword VARCHAR(1000) NOT NULL, last_modified VARCHAR(100) NOT NULL, description VARCHAR(1000) NOT NULL);\n````\n\nAnd for demonstration reasons, we could insert the following two initial users.\n\n````sql\nINSERT INTO users (username, salt, password, last_modified, description)\nVALUES('p3180102', 'zZzCylMVZq', '41e0d439817897cd9f6b50af0f4c1ab1', '2022-01-18T18:21:32.599599Z', 'None');\n````\n\n````sql\nINSERT INTO users (username, salt, password, last_modified, description)\nVALUES('admin', 'ViMwLywO8w', '2ddf79a32b82f2649b3c1add1553d9f3', '2022-01-18T18:23:09.567006Z', 'None');\n````\n\n### Logging Table\nEach row in this table records one login attempt. An attempt is characterized by a unique identifier *id*, the *username* that attempted to log into the application, the corresponding hashed *password*, the boolean *successful* field indicating whether the login succeeded, and a *date* field holding the exact date and time of the attempt.\nNote that if an attempt uses one of the two usernames stored in the database (p3180102 or admin), the password field records the MD5 hash of the password typed in the form combined with the salt retrieved from the database for that user. Otherwise, the login is rejected. To create the table, the following code was used.\n\n````sql\nCREATE TABLE logging (id SERIAL PRIMARY KEY, username VARCHAR(100) NOT NULL, password VARCHAR(1000)\nNOT NULL, successful boolean NOT NULL, date VARCHAR(100) NOT NULL);\n````\n\n\u003cbr\u003e\n\u003cbr\u003e\n\n## User Lock Feature 🔐\nFor security reasons, the application blocks the IP address of any client that performs more than two consecutive failed login attempts. The address rather than the user account is blocked because the design aims to rule out brute-force attacks entirely: an attacker can keep trying different usernames as well as different passwords, so a per-account lock alone would not stop them. Even an attacker who uses automated brute-force tooling to attempt a SQL injection attack is therefore locked out, and from that point on no further login attempts are recorded. Logging in becomes possible again after one day (24 hours); during that period the front end keeps showing the user an alert, and login attempts are not even recorded in the database.\n\n\u003cbr\u003e\n\u003cbr\u003e\n\n## Change Password Feature 🗝\nAfter a successful login, the back end checks whether ten days have passed since the password was last changed. If so, it redirects the user to a new page and asks for the password to be changed again for security reasons.\n\n\u003cbr\u003e\n\u003cbr\u003e\n\n## Demo Scenarios\n📌 You can click [here](scenarios/ip_block_scenario.md) to view an IP blocking demo scenario (after consecutive failed attempts).\n\n\u003cbr\u003e\n\n📌 You can click [here](scenarios/sql_injection_scenario.md) to view a SQL injection demo scenario. \n\n\u003cbr\u003e\n\u003cbr\u003e\n\n## License\nThis project is licensed under the **MIT License** - see the **[LICENSE](LICENSE)** file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmamakas2000%2Fsql-injection-spring-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdmamakas2000%2Fsql-injection-spring-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmamakas2000%2Fsql-injection-spring-security/lists"}