QA Security Training Simulator

Compare "Vulnerable Code" (Bug) vs "Secure Code" (Not Bug)

Current Application Mode: VULNERABLE (Has Bugs)
1. Data Exposure
2. IDOR (Insecure Direct Object Reference)
3. XSS (Cross-Site Scripting)
4. SQL Injection

Scenario B: Sensitive Data Exposure

Test: Login and inspect the Network Response (F12) or the box below.
🔴 Vulnerable: Returns SSN & Passwords (hidden in JSON).
🟢 Secure: Returns only Username & Role (Clean JSON).

API Response Preview:

Scenario A: Broken Access Control (IDOR)

Test: You are logged in as ID 101. Change URL to ID 102.
🔴 Vulnerable: Displays User 102's private data.
🟢 Secure: Shows "403 Forbidden" Access Denied.
User Profile

Name: Alice (User 101)

Email: alice@company.com

Private Note: "I love my cat."

Scenario C: Stored XSS

Test: Enter payload: <img src=x onerror=alert('HACKED')>
🔴 Vulnerable: Browser Alert Box pops up (Code executed).
🟢 Secure: The text is displayed literally (Code sanitized).

Comments Feed:

System: Welcome to the blog!

Scenario D: SQL Injection (Login Bypass)

Context: A login form vulnerable to SQL Injection.
Backend Logic (Hidden): SELECT * FROM users WHERE username = '[USER]' AND password = '[PASS]'
Test: Try to login as admin without knowing the password.
Attack Payload: User: admin' -- (Bypass password check)

🔴 Vulnerable: Logs you in as Admin!
🟢 Secure: "Invalid Credentials" (treated as username "admin' --").
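The two modes of the login backend above, as an added example that is not the simulator's own code: the page's query is run against a constructed in-memory SQLite table, once built by string concatenation (Vulnerable) and once with bound parameters (Secure). The names make_db, vulnerable_login, secure_login and demo are assumed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the simulator's users table (in-memory SQLite).
    Plaintext passwords mirror the page's query only; real systems store hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'admin')")
    db.execute("INSERT INTO users VALUES ('alice', 'hunter2', 'user')")
    return db


def vulnerable_login(db, user, pw):
    """Vulnerable mode: the page's query assembled by string concatenation,
    so a quote in the input ends the literal and '--' comments out the rest."""
    query = f"SELECT role FROM users WHERE username = '{user}' AND password = '{pw}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None  # role on success, None for "Invalid Credentials"


def secure_login(db, user, pw):
    """Secure mode: parameterized query; the driver binds the input as data,
    so "admin' --" is looked up literally as a username and never parsed as SQL."""
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?", (user, pw)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the page's Attack Payload (with a wrong password) through both modes."""
    db = make_db()
    payload = "admin' --"
    return {
        "vulnerable": vulnerable_login(db, payload, "wrong"),   # 'admin': bypassed
        "secure": secure_login(db, payload, "wrong"),           # None: rejected
        "secure_valid": secure_login(db, "admin", "S3cret!"),   # 'admin': real login
    }


if __name__ == "__main__":
    for mode, role in demo().items():
        print(f"{mode}: {'Logged in as ' + role if role else 'Invalid Credentials'}")
```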
