⚠️ WARNING: This is an intentionally vulnerable demo project for teaching input validation and injection defense. DO NOT USE IN PRODUCTION.
PulseClinic.IntakeApi is a demo ASP.NET Core Web API (.NET 10) built for Udemy Section 8: "Input Validation & Injection Defense". This is the Start project that contains various security vulnerabilities for educational purposes.
This project demonstrates common security vulnerabilities:
- Missing input validation
- SQL injection attacks
- Cross-Site Scripting (XSS)
- Path traversal vulnerabilities
- Unrestricted file upload issues
- Regular Expression Denial of Service (ReDoS)
- Information disclosure through error messages
Each vulnerability is clearly marked with // VULNERABLE (Lecture XX) comments for easy reference during course recordings.
- .NET 10 SDK
- Any code editor (Visual Studio 2025, VS Code, JetBrains Rider)
```bash
# Clone or navigate to the repository
cd PulseClinic.IntakeApi

# Restore dependencies
dotnet restore

# Build the solution
dotnet build

# Run the API
dotnet run --project src/PulseClinic.Api

# Or run from the API directory
cd src/PulseClinic.Api
dotnet run
```

The API will start on:
- HTTP: http://localhost:5000
- HTTPS: https://localhost:5001
Open your browser to: https://localhost:5001/swagger
- Type: SQLite
- Location: ./src/PulseClinic.Api/app_data/pulseclinic.db
- Migrations: Auto-applied on startup
- Seed Data: Automatically populated with sample records
```bash
dotnet test
```

```
PulseClinic.IntakeApi/
├── src/
│   ├── PulseClinic.Api/                    # Main Web API project
│   │   ├── Controllers/                    # API controllers (all vulnerable)
│   │   ├── Models/                         # DTOs (minimal validation)
│   │   └── Program.cs                      # Startup configuration
│   │
│   └── PulseClinic.Data/                   # Data access layer
│       ├── Entities/                       # EF Core entities
│       ├── Migrations/                     # EF Core migrations
│       ├── PulseClinicDbContext.cs         # DbContext
│       └── DatabaseSeeder.cs               # Sample data seeder
│
├── tests/
│   └── PulseClinic.Api.IntegrationTests/   # Basic integration tests
│
├── docs/
│   └── Section8-Runbook.md                 # Detailed attack demo guide
│
├── PulseClinic.IntakeApi.sln               # Solution file
└── README.md                               # This file
```
- `POST /api/intakes` - Create new patient intake
- `GET /api/intakes/{id}` - Get single intake by ID
- `GET /api/intakes/search?q={query}&sort={field}` - Search intakes (⚠️ SQL Injection)

- `POST /api/appointments` - Create appointment request
- `GET /api/appointments/{id}` - Get single appointment
- `GET /api/appointments/search?q={query}` - Search appointments (⚠️ SQL Injection)

- `POST /api/staffnotes` - Create staff note (⚠️ Stores XSS payloads)
- `GET /api/staffnotes/{id}` - Get staff note as JSON
- `GET /api/staffnotes/preview/{id}` - Preview note as HTML (⚠️ XSS vulnerability)
- `GET /api/staffnotes/patient/{patientId}` - List notes for patient

- `POST /api/files/upload` - Upload file (⚠️ Path traversal, no validation)
- `GET /api/files/{id}/download` - Download file (⚠️ No scan check)
- `GET /api/files/{id}` - Get file metadata
- `GET /api/files` - List all uploaded files
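The search endpoints take a free-text `q` and a column name `sort`. As an added example (not PulseClinic's own code; the `PatientIntake` entity, its `PatientIntakes` table and the `Intakes` DbSet are assumed), here is the concatenated form the README describes next to a hardened form that binds `q` as a parameter and resolves `sort` through a fixed allow-list, since a column identifier cannot be bound as a SQL parameter:

```csharp
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Added example, not PulseClinic's own code. Assumes PulseClinicDbContext exposes
// DbSet<PatientIntake> Intakes, mapped to table "PatientIntakes" with columns
// LastName and CreatedAt.
public static class IntakeSearch
{
    // VULNERABLE: the pattern the README describes. FromSqlRaw receives a plain
    // string, so both the search term and the sort column become SQL text.
    public static IQueryable<PatientIntake> SearchUnsafe(
        PulseClinicDbContext db, string q, string sort) =>
        db.Intakes.FromSqlRaw(
            $"SELECT * FROM PatientIntakes WHERE LastName LIKE '%{q}%' ORDER BY {sort}");

    // Hardened: q is bound as a parameter; sort only selects a branch.
    public static IQueryable<PatientIntake> SearchSafe(
        PulseClinicDbContext db, string q, string? sort)
    {
        if (string.IsNullOrWhiteSpace(q) || q.Length > 100)
            throw new ArgumentException("Search term must be 1-100 characters.", nameof(q));

        // Escape LIKE wildcards so "100%" matches literally instead of widening
        // the search; the ESCAPE clause tells SQLite which character was used.
        var pattern = "%" + q.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_") + "%";

        // FromSql takes a FormattableString: {pattern} is sent as a bound
        // parameter and is never spliced into the SQL text.
        var query = db.Intakes.FromSql(
            $"SELECT * FROM PatientIntakes WHERE LastName LIKE {pattern} ESCAPE '\\'");

        // A column identifier cannot be parameterised, so the client value is
        // matched against a fixed allow-list and the ordering is composed in
        // LINQ; anything else is rejected instead of being echoed into SQL.
        return (sort ?? "lastname").ToLowerInvariant() switch
        {
            "lastname"  => query.OrderBy(i => i.LastName),
            "createdat" => query.OrderByDescending(i => i.CreatedAt),
            _ => throw new ArgumentException("Unsupported sort field.", nameof(sort)),
        };
    }
}
```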
Patient intake record with personal and medical information.
Appointment booking linked to a patient intake.
Clinical notes written by medical staff about patients.
Metadata for uploaded files (lab results, medical images, etc.).
See docs/Section8-Runbook.md for detailed attack demos and remediation strategies.
- Missing Input Validation - DTOs lack validation attributes
- ReDoS - Regex patterns with catastrophic backtracking
- SQL Injection - Raw SQL with string concatenation in search endpoints
- Stored XSS - Staff notes preview renders unsanitized HTML
- Path Traversal - File upload uses original filenames without sanitization
- Unrestricted Upload - No file size, type, or malware checks
- Information Disclosure - Error messages expose stack traces
- Semantic Validation Gaps - Status fields accept any string value
Each vulnerability is tagged with lecture numbers for easy cross-reference during course development.
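The path traversal and unrestricted upload items above both come from trusting the client-supplied filename and content type. As an added example (not PulseClinic's own code; the upload root, the 5 MB cap and the allowed types are assumed policy), here is a hardened save routine for the `/api/files/upload` endpoint that stores files under a generated name and keeps the original name only as metadata:

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example, not PulseClinic's own code. uploadRoot is the directory the
// caller has chosen for stored files (assumed, e.g. <ContentRoot>/app_data/uploads).
public static class SafeUpload
{
    private const long MaxBytes = 5 * 1024 * 1024; // assumed policy: 5 MB cap

    // Extension -> the only Content-Type accepted for it. The Content-Type header
    // is client-supplied, so it is cross-checked against the extension, not trusted alone.
    private static readonly Dictionary<string, string> Allowed =
        new(StringComparer.OrdinalIgnoreCase)
        {
            [".pdf"] = "application/pdf",
            [".png"] = "image/png",
            [".jpg"] = "image/jpeg",
        };

    // Returns the full path the bytes were written to. The stored name is a fresh
    // GUID plus the validated extension, so a name such as "../../Program.cs" or
    // "report.pdf.exe" cannot steer where or what gets written.
    public static async Task<string> SaveAsync(IFormFile file, string uploadRoot, CancellationToken ct)
    {
        if (file.Length == 0 || file.Length > MaxBytes)
            throw new InvalidOperationException("File is empty or exceeds the size limit.");

        // Path.GetFileName drops any directory components the client sent.
        var originalName = Path.GetFileName(file.FileName);
        var ext = Path.GetExtension(originalName);
        if (!Allowed.TryGetValue(ext, out var expectedType) ||
            !string.Equals(file.ContentType, expectedType, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("File type not permitted.");

        var storedName = $"{Guid.NewGuid():N}{ext.ToLowerInvariant()}";
        var fullRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(uploadRoot));
        var fullPath = Path.GetFullPath(Path.Combine(fullRoot, storedName));

        // Defence in depth: even with a generated name, refuse anything that
        // resolves outside the upload root.
        if (!fullPath.StartsWith(fullRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new InvalidOperationException("Resolved path escapes the upload root.");

        Directory.CreateDirectory(fullRoot);
        // FileMode.CreateNew fails instead of silently overwriting an existing file.
        await using var target = new FileStream(fullPath, FileMode.CreateNew, FileAccess.Write);
        await file.CopyToAsync(target, ct);
        return fullPath;
    }
}
```

The original filename (`originalName`) can be stored alongside the returned path as display metadata, which is the role the README's file metadata endpoint implies for it.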
The database seeds with:
- 3 sample patients
- 2 appointment requests
- 3 staff notes
- 2 uploaded file records
All records use deterministic GUIDs (11111111-1111-..., 22222222-2222-..., etc.) for predictable testing.
- .NET 10 - Latest .NET version
- ASP.NET Core Web API - RESTful API framework
- Entity Framework Core 10 - ORM for data access
- SQLite - Embedded database for easy setup
- Swagger/OpenAPI - API documentation and testing
- xUnit - Testing framework
After working through this project, students will understand:
- How to identify common input validation vulnerabilities
- The mechanics of injection attacks (SQL, XSS, path traversal)
- Performance attacks using ReDoS
- File upload security risks
- Proper error handling without information leakage
- Defense-in-depth validation strategies
- Secure coding practices in .NET 10
This is the Start project. During the course, you'll:
- Identify each vulnerability using tools and manual testing
- Learn the security principles behind each issue
- Implement proper fixes using modern .NET security features
- Build a Finished version with all vulnerabilities remediated
This is a teaching project. If you're a student taking this course:
- Practice exploiting these vulnerabilities in a safe environment
- Document your findings
- Try creating additional test cases
- Do not fix the vulnerabilities in this "Start" project - that's for the course!
This project is for educational purposes only. Use at your own risk.
For questions about the course content, please refer to:
- The Udemy course Q&A section
- docs/Section8-Runbook.md for detailed attack examples
Remember: This code is intentionally insecure. Never use these patterns in real applications! 🛡️