Educational code samples demonstrating MITRE ATT&CK techniques and defenses for a conference talk. These samples are designed for security training and awareness.
These samples demonstrate both vulnerable and defended code patterns for common attack techniques, following the MITRE ATT&CK framework.
ATT&CK Technique: T1190 - Exploit Public-Facing Application
Demonstrates:
- ❌ Vulnerable: String concatenation in SQL queries
- ✅ Defended: Parameterized queries and input validation
```bash
node sql-injection.js
# Starts a web server on port 3000 with vulnerable and secure endpoints
```

ATT&CK Technique: T1185 - Browser Session Hijacking
Demonstrates:
- ❌ Vulnerable: Basic sessions without security controls
- ✅ Defended: Session fingerprinting, rotation, hijack detection, concurrent session limits
```bash
node session-security.js
# Shows session hijacking detection and prevention
```

ATT&CK Technique: T1110.004 - Credential Stuffing
Demonstrates:
- Rate limiting per IP and account
- Distributed attack detection (many accounts from one IP)
- Bot detection via timing analysis
- Automated blocking
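A compact detector of the kind the list above describes, added here as an illustration and not the sample's own code: the class name mirrors the import snippet later in this README, but the implementation, threshold defaults and result shape are assumptions for this example.

```javascript
const WINDOW_MS = 60 * 1000; // sliding window for all counters

class CredentialStuffingDetector {
  // Thresholds are constructed defaults for this example, not the sample's own values.
  constructor({ ipLimit = 20, accountLimit = 5, distinctAccountLimit = 10, botJitterMs = 50 } = {}) {
    this.limits = { ipLimit, accountLimit, distinctAccountLimit, botJitterMs };
    this.byIp = new Map();      // ip -> [{ t, account }]
    this.byAccount = new Map(); // account -> [{ t }]
    this.blockedIps = new Set();
  }

  // Drop events that fell out of the sliding window.
  static prune(events, now) {
    return events.filter(e => e.t > now - WINDOW_MS);
  }

  checkLoginAttempt(ip, account, now = Date.now()) {
    if (this.blockedIps.has(ip)) return { allowed: false, reasons: ['ip_blocked'] };
    const reasons = [];
    const ipEvents = CredentialStuffingDetector.prune(this.byIp.get(ip) || [], now);
    ipEvents.push({ t: now, account });
    this.byIp.set(ip, ipEvents);
    const acctEvents = CredentialStuffingDetector.prune(this.byAccount.get(account) || [], now);
    acctEvents.push({ t: now });
    this.byAccount.set(account, acctEvents);

    // Rate limits per IP and per account.
    if (ipEvents.length > this.limits.ipLimit) reasons.push('ip_rate_limit');
    if (acctEvents.length > this.limits.accountLimit) reasons.push('account_rate_limit');
    // Distributed stuffing: one IP cycling through many distinct accounts.
    const distinct = new Set(ipEvents.map(e => e.account)).size;
    if (distinct > this.limits.distinctAccountLimit) reasons.push('many_accounts_from_ip');
    // Timing analysis: near-constant inter-arrival gaps look scripted; humans jitter.
    if (ipEvents.length >= 5) {
      const gaps = ipEvents.slice(1).map((e, i) => e.t - ipEvents[i].t);
      if (Math.max(...gaps) - Math.min(...gaps) < this.limits.botJitterMs) reasons.push('machine_timing');
    }
    // Automated blocking once an IP-level signal fires.
    if (reasons.includes('ip_rate_limit') || reasons.includes('many_accounts_from_ip')) this.blockedIps.add(ip);
    return { allowed: reasons.length === 0, reasons };
  }
}

if (typeof module !== 'undefined') module.exports = { CredentialStuffingDetector };
```

The `now` parameter exists so replayed or recorded login timestamps can be fed in deterministically; in a live server it defaults to the wall clock.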
```bash
node credential-stuffing-detection.js
# Simulates credential stuffing attacks and shows detection
```

ATT&CK Technique: T1195.001 - Compromise Software Dependencies
Demonstrates:
- Package-lock.json integrity verification
- Typosquatting detection (Levenshtein distance)
- Dangerous install script detection
- npm audit integration
- Dependency tree analysis
```bash
node supply-chain-verification.js
# Scans project for supply chain security issues
```

ATT&CK Techniques: T1567 - Exfiltration Over Web Service, T1020 - Automated Exfiltration
Demonstrates:
- Data volume tracking (per minute/hour/day)
- Bulk download detection
- Chunked exfiltration pattern detection
- Endpoint hopping detection
- Off-hours access monitoring
```bash
node data-exfiltration-detection.js
# Shows various data exfiltration patterns and detection
```

ATT&CK Technique: T1552 - Unsecured Credentials
Demonstrates:
- Scanning code for hardcoded secrets
- Pattern-based detection (API keys, tokens, passwords, connection strings)
- Entropy calculation for secret validation
- AWS, GitHub, Slack, Stripe, Google, and other service credentials
```bash
node secrets-detection.js
# Creates sample vulnerable file and scans for secrets
```

ATT&CK Technique: T1078 - Valid Accounts
Demonstrates:
- Behavioral authentication monitoring
- Impossible travel detection (geolocation anomalies)
- Device fingerprint tracking
- Risk-based authentication decisions
- Privilege escalation monitoring
- Anomalous resource access detection
```bash
node auth-monitoring.js
# Shows detection of valid account misuse through behavioral analysis
```

ATT&CK Technique: T1110.003 - Password Spraying
Demonstrates:
- Cross-account password pattern detection
- Distributed spray attack detection (multiple IPs)
- Slow-and-low spray detection
- Progressive delays and IP blocking
- IP reputation tracking
- Timing analysis for bot detection
```bash
node password-spray-detection.js
# Simulates password spray attacks and shows detection mechanisms
```

ATT&CK Technique: T1565 - Data Manipulation
Demonstrates:
- HMAC-based record integrity verification
- Tamper-evident audit trails
- Mass modification detection
- High-sensitivity field monitoring
- Modification velocity tracking
- Audit trail integrity verification
```bash
node data-integrity.js
# Shows data tampering detection and integrity verification
```

All samples include:
- ✅ Modern ES6+ JavaScript (const/let, arrow functions, template literals)
- ✅ Zero external dependencies (only Node.js built-in modules)
- ✅ JSDoc comments with ATT&CK technique IDs
- ✅ Educational structure (vulnerable vs defended sections)
- ✅ Example usage with demonstrations
- ✅ Comprehensive logging for understanding attack patterns
- Node.js 14+ (no npm packages needed!)
```bash
# Navigate to the samples directory
cd samples/javascript
# Run any sample
node sql-injection.js
node session-security.js
node credential-stuffing-detection.js
node supply-chain-verification.js
node data-exfiltration-detection.js
node secrets-detection.js
```

```javascript
// Import and use in your own code
const { CredentialStuffingDetector } = require('./credential-stuffing-detection.js');
const { SecretsDetector } = require('./secrets-detection.js');
const { SupplyChainVerifier } = require('./supply-chain-verification.js');
const detector = new CredentialStuffingDetector();
const result = detector.checkLoginAttempt('192.168.1.1', 'user@example.com');
console.log(result);
```

- Input Validation: Always validate and sanitize user input
- Parameterized Queries: Never concatenate SQL queries
- Session Security: Implement fingerprinting, rotation, and hijack detection
- Rate Limiting: Protect against brute force and stuffing attacks
- Supply Chain Security: Verify dependencies and detect typosquatting
- Data Loss Prevention: Monitor and limit data transfers
- Secret Management: Never hardcode credentials
| Technique ID | Name | Sample File |
|---|---|---|
| T1190 | Exploit Public-Facing Application | sql-injection.js |
| T1185 | Browser Session Hijacking | session-security.js |
| T1110.004 | Credential Stuffing | credential-stuffing-detection.js |
| T1110.003 | Password Spraying | password-spray-detection.js |
| T1195.001 | Compromise Software Dependencies | supply-chain-verification.js |
| T1567 | Exfiltration Over Web Service | data-exfiltration-detection.js |
| T1020 | Automated Exfiltration | data-exfiltration-detection.js |
| T1552 | Unsecured Credentials | secrets-detection.js |
| T1078 | Valid Accounts | auth-monitoring.js |
| T1565 | Data Manipulation | data-integrity.js |
These samples are provided for educational purposes. Use responsibly and ethically.
Feel free to submit issues or pull requests to improve these educational samples!
Remember: Security is everyone's responsibility. Use these samples to learn, teach, and build more secure applications! 🛡️