A Full-Stack web application built to demonstrate real-world web vulnerabilities and their professional mitigations. This project goes beyond standard development by implementing strict security layers based on OWASP guidelines.
To prove the effectiveness of the security measures, this project includes a unique "Hacker's Playground": an intentionally vulnerable version of the server that can be actively exploited, contrasted with the fully secured production server.
(Note: This repository contains the Backend Node.js/Express server. The React Client can be found here)
- Authentication & Brute Force Protection: Passwords are hashed and salted using Bcrypt (preventing Rainbow Table attacks). Repeated failed login attempts trigger an automatic account lockout mechanism.
- SQL Injection (SQLi) Prevention: Transitioned from insecure string concatenation to strict Prepared Statements (Parameterized Queries) using `?` placeholders, entirely separating executable logic from user input.
- Session & XSS Security: JSON Web Tokens (JWT) are not stored in easily accessible local storage. Instead, they are wrapped in httpOnly Cookies, making them invisible to malicious JavaScript (XSS) attempting to steal user sessions.
- CORS & Access Control: Implemented strict Cross-Origin Resource Sharing rules and dynamic port validation.
The project includes a VulnerableServer.js file. This was built specifically to test exploits like:
- Bypassing login screens using classic SQL injection (`' OR '1'='1`).
- Extracting the entire database user list via unvalidated input fields.
- The Secure Server blocks all of these identical attacks.
- Backend: Node.js, Express.js
- Database: MySQL
- Security & Auth: JWT, Bcrypt, httpOnly Cookies
- Frontend: React, Vite, Material UI
- Clone the repository.
- Run `npm install` to install dependencies.
- To run the Secure Server: `node app`
- To run the Vulnerable Server (for testing): `npm run start-vulnerable` (check your package.json scripts).