A lesson on web application security
Hack This is a simple full-stack web application that contains several security vulnerabilities. The application can be used to demonstrate how mistakes by developers can lead to compromised security.
Warning
Do not use the code found in this repository in production. Also, do not use it to do anything illegal or to exploit systems that you do not own or have permission to enter. For educational purposes only.
Note
For a fixed (secure) version of the application, see the fixed branch. If you want to run the fixed version locally, switch to the fixed branch, reinstall dependencies and reinitialize the database.
Follow the instructions to set up the project.
- node version 18.7.0 or higher
- npm version 9.8.0 or higher
- sqlite3 should be installed
- git should be installed
- linux is recommended
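An added prerequisite check (not part of the hack-this repository) that verifies the versions listed above before you start the installation; it assumes node and npm report their version with --version and that you invoke the script with a --check flag:

```sh
#!/bin/sh
# Added example: checks the prerequisites listed in the README (node >= 18.7.0,
# npm >= 9.8.0, sqlite3, git, Linux recommended). Not part of the hack-this project.

# version_ge A B: exit 0 when dotted version A is >= B, compared component-wise as integers
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$ah" = "$a" ] && a="" || a="${a#*.}"
        [ "$bh" = "$b" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"        # a missing component counts as 0
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
    done
    return 0
}

# check_tool NAME MIN: NAME must be on PATH; when MIN is non-empty, its version
# (first line of "NAME --version", leading "v" stripped) must be >= MIN
check_tool() {
    name="$1"; min="$2"
    if ! command -v "$name" >/dev/null 2>&1; then
        echo "MISSING: $name"; return 1
    fi
    if [ -z "$min" ]; then
        echo "OK: $name"; return 0
    fi
    ver="$("$name" --version 2>/dev/null | head -n 1 | sed 's/^[^0-9]*//; s/[^0-9.].*$//')"
    if version_ge "$ver" "$min"; then
        echo "OK: $name $ver (>= $min)"
    else
        echo "TOO OLD: $name $ver (need >= $min)"; return 1
    fi
}

# check_all: runs every check and returns non-zero if any requirement is unmet
check_all() {
    status=0
    check_tool node 18.7.0 || status=1
    check_tool npm 9.8.0 || status=1
    check_tool sqlite3 "" || status=1
    check_tool git "" || status=1
    [ "$(uname -s)" = "Linux" ] || echo "NOTE: Linux is recommended; found $(uname -s)"
    return $status
}

if [ "${1:-}" = "--check" ]; then check_all; fi
```

Run it as sh check_prereqs.sh --check; a non-zero exit status means at least one prerequisite is missing or too old.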
An installation script has been written to automate the installation process. Install the application by running the script or follow the instructions below for a manual installation.
# Move to a directory where you wish to install the application
$ cd Downloads
# Get the script
$ wget https://raw.githubusercontent.com/rikurauhala/hack-this/main/scripts/install.sh
# Make it executable
$ chmod +x install.sh
# Run the script
$ ./install.sh
To install the application, start by downloading the source code from the project repository. You may use your preferred method, but for this example I am using the git clone command over SSH.
Change directory to the newly created folder containing the source code.
# Move into an appropriate directory where you want to store the source code
$ cd Downloads
# Get the source code
$ git clone git@github.com:rikurauhala/hack-this.git
# Move into the project directory
$ cd ./hack-this
The repository contains the source code of both the frontend and the backend. Let's set up the backend first.
See below for a list of commands to run. Fill in the environment variables DATABASE_URL, LOG_FILE_PATH and SECRET with your own values.
# Change directory into the backend folder
$ cd ./server
# Install dependencies
$ npm install
# Create and initialize the database
$ cd ./data
$ touch database.db
$ sqlite3 database.db < init.sql
# Create the .env file
$ cd ..
$ touch .env
$ echo DATABASE_URL="$(pwd)/data/database.db" >> .env
$ echo LOG_FILE_PATH="$(pwd)/data/log.txt" >> .env
$ echo SECRET="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 25 | head -n 1)" >> .env
Now let's install the frontend.
# Change directory into the frontend folder
$ cd ../web
# Install dependencies
$ npm install
Use the following commands to run the backend and frontend separately. Make sure you are in the correct directories for each command.
# Run the backend
$ npm run dev
# Run the frontend
$ npm start