
    Earn 7,650 ($76.50)

    Time Remaining: due 2 years ago
    Canceled

    Build a simple SQL Injection Simulation and Defense App using Scala

    AbhayBhargav1
    Posted 2 years ago

    Bounty Description

    Project Overview:

    Develop a web application in Scala using the Play Framework (with Slick for database access) that simulates and defends against SQL injection attacks. The application will serve as a platform both for testing SQL injection vulnerabilities and for showing how to protect against them.

    Project Objectives:

    SQL Injection Attack Simulation:

    • Create a module for emulating SQL injection attacks on a basic music retrieval application and its associated database.
    • Implement various types of SQL injection attacks (e.g., classic SQL injection, blind SQL injection with conditional errors / conditional responses, UNION-based attack) to test the application's vulnerability.
    • Populate the database with approximately 30 song records.

    Defense Mechanisms:

    • Implement security measures to defend against SQL injection attacks.
    • Utilize prepared statements, parameterized queries, and input validation to prevent SQL injection vulnerabilities.
    • Implement web application firewall rules to detect and block malicious SQL injection attempts.

    User Interface (UI):

    Create an intuitive user interface for users to interact with the application in real-time. Use separate URLs for secure and insecure variants. The UI should include the following elements:

    • A search box for entering a song name, which (in the insecure variant) is vulnerable to SQL injection.
    • An area to display the results of the SQL queries.
    • The results area must show the song name, release year, artist's name, and duration, for example:

    Sl No | Song Name | Release Year | Artist's Name | Duration
    1     | FliesFire | 2003         | CityOwl       | 169

    Real-Time Scenario:

    • Create a real-time scenario where users can interact with the application.
    • Users should be able to input SQL queries through the UI and observe the application’s response.
    • Create a music search application that constructs SQL queries from a user-supplied input string.
    • An attacker can enter crafted statements into the search form to access the database directly.
    • An attacker can tamper with the URL to inject malicious SQL code in real time.
    • Make the results of crafted queries visible through the same UI elements as a regular song query. For example, if the following input is passed to the search:

    fakesongname' UNION ALL SELECT null,@@GLOBAL.default_authentication_plugin,null,null,null'

    then the UI must display the following:

    Sl No | Song Name             | Release Year | Artist's Name | Duration
    1     | mysql_native_password | null         | null          | null
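    The two search variants the bounty asks for (an insecure one on the insecure URL, a secure one on the secure URL), written as an added example against Slick's SQL interpolator; this is not code from the bounty or any submission, and it assumes a MySQL `songs` table with columns `song_name`, `release_year`, `artist_name`, `duration` and an already configured `Database`.

```scala
// Added example: insecure vs. secure song search with Slick (assumed schema: songs(song_name,
// release_year, artist_name, duration) on MySQL; `db` is an already configured Database).
import slick.jdbc.MySQLProfile.api._
import scala.concurrent.Future

object SongSearch {
  type Row = (String, Int, String, Int) // song_name, release_year, artist_name, duration

  // INSECURE variant: `#$` splices the raw string into the SQL text. A single quote in
  // `name` closes the literal and the remainder of the input is executed as SQL, which is
  // exactly what the simulation module needs to demonstrate (UNION, blind, etc.).
  def searchInsecure(db: Database, name: String): Future[Seq[Row]] =
    db.run(
      sql"""SELECT song_name, release_year, artist_name, duration
            FROM songs WHERE song_name = '#$name'""".as[Row]
    )

  // SECURE variant: `$` creates a bind parameter, so Slick issues a prepared statement and
  // sends the value separately from the statement text. The input can only ever be
  // compared as data; it cannot change the structure of the query.
  def searchSecure(db: Database, name: String): Future[Seq[Row]] =
    db.run(
      sql"""SELECT song_name, release_year, artist_name, duration
            FROM songs WHERE song_name = $name""".as[Row]
    )

  // Defense-in-depth input validation (assumed policy): accept only characters that can
  // plausibly occur in a song title and cap the length. Apostrophes stay allowed because
  // the secure variant does not rely on this filter; it exists to reject obvious junk early
  // and is the kind of rule a simple WAF layer in front of the app would enforce.
  private val SongNamePattern = java.util.regex.Pattern.compile("^[\\p{L}\\p{N} .,'&()-]{1,100}$")
  def isValidSongName(s: String): Boolean = SongNamePattern.matcher(s).matches()
}
```

    Routing the insecure URL to `searchInsecure` and the secure URL to `searchSecure` gives the side-by-side behaviour the UI section describes, with the same result table rendering both.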

    Docker Containerization:

    • Dockerize the entire application, including all dependencies and configurations, into a Docker container.
    • Provide Dockerfile(s) and docker-compose.yml (if applicable) for building the Docker image.
    • Ensure the application can be easily deployed and run in any environment using Docker containers.

    Deliverables

    Source Code:

    • Clean, well-documented, and organized Scala and Play Framework source code implementing SQL Injection simulation and prevention mechanisms.
    • A relational database system (e.g., PostgreSQL or MySQL).
    • Appropriate front-end files (e.g., HTML, JavaScript, and CSS) for building the user interface.

    Docker Containerization:

    • Dockerfile(s) and docker-compose.yml (if applicable) for building the Docker image.
    • Instructions for building the Docker image:
    docker build -t scala-sqli-app .
    • Instructions for running the Docker container:
    docker run -p 8080:8080 scala-sqli-app

    Documentation:

    • Detailed technical documentation explaining the implemented SQL Injection simulation and prevention strategies.
    • User guide describing how to interact with the UI and understand the application responses.
    • Clear instructions for Docker build and run steps.
    • List of payloads that can retrieve a variety of privileged information

    Evaluation Criteria:

    • Successful implementation of SQL Injection simulation and prevention mechanisms.
    • User interface design and interactivity.
    • Quality of documentation and clarity of Docker build and run instructions.
    • Usage of the specified tech stack (Scala and a SQL database).

    Additional Notes:

    • Contractors are encouraged to collaborate and communicate regularly with the project manager to ensure alignment with project goals.
    • Regular progress updates and demonstrations of the application’s functionality are expected.