🛡️ Web Application Vulnerabilities Lab

This lab teaches common web vulnerabilities through safe, browser-based simulations.

1. SQL Injection (Simulation)

Description: SQL Injection occurs when user input is concatenated directly into a database query instead of being passed as a parameter, so input containing a quote can change the structure of the query rather than just its data.

SELECT * FROM users WHERE username = 'input' AND password = 'input';

Exercise: Try entering a username that bypasses authentication.

Try something like ' OR '1'='1
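A runnable simulation of this section, added here as an example and not code from the lab page: it builds the query above from form values, evaluates it against a constructed in-memory user table, and contrasts it with a parameterized lookup. The `USERS` rows, `buildQueryUnsafe`, `runQuery` and `loginSafe` are assumed names for this illustration, and the mini evaluator only understands the lab's single WHERE shape.

```javascript
// Added example for this lab (not code from the lab page itself): a tiny
// in-memory "database" that shows why the lab's input  ' OR '1'='1  bypasses
// the login query, and what a parameterized lookup does instead. The mini
// evaluator below only understands the lab's single WHERE shape; the row
// data is constructed for the simulation.
const USERS = [
  { username: "alice", password: "correct horse" },
  { username: "bob", password: "hunter2" },
];

// VULNERABLE: form values are spliced straight into the SQL text, exactly as
// in the lab's query. A quote in the input closes the literal early and the
// rest of the input becomes SQL syntax.
function buildQueryUnsafe(username, password) {
  return `SELECT * FROM users WHERE username = '${username}' AND password = '${password}';`;
}

// Evaluates the lab's query shape against USERS, honouring SQL precedence
// (AND binds tighter than OR). Each comparison is <column or literal> = 'value'.
function runQuery(sql) {
  const where = sql.replace(/^.*WHERE\s+/, "").replace(/;$/, "");
  return USERS.filter((row) =>
    where.split(/\s+OR\s+/).some((clause) =>
      clause.split(/\s+AND\s+/).every((cmp) => {
        const m = /^(\w+|'[^']*')\s*=\s*'([^']*)'$/.exec(cmp.trim());
        if (!m) return false; // unparseable comparison: treat as false
        const left = m[1].startsWith("'") ? m[1].slice(1, -1) : row[m[1]];
        return left === m[2];
      })
    )
  );
}

// FIXED: the values never touch the query text; they are compared as data.
// That is what a parameterized query (placeholders such as ? or $1, with the
// values passed separately) gives you in a real database driver. In practice
// the stored password would be a salted hash, not plaintext.
function loginSafe(username, password) {
  return USERS.filter((r) => r.username === username && r.password === password);
}

// The lab's input in both fields: the WHERE clause becomes
//   username = '' OR '1'='1' AND password = '' OR '1'='1'
// whose last OR branch is always true, so every row is returned.
const PAYLOAD = "' OR '1'='1";
console.log(runQuery(buildQueryUnsafe(PAYLOAD, PAYLOAD)).length); // 2 rows
console.log(loginSafe(PAYLOAD, PAYLOAD).length);                  // 0 rows
```

Run it with `node` to see the concatenated query return both rows while the parameterized lookup returns none.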

2. Cross-Site Scripting (XSS)

Description: XSS occurs when untrusted input is written into a web page without encoding, so an attacker's script runs in other users' browsers with their session.

Exercise: Enter input that executes JavaScript.

Try: <script>alert('XSS')</script>

3. Broken Authentication

Description: Weak credential handling can allow account compromise.

Exercise: Notice how credentials are validated.

if (password === "admin123") grantAccess();

Hardcoded credentials are insecure: the password ships in the source for anyone who can read it and cannot be changed without a redeploy. Credentials should be stored as salted hashes and compared server-side, never embedded as literals.

4. Insecure Direct Object Reference (IDOR)

Description: IDOR occurs when the server uses a client-supplied object ID (such as a user ID in the URL) to fetch a record without checking that the requester is authorized to access it.

Exercise: Change the user ID in the URL simulation and observe whether another user's data is returned.

5. Security Misconfiguration

Description: Leaving debug features enabled in production exposes stack traces, file paths and configuration details to anyone who triggers an error.

DEBUG = true
stackTrace = visible

6. Sensitive Data Exposure

Description: Data transmitted without encryption (plain HTTP instead of HTTPS) can be read or modified by anyone on the network path. Notice that the login request below carries the credentials in clear text:

POST /login
username=admin&password=admin123

7. Cross-Site Request Forgery (CSRF)

Description: CSRF tricks a logged-in user's browser into sending a request the user did not intend; because the browser attaches the session cookie automatically, the server cannot distinguish it from a legitimate request.

Why is this dangerous?

<img src="https://bank/transfer?amount=1000">

8. Secure Coding Fixes