Share
## https://sploitus.com/exploit?id=FDA11F73-F96C-54AC-A13E-1645F1AFE068
# ๐ Secure Auth API โ Built โ Broken โ Fixed
A hands-on security-focused Express.js API demonstrating real-world authentication and authorization vulnerabilities intentionally introduced, exploited, and then properly fixed.
This project was built to showcase practical backend security skills including JWT handling, access control, SQL injection prevention, rate limiting, and secure authorization design.
---
# ๐ Project Overview
This API supports:
- User registration and login
- JWT-based authentication
- Protected routes
- Notes CRUD operations
- Admin-only endpoint
It includes **five intentionally introduced vulnerabilities**, each documented with:
- Root cause
- Exploitation steps
- Security impact
- Proper fix implementation
---
# ๐ Architecture
```
secure-auth-api/
โโโ src/
โ โโโ app.js
โ โโโ db.js
โ โโโ config.js
โ โโโ auth/
โ โ โโโ jwt.js
โ โ โโโ middleware.js
โ โโโ routes/
โ โ โโโ auth.routes.js
โ โ โโโ users.routes.js
โ โ โโโ notes.routes.js
โ โโโ util/
โ โโโ logger.js
โ โโโ rateLimit.js
โ
โโโ attacks/
โ โโโ 01-idor.md
โ โโโ 02-sqli.md
โ โโโ 03-weak-jwt.md
โ โโโ 04-missing-rate-limit.md
โ โโโ 05-authz-bypass.md
โ
โโโ fixes/
โ โโโ 01-idor.md
โ โโโ 02-sqli.md
โ โโโ 03-weak-jwt.md
โ โโโ 04-rate-limit.md
โ โโโ 05-authz.md
โ
โโโ docker-compose.yml
โโโ README.md
```
---
# ๐งฑ Technology Stack
- Node.js
- Express.js
- PostgreSQL
- JWT (JSON Web Tokens)
- Docker
- PowerShell test scripts
---
# โถ๏ธ How to Run
### 1๏ธโฃ Clone Repository
```
git clone
cd secure-auth-api
```
### 2๏ธโฃ Configure Environment
Create `.env`:
```
JWT_SECRET=
JWT_EXPIRES_IN=15m
```
### 3๏ธโฃ Start with Docker
```
docker compose down -v
docker compose up --build
```
API runs at:
```
[http://localhost:3000](http://localhost:3000)
```
Login:
```
$respA = Invoke-RestMethod -Method Post -Uri "http://localhost:3000/auth/login" `
-ContentType "application/json" `
-Body (@{ email="a@example.com"; password="Passw0rd!" } | ConvertTo-Json)
$TOKEN_A = $respA.token
```
Health check:
```
GET /health
curl http://localhost:3000/health
```
---
# ๐ Authentication Flow
1. `POST /auth/register`
2. `POST /auth/login`
3. Receive JWT
4. Use JWT in:
```
Authorization: Bearer
```
Protected routes:
- `GET /me`
- `GET /notes`
- `POST /notes`
- `GET /notes/:id`
- `DELETE /notes/:id`
- `GET /admin/stats`
---
# ๐ฏ Vulnerabilities Demonstrated
## 1๏ธโฃ IDOR (Insecure Direct Object Reference)
- Accessing notes by ID without verifying ownership
- Fixed by enforcing owner validation in SQL query
---
## 2๏ธโฃ SQL Injection
- String concatenation in search query
- Exploitable via `OR 1=1`
- Fixed using parameterized queries
---
## 3๏ธโฃ Weak JWT Secret
- Hardcoded weak secret (`secret`)
- Tokens could be forged
- Fixed by enforcing strong environment-based secret
---
## 4๏ธโฃ Missing Rate Limiting
- Unlimited login attempts
- Enabled brute-force attacks
- Fixed with request throttling middleware
---
## 5๏ธโฃ Authorization Bypass (Privilege Escalation)
- Trusted `role` inside JWT
- Allowed forged admin tokens
- Fixed by verifying role from database
---
# ๐ก Security Principles Applied
- Proper JWT verification
- Strong secret management
- Parameterized SQL queries
- Rate limiting
- Server-side authorization enforcement
- Least privilege
- Defense in depth
- Do not trust client claims
---
# ๐งช Testing Attacks
Each vulnerability includes:
- Step-by-step reproduction
- Exploit commands
- Expected vulnerable behavior
- Post-fix validation
See:
```
/attacks
/fixes
```
---
# ๐ Threat Model (Simplified)
Assumed attacker capabilities:
- Authenticated user
- Ability to modify JWT payload
- Ability to send crafted HTTP requests
- No direct database access
Goals:
- Access other users' data
- Escalate privileges
- Extract unintended records
- Brute-force login
Mitigations implemented accordingly.
---
# ๐ What This Project Demonstrates
- Practical backend security awareness
- Ability to intentionally create and analyze vulnerabilities
- Understanding of OWASP Top 10
- Secure coding practices
- Strong debugging and verification methodology
- Clear documentation skills
---
# ๐ท OWASP Coverage
- A01 โ Broken Access Control
- A03 โ Injection
- A07 โ Identification & Authentication Failures
---
# ๐จโ๐ป Author
Security-focused backend project built to demonstrate real-world vulnerability identification, exploitation, and remediation using modern Node.js architecture.
---
# ๐ Final Note
This project is intentionally educational.
It shows not only how vulnerabilities happen but how to fix them correctly.
Security is not about writing code.
It is about enforcing trust boundaries.