Name: Jerome Arsany Mansour Farah

Course: Secure Software Development
This project is part of Lab 1 in the Secure Software Development course.
It demonstrates the identification and remediation of a SQL Injection vulnerability in a Node.js + Express application using secure coding principles.
The lab involved:

- Implementing input validation and sanitization
- Replacing unsafe SQL concatenation with parameterized queries
- Hashing passwords using `bcrypt` for secure storage
- Comparing plaintext vs secure login endpoints
- Verifying fixes through automated demo scripts and database inspection
| Category | Tools / Packages |
|---|---|
| Backend | Node.js, Express |
| Database | SQLite3 |
| Security | bcrypt, express-validator |
| Testing / Demo | Axios, curl |
| Language | JavaScript (ES6) |

| File / Folder | Purpose |
|---|---|
| server.js | Main Express server; includes vulnerable and secure login routes |
| init-db.js | Creates users.db, hashes passwords using bcrypt, and inserts sample users |
| show-users.js | Displays users in the database to verify password hashing |
| demo-client.js | Automated script sending login requests to test SQL injection resilience |
| APPENDIX.md | Collected outputs from demo-client.js and show-users.js |
| TESTS.md | Manual test cases and curl commands |
| users.db | SQLite database (auto-generated) |
| package.json | Dependency configuration |
| .gitignore | Ignores node_modules folder |
| README.md | Documentation (this file) |
Before:

```javascript
const sql = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
```