
Damn Vulnerable NodeJS Application (DVNA)

Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application that demonstrates the OWASP Top 10 vulnerabilities and provides guidance on fixing and avoiding them. The fixes branch contains fixes for the vulnerabilities; fixes for the OWASP Top 10 2017 vulnerabilities are in the fixes-2017 branch.

The application is powered by commonly used libraries such as express, passport, sequelize, etc.

Developer Security Guide book

The application comes with a developer-friendly, comprehensive guidebook which can be used to learn about, avoid and fix the vulnerabilities. The guide, available at https://appsecco.com/books/dvna-developers-security-guide/, covers the following:

  1. Instructions for setting up DVNA
  2. Instructions on exploiting the vulnerabilities
  3. Vulnerable code snippets and instructions on fixing vulnerabilities
  4. Recommendations for avoiding such vulnerabilities
  5. References for learning more

The blog post for this release is at https://blog.appsecco.com/damn-vulnerable-nodejs-application-dvna-by-appsecco-7d782d36dc1e

Quick start

Try DVNA using a single command with Docker. This setup uses an SQLite database instead of MySQL.

docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite

Access the application at http://127.0.0.1:9090/

Getting Started

DVNA can be deployed in three ways

  1. For Developers, using docker-compose with auto-reload on code updates
  2. For Security Testers, using the Official image from Docker Hub
  3. For Advanced Users, using a fully manual setup

Detailed instructions on setup and requirements are given in the Guide Gitbook

Development Setup

Clone this repository

git clone https://github.com/appsecco/dvna; cd dvna

Create a vars.env with the desired database configuration

MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes

Start the application and database using docker-compose

docker-compose up

Access the application at http://127.0.0.1:9090/

The application will automatically reload on code changes, so feel free to patch and play around with the application.

Using Official Docker Image

Create a file named vars.env with the following configuration

MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes
MYSQL_HOST=mysql-db
MYSQL_PORT=3306

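The vars.env shown in the Development Setup and Official Docker Image sections above ships with a fixed placeholder password. As an added example (not part of the DVNA repository), the POSIX shell script below writes the same variables with a randomly generated MYSQL_PASSWORD, creates the file readable only by its owner, and checks the result before it is handed to docker or docker-compose. The output path argument, the default host name and the use of /dev/urandom are assumptions.

```shell
#!/bin/sh
# Added example (not part of the DVNA repository): write a vars.env for the
# docker-compose / official-image setups above, but with a random MySQL
# password instead of the documented placeholder, and check the result.
# Assumptions: /dev/urandom is available; the output path is passed as $1.

DEFAULT_PASSWORD="passw0rd"   # the placeholder used in the README

# Generate a 24-character alphanumeric password from the kernel RNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# write_vars_env FILE [HOST] [PORT]
# Writes the variables the setup sections list. Refuses to overwrite an
# existing file so a password already in use is not silently replaced.
write_vars_env() {
    file=$1; host=${2:-mysql-db}; port=${3:-3306}
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    umask 077                    # file is created 0600: only the owner reads it
    pw=$(gen_password)
    {
        echo "MYSQL_USER=dvna"
        echo "MYSQL_DATABASE=dvna"
        echo "MYSQL_PASSWORD=$pw"
        echo "MYSQL_RANDOM_ROOT_PASSWORD=yes"
        echo "MYSQL_HOST=$host"
        echo "MYSQL_PORT=$port"
    } >"$file"
}

# check_vars_env FILE
# Fails if a required key is missing or the placeholder password is still in use.
check_vars_env() {
    file=$1; rc=0
    for key in MYSQL_USER MYSQL_DATABASE MYSQL_PASSWORD MYSQL_HOST MYSQL_PORT; do
        grep -q "^$key=." "$file" || { echo "missing $key" >&2; rc=1; }
    done
    if grep -q "^MYSQL_PASSWORD=$DEFAULT_PASSWORD\$" "$file"; then
        echo "MYSQL_PASSWORD is still the README placeholder" >&2; rc=1
    fi
    return $rc
}
```

Run it as `sh make-vars-env.sh vars.env` before the docker commands below; for the manual setup the same values can be exported from the generated file instead of typed by hand.
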
Start a MySQL container

docker run --name dvna-mysql --env-file vars.env -d mysql:5.7

Start the application using the official image

docker run --name dvna-app --env-file vars.env --link dvna-mysql:mysql-db -p 9090:9090 appsecco/dvna

Access the application at http://127.0.0.1:9090/ and start testing!

Manual Setup

Clone the repository

git clone https://github.com/appsecco/dvna; cd dvna

Configure the environment variables with your database information

export MYSQL_USER=dvna
export MYSQL_DATABASE=dvna
export MYSQL_PASSWORD=passw0rd
export MYSQL_HOST=127.0.0.1
export MYSQL_PORT=3306

Install Dependencies

npm install

Start the application

npm start

Access the application at http://localhost:9090

TODO

  • Link commits to fixes in documentation
  • Add new vulnerabilities from OWASP Top 10 2017
  • Improve application features, documentation

Contributing

In case of bugs in the application, please create an issue on GitHub. Pull requests are highly welcome!

Thanks

Abhisek Datta - abhisek for application architecture and front-end code

License

MIT
