KosasiDemo

Create an Account

Vulnerabilities on this page (educational)

1. SQL Injection (INSERT) — username: a', 'x@x.com', MD5('x'), 'admin')-- creates an admin
2. Stored XSS — username: <script>alert('xss')</script> stored in DB, fires when displayed
3. Unsalted MD5 — all passwords crackable via rainbow tables
4. No CSRF token — auto-registration from a third-party page
5. No rate limiting — unlimited automated account creation
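
Added example, not part of the KosasiDemo page or its code: a hardened registration path for items 1 to 3, using the two usernames quoted above as test input. The SQLite schema, function names and scrypt parameters are assumptions made for illustration; items 4 and 5 are not covered here.

```python
import hashlib, hmac, html, os, sqlite3

def open_db():
    # In-memory table; this schema is an assumption, not the demo's own.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
                 " email TEXT, salt BLOB, pw_hash BLOB, role TEXT)")
    return conn

def hash_password(password, salt):
    # scrypt with a per-user random salt replaces unsalted MD5 (item 3).
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register(conn, username, email, password):
    # Placeholders keep input as data; the role is fixed server-side (item 1).
    salt = os.urandom(16)
    cur = conn.execute(
        "INSERT INTO users (username, email, salt, pw_hash, role)"
        " VALUES (?, ?, ?, ?, 'user')",
        (username, email, salt, hash_password(password, salt)))
    conn.commit()
    return cur.lastrowid

def check_password(conn, user_id, password):
    # Recompute with the stored salt and compare in constant time.
    salt, stored = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE id = ?", (user_id,)).fetchone()
    return hmac.compare_digest(stored, hash_password(password, salt))

def role_of(conn, user_id):
    return conn.execute(
        "SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def render_greeting(conn, user_id):
    # Escape on output so stored markup is displayed as text (item 2).
    name = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return "<p>Welcome, " + html.escape(name) + "</p>"

if __name__ == "__main__":
    db = open_db()
    # The two usernames quoted in the list above, stored as plain data.
    a = register(db, "a', 'x@x.com', MD5('x'), 'admin')--", "a@example.test", "pw-one")
    b = register(db, "<script>alert('xss')</script>", "b@example.test", "pw-one")
    print(role_of(db, a), render_greeting(db, b), check_password(db, a, "pw-one"))
```

Both accounts use the same password here, yet their stored hashes differ because each row has its own salt.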