VulnNodeApp
A deliberately vulnerable application built with Node.js, the Express server and the EJS template engine. This application is meant for educational purposes only.
Vulnerabilities covered
- SQL Injection
- Cross-Site Scripting (XSS)
- Insecure Direct Object Reference (IDOR)
- Command Injection
- Arbitrary File Retrieval
- Regular Expression Injection
- XML External Entity (XXE) Injection
- Node.js Deserialization
- Security Misconfiguration
- Insecure Session Management
Setup
Clone this repository
git clone https://github.com/4auvar/VulnNodeApp.git
Application setup:
- Install the latest Node.js version together with npm.
- Open a terminal/command prompt and navigate to the location of the downloaded/cloned repository.
- Run the command: npm install
DB setup
- Install and configure the latest MySQL version and start the MySQL service/daemon.
- Log in to MySQL as the root user and run the SQL script below:
Set basic environment variables
- The following environment variables must be set before starting the server:
- DATABASE_HOST (e.g. localhost, 127.0.0.1, etc.)
- DATABASE_NAME (e.g. vuln_node_app_db, or the DB name you changed in the DB script above)
- DATABASE_USER (e.g. vulnnodeapp, or the user name you changed in the DB script above)
- DATABASE_PASS (e.g. password, or the password you changed in the DB script above)
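As an added example (not code from the VulnNodeApp repository), the following Node.js snippet shows one way the four DATABASE_* variables listed above can be read at startup: it fails fast when any variable is missing, names only the missing variables (never their values), and provides a log-safe description of the resulting connection config with the password redacted. The `loadDbConfig` and `describeDbConfig` function names are assumptions, not part of the project.

```javascript
// Added example, not part of VulnNodeApp: load the DATABASE_* variables
// the README asks for and build a MySQL client connection config.
const REQUIRED_VARS = ['DATABASE_HOST', 'DATABASE_NAME', 'DATABASE_USER', 'DATABASE_PASS'];

// Read the required variables from `env` (defaults to process.env).
// Throws if any is unset or blank, listing only the variable names so
// that no secret ever ends up in an error message or log line.
function loadDbConfig(env = process.env) {
  const missing = REQUIRED_VARS.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
  if (missing.length > 0) {
    throw new Error(`Missing required environment variable(s): ${missing.join(', ')}`);
  }
  return {
    host: env.DATABASE_HOST,
    database: env.DATABASE_NAME,
    user: env.DATABASE_USER,
    password: env.DATABASE_PASS,
  };
}

// Human-readable view of the config that is safe to log: the password
// is replaced by a fixed marker and never interpolated.
function describeDbConfig(cfg) {
  return `${cfg.user}@${cfg.host}/${cfg.database} (password: [redacted])`;
}

// Constructed sample environment, mirroring the README's example values.
const sampleEnv = {
  DATABASE_HOST: 'localhost',
  DATABASE_NAME: 'vuln_node_app_db',
  DATABASE_USER: 'vulnnodeapp',
  DATABASE_PASS: 'S3cret-Example',
};

console.log('Would connect to', describeDbConfig(loadDbConfig(sampleEnv)));
```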
Start the server
- Open a command prompt/terminal and navigate to the location of your repository.
- Run the command: npm start
- Access the application at http://localhost:3000
Author: @4auvar