SSD Project — Securing the App

👥 Team Members

Fonseka S.A.N.P (IT22192400) — Implemented Google OAuth (SSO) & fixed Denial of Service (ReDoS)
Tiny H.D.K (IT22060976) — Fixed Sensitive Data Exposure & implemented Rate Limiting
Perera R.L.S.B (IT22256164) — Fixed CSRF vulnerabilities & removed Hardcoded URLs
Rangika G.K.H (IT22178336) — Fixed SQL Injection & performed Dependency Updates

📂 Original Project

Source (pre-fixes): 🔗 Original GitHub Repository

Note: The original repository commit history predates the semester start date (as required in the assignment brief).

🔐 Secured Project (After Fixes)

Modified Project (with fixes): 🔗 Secured GitHub Repository
Key Branches:
- main → Stable branch (final secured version)
- nuwani-oauth → OAuth + DoS (ReDoS) work branch
- tiny-rate-limit → Sensitive Data Exposure + Rate Limiting
- hasindu-sql → SQL Injection + Dependency updates
- sadeesha-csrf → CSRF + Hardcoded URL fixes

▶️ Demo Video

📽️ YouTube Walkthrough of Vulnerabilities, Fixes & OAuth Implementation

Duration: ≤ 10 minutes
Each member explains their 2 vulnerabilities (or OAuth work)
Shows both before & after fixes with code + tool screenshots

🔎 Identified Vulnerabilities

Across the application, we identified 12 major vulnerabilities using SonarQube and GitHub Security:

Lack of OAuth (implemented via Google)
Regex Injection → DoS (ReDoS)
SQL Injection
Missing Rate Limiting
CSRF (Cross-Site Request Forgery)
Stack Trace Exposure
Double Escaping
Weak Authentication Implementation
Outdated Dependencies
Denial of Service (DoS via resource exhaustion)
Sensitive Data Exposure
Hardcoded URLs

Each of these was fixed or mitigated with secure coding practices, validated through SonarQube Quality Gates, Postman tests, and GitHub’s dependency scans.

🚀 How to Run the Secured App

# Clone repository
git clone <INSERT MODIFIED REPO LINK>
cd mainapp/backend

# Setup environment variables
cp .env
# Required fields in .env:
# PORT=5003
# MONGO_URI=mongodb+srv://<...>
# SESSION_SECRET=<your-secret>
# FRONTEND_URL=http://localhost:3003
# GOOGLE_CLIENT_ID=<your-client-id>
# GOOGLE_CLIENT_SECRET=<your-client-secret>
# GOOGLE_CALLBACK_URL=http://localhost:5003/auth/google/callback

# Install dependencies
npm install

# Start frontend & backend
npm start

## How to run
```bash
cd mainapp/backend
cp .env
# .env requires:
# PORT=5003
# MONGO_URI=mongodb+srv://<...>

Name		Name	Last commit message	Last commit date
Latest commit History 76 Commits
.github/workflows		.github/workflows
budgetapp		budgetapp
developers		developers
eventapp		eventapp
feedbackapp		feedbackapp
guestapp		guestapp
mainapp		mainapp
middleware		middleware
packageapp		packageapp
taskapp		taskapp
vendorapp		vendorapp
.gitignore		.gitignore
README.md		README.md
SECURITY_FIXES_REPORT.md		SECURITY_FIXES_REPORT.md
direct-nosql-injection-test.js		direct-nosql-injection-test.js
env.example		env.example
lerna.json		lerna.json
package-lock.json		package-lock.json
package.json		package.json
security-test.js		security-test.js

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

SSD Project — Securing the App

👥 Team Members

📂 Original Project

🔐 Secured Project (After Fixes)

▶️ Demo Video

🔎 Identified Vulnerabilities

🚀 How to Run the Secured App

About

Uh oh!

Releases

Packages

Contributors 5

Uh oh!

Languages

y4-systems/ssd-project

Folders and files

Latest commit

History

Repository files navigation

SSD Project — Securing the App

👥 Team Members

📂 Original Project

🔐 Secured Project (After Fixes)

▶️ Demo Video

🔎 Identified Vulnerabilities

🚀 How to Run the Secured App

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Contributors 5

Uh oh!

Languages

Packages