https://github.com/twlinux/lets-talk
Intentionally vulnerable website that demonstrates beginner-level injection vulnerabilities
https://github.com/twlinux/lets-talk
sqli vulnerabilities xss
Last synced: 19 days ago
JSON representation
Intentionally vulnerable website that demonstrates beginner-level injection vulnerabilities
- Host: GitHub
- URL: https://github.com/twlinux/lets-talk
- Owner: twlinux
- License: mit
- Created: 2018-01-14T01:27:46.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2019-03-28T05:04:26.000Z (about 6 years ago)
- Last Synced: 2024-11-18T11:40:53.528Z (6 months ago)
- Topics: sqli, vulnerabilities, xss
- Language: JavaScript
- Homepage:
- Size: 10.3 MB
- Stars: 10
- Watchers: 2
- Forks: 1
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-security-collection - **10**ζ - level injection vulnerabilities (<a id="8c5a692b5d26527ef346687e047c5c21"></a>ζΆι)
README
# Let's Talk!
[](https://github.com/twlinux/lets-talk/blob/master/LICENSE)
*Let's Talk!* is a quick n' dirty web app that demonstrates simple SQL and JavaScript vulnerabilities.
## Web Stack
| Layer | Solution |
|------------|---------------------------------------------------------------------------------|
| server | [node.js + express](https://expressjs.com/) |
| database | [Docker + MySQL](https://hub.docker.com/r/mysql/mysql-server/) |
| front-end | [materialize-css](http://materializecss.com/) + [jQuery](https://jquery.com/) |
## Deployment
Install [docker](https://www.docker.com/what-container) (v17.04.0+) and a recent version of [**docker-compose**](https://github.com/docker/compose) (v1.12.0+, the one in Ubuntu artful will not work). On **Windows**, simply install [**Docker Toolbox**](https://docs.docker.com/toolbox/toolbox_install_windows/). This is convenient, because *Toolbox* will install everything you need: the Docker engine, docker-compose, git, and the MINGW shell.
First, clone this repository.
```bash
git clone https://github.com/twlinux/lets-talk.git && cd lets-talk
```
The wrapper script `lets_talk.sh` makes it easier to launch this application. It should be cross-compatible with all UNIX environments, such as MacOS, Linux, and fake Windows shells like GIT shell (MinGW).
```bash
chmod +x lets_talk.sh # executable permission
./lets_talk.sh -h # show usage flags
./lets_talk.sh # connect to host port 8080
sudo PORT=80 ./lets_talk.sh # OR connect to host port 80
```
If you've DOSed the site with XSS, you can reset the database by deleting the `letstalk_database` docker volume. This is facilitated with the script: `./lets_talk.sh -d`.
### mysql:latest error
If you are getting `mbind: Operation not permitted`, edit the compose files to use `mysql:5.7` instead.
## Vulnerabilities
*(that I know of)*
Reports are found as multi-line comments in server.js.
```bash
awk '/- HACK/,/\*\//{printf("%-4s%s\n", NR":", $0)}' server/server.js | less -p '^.*HACK.*$'
```
More examples at https://twlinux.github.io/
- [JavaScript XSS Payloads](https://twlinux.github.io/2018-02-06-js-payloads/)
- [Cookie Theft](https://twlinux.github.io/2018-02-18-hijacking/)
- [Cross-site Request Forgery](https://twlinux.github.io/2018-02-19-csrf/)
Related Wikipedia articles
- [Cross-site Scripting (XSS)](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS))
- [SQL Injection (SQLi)](https://www.owasp.org/index.php/SQL_Injection)
- [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
- [Man in the Middle (MitM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
## Too easy?
- https://google-gruyere.appspot.com/
- https://github.com/ethicalhack3r/DVWA
- https://information.rapid7.com/metasploitable-download.html
