Practice & Assessment
Test your understanding of Injection Attacks: SQL, Command, and LDAP
Multiple Choice Questions
Which of the following correctly uses a parameterized query with the `pg` PostgreSQL driver in Node.js?
An attacker submits `{ "password": { "$gt": "" } }` as a JSON body to your login endpoint. What does this exploit?
Why is `child_process.execFile('convert', [userFile, 'out.png'])` safer than `child_process.exec('convert ' + userFile + ' out.png')`?
You check for path traversal by doing: `if (filename.includes('../')) { return res.status(400); }`. An attacker sends `%2e%2e%2fpasswd`. Does your check stop the attack?
A user profile page renders a bio with: `<div>{user.bio}</div>` in React JSX. Is this vulnerable to XSS?
Which validation strategy is more secure: blocking known bad characters (denylist) or allowing only expected characters (allowlist)?
Coding Challenges
Fix Four Injection Vulnerabilities in a User Management API
You are given an Express + MySQL2 API in `vulnerable-api.js` with four endpoints, each containing one injection flaw: (1) GET /users?name= — SQL injection via string concatenation; (2) POST /exec — OS command injection via exec(); (3) GET /files?name= — path traversal; (4) POST /mongo-login — NoSQL injection via unsanitized body. For each endpoint, rewrite it to be secure using parameterized queries, execFile with allowlisting, path.resolve validation, and express-mongo-sanitize respectively. Include a comment above each fix explaining what the original vulnerability was and why your fix works. Time estimate: 25–30 minutes.
Mini Project
Secure File Upload and Processing Service
Build a Node.js/Express service that accepts file uploads and processes them safely. Requirements: (1) Accept only PDF and image files — validate MIME type using the `file-type` library (not just the extension) and reject others with 400. (2) Store uploads in `./uploads/` with a UUID filename (never the original user filename). (3) Accept an optional `action` query param with allowed values: `resize` for images (use sharp, not ImageMagick via shell) and `count-pages` for PDFs (use pdf-parse, not shell). Reject any other action value. (4) Serve processed files via GET /file/:id where :id is the UUID. Use path.resolve and a startsWith check to prevent traversal. (5) Write a test script that attempts a path traversal on the GET endpoint and verifies it receives a 403.
