Intentionally vulnerable website that demonstrates beginner-level injection vulnerabilities
JavaScript HTML Shell CSS
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

Let's Talk!

badge GitHub license

Let's Talk! is a quick n' dirty web app that demonstrates simple SQL and JavaScript vulnerabilities. Screenshot of the website

Web Stack

Layer Solution
server node.js + express
database Docker + MySQL
front-end materialize-css + jQuery


Install docker (v17.04.0+) and a recent version of docker-compose (v1.12.0+, the one in Ubuntu artful will not work). On Windows, simply install Docker Toolbox. This is convenient, because Toolbox will install everything you need: the Docker engine, docker-compose, git, and the MINGW shell.

First, clone this repository.

git clone && cd lets-talk

The wrapper script makes it easier to launch this application. It should be cross-compatible with all UNIX environments, such as MacOS, Linux, and fake Windows shells like GIT shell (MinGW).

chmod +x           # executable permission
./ -h               # show usage flags
./                  # connect to host port 8080
sudo PORT=80 ./     # OR connect to host port 80

If you've DOSed the site with XSS, you can reset the database by deleting the letstalk_database docker volume. This is facilitated with the script: ./ -d.

Screenshot of the server output

mysql:latest error

If you are getting mbind: Operation not permitted, edit the compose files to use mysql:5.7 instead.


(that I know of)

Reports are found as multi-line comments in server.js.

awk '/- HACK/,/\*\//{printf("%-4s%s\n", NR":", $0)}' server/server.js | less -p '^.*HACK.*$'

More examples at

Related Wikipedia articles

Too easy?

old man yells at cloud