Let's Talk! is a quick n' dirty web app that demonstrates simple SQL and JavaScript vulnerabilities.

Install docker (v17.04.0+) and a recent version of docker-compose (v1.12.0+, the one in Ubuntu artful will not work). On Windows, simply install Docker Toolbox. This is convenient, because Toolbox will install everything you need: the Docker engine, docker-compose, git, and the MINGW shell.

First, clone this repository.

git clone https://github.com/twlinux/lets-talk.git && cd lets-talk

The wrapper script lets_talk.sh makes it easier to launch this application. It should be cross-compatible with all UNIX environments, such as MacOS, Linux, and fake Windows shells like GIT shell (MinGW).

chmod +x lets_talk.sh           # executable permission
./lets_talk.sh -h               # show usage flags
./lets_talk.sh                  # connect to host port 8080
sudo PORT=80 ./lets_talk.sh     # OR connect to host port 80

If you've DOSed the site with XSS, you can reset the database by deleting the letstalk_database docker volume. This is facilitated with the script: ./lets_talk.sh -d.

If you are getting mbind: Operation not permitted, edit the compose files to use mysql:5.7 instead.

(that I know of)

Reports are found as multi-line comments in server.js.

awk '/- HACK/,/\*\//{printf("%-4s%s\n", NR":", $0)}' server/server.js | less -p '^.*HACK.*$'

More examples at https://twlinux.github.io/

• JavaScript XSS Payloads
• Cookie Theft
• Cross-site Request Forgery

Related Wikipedia articles

• Cross-site Scripting (XSS)
• SQL Injection (SQLi)
• Cross-Site Request Forgery (CSRF)
• Man in the Middle (MitM)

• https://google-gruyere.appspot.com/
• https://github.com/ethicalhack3r/DVWA
• https://information.rapid7.com/metasploitable-download.html