snoopysecurity/dvws-node snoopysecurity/dvws-node

  • Stars
    star
    346
  • Rank 117,914 (Top 3 %)
  • Language
    JavaScript
  • License
    GNU General Publi...
  • Created about 4 years ago
  • Updated 10 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
snoopysecurity/dvws-node
github

snoopysecurity

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.

Gitpod Ready-to-Code

dvws-node

Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities. This is a replacement for https://github.com/snoopysecurity/dvws

DVWS

This vulnerable application contains the following API/Web Service vulnerabilities:

  • Insecure Direct Object Reference
  • Horizontal Access Control Issues
  • Vertical Access Control Issues
  • Mass Assignment
  • Cross-Site Scripting
  • NoSQL Injection
  • Server Side Request Forgery
  • JSON Web Token (JWT) Secret Key Brute Force
  • Information Disclosure
  • Hidden API Functionality Exposure
  • Cross-Origin Resource Sharing Misonfiguration
  • JSON Hijacking
  • SQL Injection
  • XML External Entity Injection (XXE)
  • Command Injection
  • XPATH Injection
  • XML-RPC User Enumeration
  • Open Redirect
  • Path Traversal
  • Unsafe Deserialization
  • Sensitive Data Exposure
  • GraphQL Access Control Issues
  • GraphQL Introspection Enabled
  • GraphQL Arbitrary File Write
  • GraphQL Batching Brute Force
  • Client Side Template Injection

Set Up Instructions

Manual (Preferred Method)

Node and NPM is needed to run dvws-node

Tested on:

  • node v16.19.0
  • npm 8.19.3

Set up a mongoDB environment to listen on port 27017. Docker can be used to quickly set this up.

docker run -d -p 27017-27019:27017-27019 --name dvws-mongo mongo:4.0.4

Create a MySQL database which listens of port 3306 Docker can be used as follows

docker run -p 3306:3306 --name dvws-mysql -e MYSQL_ROOT_PASSWORD=mysecretpassword -e MYSQL_DATABASE=dvws_sqldb -d mysql:8

Git clone the DVWS Repository

git clone https://github.com/snoopysecurity/dvws-node.git

Change directory to DVWS

cd dvws-node

npm install all dependencies (build from source is needed for libxmljs, you might also need install libxml depending on your OS: sudo apt-get install -y libxml2 libxml2-dev)

npm install --build-from-source

Run the startup script which create some test data

node startup_script.js

To start the application/API, run (sudo privileges is needed to bind to ports)

sudo npm start

Within your /etc/hosts file, ensure localhost resolves to dvws.local. This ensures URLs from swagger is resolved correctly (optional)

127.0.0.1    dvws.local

Docker Compose

If you have docker compose installed on your system, all you need to execute is :

Clone DVWS

git clone https://github.com/snoopysecurity/dvws-node.git

Change directory to dvws-node

cd dvws-node

Start Docker

`docker-compose up`

This will start the dvws service with the backend MySQL database and the NoSQL database.

If the DVWS web service doesn't start because of delayed MongoDB or MySQL setup, then increase the value of environment variable : WAIT_HOSTS_TIMEOUT

Solutions

To Do

  • Cross-Site Request Forgery (CSRF)
  • XML Bomb Denial-of-Service
  • API Endpoint Brute Forcing
  • Web Socket Security
  • Type Confusion
  • LDAP Injection
  • SOAP Injection
  • XML Injection
  • GRAPHQL Denial Of Service
  • CRLF Injection
  • GraphQL Injection
  • Webhook security

Any Questions

Open a GitHub Issue :)

More Repositories

1

awesome-burp-extensions

A curated list of amazingly awesome Burp Extensions
2,526
star
2

Vulnerable-Code-Snippets

A small collection of vulnerable code snippets
PHP
475
star
3

dvws

Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. NOTE: This project is out of date, please use https://github.com/snoopysecurity/dvws-node
PHP
441
star
4

OSCE-Prep

A list of freely available resources that can be used as a prerequisite before taking OSCE.
211
star
5

Setup-AD-Security-Lab

Scripts to create a Active Directory Lab with security misconfigurations and vulnerabilities.
PowerShell
45
star
6

Public

Archive - Repository contains old publicly released presentations, tools, Proof of Concepts and other junk.
PowerShell
24
star
7

OSWE-Prep

Useful tips and resources for preparing for the AWAE exam.
15
star
8

fuzzpayloads

Collection of fuzzing payloads and corpus from all around added as sub modules
9
star
9

Noopener-Burp-Extension

Find Target="_blank" values within web pages that are set without 'noopener' and 'noreferrer' attributes
Python
3
star
10

snoopysecurity.github.io

Personal Blog
HTML
3
star