
Safety Note

  • These are safe educational simulations.
  • They do not attack real systems and are designed not to execute real payloads.
  • They are intended to teach secure thinking for frontend and full-stack developers.

XSS Demo

XSS & Unsafe HTML Rendering

Why rendering untrusted HTML is dangerous.

Shows how a frontend rendering choice can introduce script injection risk.

Unsafe rendering concept

v-html binding (simulated)


Safe escaped rendering

Standard interpolation

Takeaways:
  • Never trust user input.
  • Avoid rendering raw HTML from users.
  • Always escape output (default in Vue/React).
  • If HTML is required, sanitize it with trusted libraries and apply strict CSP.
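
As an added example, not code from the demo page itself, the two panels above in plain JavaScript: renderRaw stands in for the simulated v-html binding and renderEscaped for standard interpolation; the function names, the countTags helper and the sample comment are assumptions made for this illustration.

```javascript
// Added illustration, not the demo's own code: what "standard interpolation"
// does for you versus what a raw v-html binding skips.

// Escape the five characters that can change meaning in HTML text or in a
// double-quoted attribute value. Vue's {{ }} and React's JSX text do this
// by default, which is why interpolation is the safe rendering path.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Equivalent of v-html: the user string reaches the parser as markup,
// so any tags it contains become real elements.
function renderRaw(userInput) {
  return `<div class="comment">${userInput}</div>`;
}

// Equivalent of {{ userInput }}: the user string reaches the parser as text.
function renderEscaped(userInput) {
  return `<div class="comment">${escapeHtml(userInput)}</div>`;
}

// Rough tag counter used only to make the difference visible: anything
// beyond the two tags of our own template came from the user input.
function countTags(html) {
  return (html.match(/<[a-zA-Z!/][^>]*>/g) || []).length;
}

// Constructed sample input: a comment a user might submit.
const sample = '<b>Great post</b> & see "notes"';

// Raw rendering: 2 template tags + 2 tags supplied by the user = 4.
// Escaped rendering: only the 2 template tags; the user's markup is shown
// literally as text.
```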

Token Storage Demo

Browser Storage & Token Exposure

Why storing sensitive tokens in localStorage is risky.

Demonstrates how any script on the page can read localStorage — including injected ones.

Simulated localStorage state:

{ "auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.simulated_mock_token_ots5heyx" }

Takeaways:
  • localStorage is accessible to any JavaScript on the page.
  • If an XSS vulnerability exists, attackers can steal stored tokens.
  • Prefer httpOnly secure cookies for sensitive session identifiers.
  • Always reduce token lifetime and scope.

Phishing Awareness Demo

Phishing & Fake Login Recognition

Why visual familiarity is not proof of authenticity.

https://secuure-login-update.com/auth

Sign in to your account

Action Required: Verify within 24 hours

Verification Checklist

Before entering credentials, verify:

  • Check the domain: secuure-login-update.com is clearly suspicious.
  • Beware urgency: "Verify within 24 hours" is a classic social engineering tactic.
  • Check HTTPS: Present, but a secure connection to a fake site does not make it legitimate.
  • Use a password manager: It will refuse to autofill on an unrecognized domain.
Takeaways:

Phishing often relies on urgency and visual imitation. An interface that looks identical to a trusted service is trivial to create. UI familiarity is never proof of authenticity. Always verify the domain and trust your password manager's autofill signals.

SQL Injection Concept Demo

SQL Injection Concept

Why string-concatenated SQL is dangerous and parameterized queries are safer.

Unsafe string concatenation

SELECT * FROM users WHERE username = 'admin';

Safe parameterized query

SELECT * FROM users WHERE username = $1;

$1 = "admin"

Takeaways:
  • Never concatenate untrusted input into database queries.
  • Always use parameterized queries or trusted ORMs.
  • Validate and constrain input data types on the server side.