NodeGoat: learn how OWASP Top 10 security risks apply to web applications
OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications.
OWASP Top 10 for Node.js web applications:
Know it!
Tutorial Guide explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent them.
Do it!
A Vulnerable Node.js App for Ninjas to exploit, toast, and fix. You may like to set up your own copy of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
Default user accounts
The database comes pre-populated with these user accounts created as part of the seed data –
- Admin Account – u:admin p:Admin_123
- User Accounts (u:user1 p:User1_123), (u:user2 p:User2_123)
- New users can also be added using the sign-up page.
Install
- Install Node.js – NodeGoat requires Node v4.4 or above
- Clone the github repository and install its dependencies
  git clone https://github.com/OWASP/NodeGoat.git
  cd NodeGoat
  npm install
- Create Mongo DB: You can create a remote MongoDB instance or use a local mongod installation
  - A. Using Remote MongoDB
    - Create a sandbox mongoDB instance (free) at MongoLab
    - Create a new database.
    - Create a user.
    - Update the db property in file config/env/development.js to reflect your DB setup (in format: mongodb://<username>:<password>@<databasename>)
  - OR B. Using local MongoDB
    - If using a local Mongo DB instance, start mongod.
    - Update the db property in file config/env/development.js to reflect your DB setup (in format: mongodb://localhost:27017/<databasename>)
- Populate MongoDB with seed data required for the app
  - Run the npm-script below to populate the DB with seed data required for the application. Pass the desired environment as argument. If not passed, “development” is the default:
    npm run db:seed
- Start the server; this starts the NodeGoat application at url http://localhost:4000/
  npm start
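As an added example (not NodeGoat's own code), the following Node.js helper checks the db connection string from config/env/development.js before the app starts, accepting both the local and the remote shape given above, and produces a copy with the password redacted so the value can be logged without exposing the credential. The host names and credentials used in the comments are constructed, not from the project.

```javascript
// Added example, not part of NodeGoat: validate the MongoDB URI that goes in
// the `db` property of config/env/development.js and derive a log-safe copy.
// Accepted shapes (from the install steps):
//   mongodb://localhost:27017/<databasename>                 local mongod
//   mongodb://<username>:<password>@<host>/<databasename>   remote instance
function parseDbUri(uri) {
  let url;
  try {
    url = new URL(uri); // WHATWG URL parser built into Node.js
  } catch (e) {
    throw new Error('db is not a valid URL');
  }
  if (url.protocol !== 'mongodb:') {
    throw new Error('db must use the mongodb:// scheme');
  }
  const database = url.pathname.replace(/^\//, '');
  if (!database) {
    throw new Error('db must name a database after the host, e.g. /nodegoat');
  }
  const remote = !['localhost', '127.0.0.1'].includes(url.hostname);
  // A remote instance must never be configured without credentials.
  if (remote && (!url.username || !url.password)) {
    throw new Error('remote db requires <username>:<password>@ in the URI');
  }
  return {
    remote,
    host: url.hostname,
    port: url.port || '27017', // MongoDB default when the URI omits the port
    database,
    username: decodeURIComponent(url.username),
  };
}

// Replace the password so the URI can appear in logs or error messages.
// e.g. mongodb://ngoat:s3cret@db.example.net/nodegoat  (constructed value)
//   -> mongodb://ngoat:***@db.example.net/nodegoat
function redactDbUri(uri) {
  const url = new URL(uri);
  if (url.password) url.password = '***';
  return url.toString();
}
```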
Copyright 2014 ckarande
Source: https://github.com/OWASP/