A deliberately vulnerable web application designed to demonstrate SQL injection vulnerabilities for educational purposes.

DWSecurity-SQLi-Lab is a lightweight web app built for a university project to demonstrate SQL injection vulnerabilities. Unlike most existing tools, which require complex setups with external databases, multiple dependencies, or Docker, this app uses only Node.js and an embedded SQLite database, so it can be up and running in under a minute.

It features a simple blog system with user authentication, post creation and search functionality, all of which are vulnerable to SQL injection, and it shows the vulnerable code and secure alternatives side by side.
- Intentionally vulnerable login system
- Blog and vulnerable post creation
- Search functionality vulnerable to SQL injection
- SQLite database (pre-configured)
- JWT authentication with HTTP-only cookies
Requirements:

- Node.js v22.14.0

Installation:

1. Clone the repository:
   `git clone https://github.com/mehdi-zerouak/DWSecurity-SQLi-Lab.git`
   `cd DWSecurity-SQLi-Lab`
2. Install dependencies:
   `npm install`
3. Start the application:
   `node server.js`
4. Access the application at:
   `http://localhost:3000`

Default credentials:

- Username: `admin`
- Password: `admin`
If you need to reset the database to its default state, simply:

- Open `server.js`
- Uncomment the `seedDatabase()` function call at the beginning
- Run the server once to rebuild the database
- Comment out the line again to prevent recreating the database on future starts (if you don't want the data to be reset each time)
├── server.js # Main application file with routes and controllers
├── database.js # Database configuration and setup
├── database.db # SQLite database file
├── views/ # HTML templates
│ ├── login.html # Login page
│ └── blog.ejs # Blog page
├── LICENSE # License file
└── package.json # Node project configuration
This app prints the raw SQL query being executed to the terminal whenever a login or search is attempted. This helps demonstrate how user input changes the structure of the query and makes debugging and learning easier.

This application intentionally demonstrates insecure coding practices:

- Direct inclusion of user input in SQL queries
- Lack of input sanitization

The code includes commented-out examples of secure alternatives (parameterized queries) for educational comparison, but these alternative implementations are not tested and may require adjustments to work properly.
- Authentication bypass: try `' OR '1'='1` in the password field
- UNION attacks: use the search function with `' UNION SELECT users.id, 'leaked', username, password FROM users --`
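The following is an added, self-contained example (not code from the lab itself) that reproduces what the README describes: a login and a search built by string concatenation, each echoing its raw SQL to the terminal the way the app does, beside the parameterized alternative the code comments suggest. It is written in Python with the standard `sqlite3` module rather than the lab's Node.js so it runs with no dependencies; the in-memory schema, the seeded `admin`/`admin` row, the sample post and the function names are assumptions made for the demonstration. Feeding it the two payloads from the list above shows that the concatenated queries are altered while the parameterized ones treat the same input as a plain string.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lab's database.db: a users table seeded
    # with the README's default admin/admin account and one blog post.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'admin');
        INSERT INTO posts (title, body, author) VALUES ('Hello', 'First post', 'admin');
        """
    )
    return conn


def vulnerable_login(conn, username, password):
    # Deliberately insecure, as in the lab: user input is pasted into the
    # SQL text, so a quote in the password field rewrites the WHERE clause.
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    print("[vulnerable login]", sql)  # echo the query like the lab does
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    # Parameterized alternative: the driver binds values separately from
    # the statement, so the input can never change the query structure.
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    print("[safe login]", sql, (username, password))
    return conn.execute(sql, (username, password)).fetchone()


def vulnerable_search(conn, term):
    # Deliberately insecure search: a closing quote plus UNION lets the
    # caller append a second SELECT that reads from a different table.
    sql = f"SELECT id, title, body, author FROM posts WHERE title LIKE '%{term}%'"
    print("[vulnerable search]", sql)
    return conn.execute(sql).fetchall()


def safe_search(conn, term):
    # Bind the whole LIKE pattern as one parameter; the payload becomes a
    # literal substring to look for and simply matches nothing.
    sql = "SELECT id, title, body, author FROM posts WHERE title LIKE ?"
    print("[safe search]", sql, (f"%{term}%",))
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    union = "' UNION SELECT users.id, 'leaked', username, password FROM users --"
    print("vulnerable login ->", vulnerable_login(db, "nobody", bypass))
    print("safe login       ->", safe_login(db, "nobody", bypass))
    print("vulnerable search->", vulnerable_search(db, union))
    print("safe search      ->", safe_search(db, union))
```

Running it prints each query as the lab would: the vulnerable login returns the admin row for a user that does not exist, the vulnerable search returns an extra row containing the credentials from `users`, and the two parameterized versions return nothing for the same input.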
This is free and unencumbered software released into the public domain.
Anyone is free to copy, modify, publish, use, compile, sell, or distribute this software, either in source code form or as a compiled binary, for any purpose, commercial or non-commercial, and by any means.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
The author's knowledge of security practices is limited. While comments in the code suggest secure alternatives, they are not guaranteed to be complete or error-free. This project should be viewed as a learning tool, not as a reference for production security practices.