Matte23/scolapasta
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(xss): Add stored xss

Browse Source
This commit is contained in:
Matteo Schiff
2025-05-07 16:53:48 +02:00
parent f29d3627e9
commit 98fdc290f4
4 changed files with 110 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
backend/index.js
View File

@@ -55,4 +55,32 @@ app.post('/api/ping', (req, res) => {
}); });
}); });
// Endpoint to add a new post
app.post('/api/posts', (req, res) => {
const { post } = req.body;
if (!post || post.trim() === '') {
return res.status(400).json({ message: 'Post content cannot be empty' });
}
const query = 'INSERT INTO posts (content) VALUES (?)';
db.query(query, [post], (err, results) => {
if (err) {
return res.status(500).json({ message: 'Error adding post', error: err });
}
res.json({ message: 'Post added successfully', postId: results.insertId });
});
});
// Endpoint to get all posts
app.get('/api/posts', (req, res) => {
const query = 'SELECT * FROM posts';
db.query(query, (err, results) => {
if (err) {
return res.status(500).json({ message: 'Error fetching posts', error: err });
}
res.json({ posts: results });
});
});
app.listen(5000, () => console.log('Backend running on port 5000')); app.listen(5000, () => console.log('Backend running on port 5000'));

5
db/init.sql
View File

@@ -4,5 +4,10 @@ CREATE TABLE users (
password VARCHAR(255) password VARCHAR(255)
); );
CREATE TABLE posts (
id INT AUTO_INCREMENT PRIMARY KEY,
content TEXT NOT NULL
);
INSERT INTO users (username, password) VALUES ('admin', 'admin123'); INSERT INTO users (username, password) VALUES ('admin', 'admin123');
INSERT INTO users (username, password) VALUES ('user', 'password'); INSERT INTO users (username, password) VALUES ('user', 'password');

3
frontend/src/App.jsx
View File

@@ -2,6 +2,7 @@ import { BrowserRouter as Router, Route, Routes, Link } from 'react-router-dom';
import SQLInjection from './pages/SQLInjection'; import SQLInjection from './pages/SQLInjection';
import { Navbar, Nav, Container } from 'react-bootstrap'; import { Navbar, Nav, Container } from 'react-bootstrap';
import CommandInjection from './pages/CommandInjection'; import CommandInjection from './pages/CommandInjection';
import XSS from './pages/XSS';
function App() { function App() {
return ( return (
@@ -14,6 +15,7 @@ function App() {
<Nav className="me-auto"> <Nav className="me-auto">
<Nav.Link as={Link} to="/sqli">SQL Injection</Nav.Link> <Nav.Link as={Link} to="/sqli">SQL Injection</Nav.Link>
<Nav.Link as={Link} to="/cmdi">Command Injection</Nav.Link> <Nav.Link as={Link} to="/cmdi">Command Injection</Nav.Link>
<Nav.Link as={Link} to="/xss">XSS</Nav.Link>
</Nav> </Nav>
</Navbar.Collapse> </Navbar.Collapse>
</Container> </Container>
@@ -22,6 +24,7 @@ function App() {
<Routes> <Routes>
<Route path="/sqli" element={<SQLInjection />} /> <Route path="/sqli" element={<SQLInjection />} />
<Route path="/cmdi" element={<CommandInjection />} /> <Route path="/cmdi" element={<CommandInjection />} />
<Route path="/xss" element={<XSS />} />
</Routes> </Routes>
</div> </div>
</Router> </Router>

74
frontend/src/pages/XSS.jsx Normal file
View File

@@ -0,0 +1,74 @@
import React, { useState } from "react";
import { Card, Container, Form, Button, Alert, ListGroup } from "react-bootstrap";
export default function XSS() {
const [posts, setPosts] = useState([]);
const [newPost, setNewPost] = useState("");
const [searchQuery, setSearchQuery] = useState("");
const handleAddPost = () => {
if (newPost.trim()) {
setPosts([...posts, newPost]);
setNewPost("");
}
};
const filteredPosts = posts.filter((post) =>
post.toLowerCase().includes(searchQuery.toLowerCase())
);
return (
<Container className="mt-5">
<Card className="shadow">
<Card.Body>
<Card.Title className="text-center">Posts</Card.Title>
{/* List of Posts */}
<h5>Posts</h5>
<ListGroup className="mb-3">
{filteredPosts.length > 0 ? (
filteredPosts.map((post, index) => (
<ListGroup.Item key={index}>
{/* Rendering posts directly (stored XSS vulnerability) */}
<span dangerouslySetInnerHTML={{ __html: post }} />
</ListGroup.Item>
))
) : (
<ListGroup.Item>No posts available</ListGroup.Item>
)}
</ListGroup>
{/* Add New Post */}
<Form>
<Form.Group className="mb-3" controlId="formNewPost">
<Form.Control
type="text"
placeholder="Enter new post"
value={newPost}
onChange={(e) => setNewPost(e.target.value)}
/>
</Form.Group>
<div className="d-grid">
<Button variant="primary" onClick={handleAddPost}>
Add Post
</Button>
</div>
</Form>
{/* Search Functionality */}
<h5 className="mt-4">Search</h5>
<Form>
<Form.Group className="mb-3" controlId="formSearchQuery">
<Form.Control
type="text"
placeholder="Enter search query"
value={searchQuery}
onChange={(e) => setSearchQuery(e.target.value)}
/>
</Form.Group>
</Form>
</Card.Body>
</Card>
</Container>
);
}