testers.ai

Security Vulnerabilities Demonstration

⚠️ Important Notice

This page contains intentional security vulnerabilities for testing and educational purposes only. These examples demonstrate common security mistakes that should NEVER be implemented in production code. Always follow security best practices and OWASP guidelines.

Security Vulnerabilities

The following examples demonstrate common security vulnerabilities:

1. Cross-Site Scripting (XSS) - Reflected

User input is directly inserted into HTML without sanitization:

// VIOLATION: Directly inserting user input into the DOM as HTML
document.getElementById('output').innerHTML = userInput;

2. Cross-Site Scripting (XSS) - Stored

User input stored and displayed without sanitization:

3. SQL Injection

User input directly concatenated into SQL queries:

// VIOLATION: SQL Injection via string concatenation
const query = "SELECT * FROM users WHERE username = '" + username +
  "' AND password = '" + password + "'";
// Try: username = "admin' OR '1'='1"

4. Exposed API Keys and Credentials

API keys and credentials hardcoded in client-side code:

VIOLATION - Exposed in JavaScript:
const API_KEY = "sk_live_51HqJ2KpQ7mN8xYz9AbC3dE4fG5hI6jK7lM8nO9pQ0rS1tU2vW3xY4z";
const AWS_SECRET = "AKIAIOSFODNN7EXAMPLE";
const DB_PASSWORD = "SuperSecretPassword123!";
const STRIPE_KEY = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";
// VIOLATION: Credentials in source code
const credentials = {
  username: 'admin',
  password: 'admin123',
  apiKey: 'sk_live_51HqJ2KpQ7mN8xYz9AbC3dE4fG5hI6jK7lM8nO9pQ0rS1tU2vW3xY4z'
};

5. Missing Security Headers

Critical security headers not set:

// VIOLATION: Missing security headers
// No Content-Security-Policy
// No X-Frame-Options
// No X-Content-Type-Options
// No Strict-Transport-Security
// No Referrer-Policy

6. Insecure Cookies

Cookies set without Secure, HttpOnly, or SameSite attributes:

// VIOLATION: Insecure cookie
document.cookie = "sessionId=abc123xyz"; // Missing: Secure, HttpOnly, SameSite

Check the browser's Application tab → Cookies to see the insecure cookie.

7. Clickjacking Vulnerability

Page can be embedded in iframe without protection:

<!-- VIOLATION: No X-Frame-Options header -->
<iframe src="https://vulnerable-site.com/login"></iframe>

8. Insecure Password Storage

Passwords stored in plain text or with weak hashing:

// VIOLATION: Plain text password storage
const users = {
  'admin': { password: 'admin123' },
  'user1': { password: 'password123' }
};

// VIOLATION: Weak MD5 hashing (fast, unsalted)
const hashedPassword = md5(password);

9. Missing Input Validation

No validation or sanitization of user input:

// VIOLATION: No file type/size validation
const file = document.getElementById('file-upload').files[0];
// No check for file type, size, or malicious content

10. Exposed Sensitive Information in Error Messages

Error messages reveal system information:

Database Error:
SQLSTATE[42S02]: Base table or view not found: 1146 Table 'production.users' doesn't exist
Stack trace: /var/www/html/database.php:45
Database: production_db
User: db_admin
Connection string: mysql://db_admin:password123@localhost:3306/production_db

11. Insecure Direct Object References (IDOR)

Direct access to resources without authorization check:

// VIOLATION: No authorization check
GET /api/users/12345
// Anyone can access any user ID by changing the number

12. Missing CSRF Protection

Forms submitted without CSRF tokens:

<!-- VIOLATION: No CSRF token -->
<form action="/api/transfer" method="POST">
  <input name="amount" value="1000">
  <input name="toAccount" value="attacker-account">
</form>

13. Insecure Random Number Generation

Using predictable random number generators:

// VIOLATION: Predictable random values used for security tokens
const sessionId = Math.random().toString(36);
const token = Date.now().toString();

14. Missing Rate Limiting

No protection against brute force attacks:

// VIOLATION: No rate limiting
function login(username, password) {
  // Can be called unlimited times
  return authenticate(username, password);
}

Secure Examples

The following examples demonstrate proper security practices:

1. XSS Prevention - Input Sanitization

// Compliant: Sanitize and escape user input
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };
  return text.replace(/[&<>"']/g, m => map[m]);
}
// textContent assigns the value as text, never as markup
document.getElementById('output').textContent = userInput;

2. SQL Injection Prevention - Parameterized Queries

// Compliant: Parameterized queries (input is bound as data, not SQL)
const query = "SELECT * FROM users WHERE username = ? AND password = ?";
db.query(query, [username, password]);

3. Secure API Key Management

// Compliant: API keys stored server-side only
// Never expose in client-side code
// Use environment variables or secure key management services
const apiKey = process.env.API_KEY; // Server-side only

4. Security Headers Set

// Compliant: Security headers
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin

5. Secure Cookies

// Compliant: Secure cookie
Set-Cookie: sessionId=abc123xyz; HttpOnly; Secure; SameSite=Strict; Path=/

6. Input Validation and Sanitization

// Compliant: Validate and sanitize input
function validateFile(file) {
  const allowedTypes = ['image/jpeg', 'image/png'];
  const maxSize = 5 * 1024 * 1024; // 5MB
  if (!allowedTypes.includes(file.type)) {
    throw new Error('Invalid file type');
  }
  if (file.size > maxSize) {
    throw new Error('File too large');
  }
  // file.type and file.size come from the client; repeat these checks server-side
  // Additional virus scanning...
}

7. Secure Password Storage

// Compliant: Strong password hashing (inside an async function)
const bcrypt = require('bcrypt');
const saltRounds = 12;
const hashedPassword = await bcrypt.hash(password, saltRounds);

8. CSRF Protection

// Compliant: CSRF token
<form action="/api/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="${csrfToken}">
  <input name="amount">
</form>

9. Secure Random Number Generation

// Compliant: Cryptographically secure random
const crypto = require('crypto');
const sessionId = crypto.randomBytes(32).toString('hex');
const token = crypto.randomBytes(16).toString('base64');

10. Rate Limiting

// Compliant: Rate limiting
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5 // limit each IP to 5 requests per windowMs
});
app.use('/api/login', limiter);
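Added example, not the page's code or the express-rate-limit package: a dependency-free fixed-window limiter with the same 15-minute / 5-attempt parameters, placed in front of the page's login() so the unlimited-calls violation above becomes a 429. The injectable clock, `authenticate` stand-in and response shapes are this example's assumptions.

```javascript
// Fixed-window limiter keyed by client identifier (the IP in the page's
// express-rate-limit config). `now` is injectable so the window can be
// advanced in tests instead of waiting 15 minutes.
class LoginRateLimiter {
  constructor({ windowMs = 15 * 60 * 1000, max = 5, now = Date.now } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }

  // Records one attempt for `key` if allowed. Every attempt counts, not only
  // failures, so a guessing loop is throttled regardless of outcome.
  check(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= this.windowMs) {
      w = { start: t, count: 0 };
      this.windows.set(key, w);
    }
    if (w.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + this.windowMs - t };
    }
    w.count += 1;
    return { allowed: true, remaining: this.max - w.count, retryAfterMs: 0 };
  }

  // Drop expired windows so the map does not grow without bound.
  prune() {
    const t = this.now();
    for (const [key, w] of this.windows) {
      if (t - w.start >= this.windowMs) this.windows.delete(key);
    }
  }
}

// The page's login() with the limiter in front of it. `authenticate` is a
// constructed stand-in for the real credential check.
function makeLogin(limiter, authenticate) {
  return function login(clientKey, username, password) {
    const verdict = limiter.check(clientKey);
    if (!verdict.allowed) {
      return { status: 429, retryAfterMs: verdict.retryAfterMs };
    }
    return authenticate(username, password)
      ? { status: 200 }
      : { status: 401, remaining: verdict.remaining };
  };
}
```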

11. Authorization Checks

// Compliant: Check authorization
function viewProfile(userId) {
  if (currentUser.id !== userId && !currentUser.isAdmin) {
    throw new Error('Unauthorized');
  }
  return getUserProfile(userId);
}

12. Secure Error Handling

// Compliant: Generic error messages
try {
  // database operation
} catch (error) {
  console.error('Database error:', error); // Log server-side only
  return { error: 'An error occurred. Please try again.' }; // Generic message
}

About This Page

This page is designed for:

Remember: Never implement these vulnerabilities in production code. Always follow security best practices and OWASP guidelines.