GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → cr0hn → Vulnerable Node

cr0hn / Vulnerable Node

Licence: other
A very vulnerable web site written in NodeJS with the purpose of have a project with identified vulnerabilities to test the quality of security analyzers tools tools

Programming Languages

javascript
184084 projects - #8 most used programming language

Labels

nodejsvulnerabilityanalyzer

Projects that are alternatives of or similar to Vulnerable Node

external-protocol-flooding
Scheme flooding vulnerability: how it works and why it is a threat to anonymous browsing
Stars: ✭ 603 (+113.83%)
Mutual labels:  vulnerability
XSS-Cheatsheet
XSS Cheatsheet - A collection of XSS attack vectors https://xss.devwerks.net/
Stars: ✭ 26 (-90.78%)
Mutual labels:  vulnerability
Droid Hunter
(deprecated) Android application vulnerability analysis and Android pentest tool
Stars: ✭ 256 (-9.22%)
Mutual labels:  vulnerability
Exploits
Real world and CTFs exploiting web/binary POCs.
Stars: ✭ 69 (-75.53%)
Mutual labels:  vulnerability
DataAnalyzer.app
✨🚀 DataAnalyzer.app - Convert JSON/CSV to Typed Data Interfaces - Automatically!
Stars: ✭ 23 (-91.84%)
Mutual labels:  analyzer
klustair
(Deprecated) Submit all images in your Kubernetes cluster to Anchore for a vulnerability check and check your configuration with kubeaudit
Stars: ✭ 15 (-94.68%)
Mutual labels:  vulnerability
SQL Injection Payload
SQL Injection Payload List
Stars: ✭ 62 (-78.01%)
Mutual labels:  vulnerability
Hackrf Spectrum Analyzer
Stars: ✭ 276 (-2.13%)
Mutual labels:  analyzer
mondoo
🕵️‍♀️ Mondoo Cloud-Native Security & Vulnerability Risk Management
Stars: ✭ 60 (-78.72%)
Mutual labels:  vulnerability
Shiro exploit
Apache Shiro 反序列化漏洞检测与利用工具
Stars: ✭ 252 (-10.64%)
Mutual labels:  vulnerability
xsymlink
Xbox One Symbolic Link Exploit: Access restricted/encrypted volumes using the Xbox File Explorer.
Stars: ✭ 18 (-93.62%)
Mutual labels:  vulnerability
waithax
An implementation of the waithax / slowhax 3DS Kernel11 exploit.
Stars: ✭ 64 (-77.3%)
Mutual labels:  vulnerability
SQL-XSS
A few SQL and XSS attack tools
Stars: ✭ 29 (-89.72%)
Mutual labels:  vulnerability
log4jscanwin
Log4j Vulnerability Scanner for Windows
Stars: ✭ 142 (-49.65%)
Mutual labels:  vulnerability
Fastnetmon
FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
Stars: ✭ 2,860 (+914.18%)
Mutual labels:  analyzer
Chimay-Red-tiny
This is a minified exploit for mikrotik routers. It does not require any aditional modules to run.
Stars: ✭ 25 (-91.13%)
Mutual labels:  vulnerability
elastic-search-analyzer
基于elasticsearch,ik, 分词,全文搜索,使用demo
Stars: ✭ 41 (-85.46%)
Mutual labels:  analyzer
Faraday
Faraday introduces a new concept - IPE (Integrated Penetration-Test Environment) a multiuser Penetration test IDE. Designed for distributing, indexing, and analyzing the data generated during a security audit.
Stars: ✭ 3,198 (+1034.04%)
Mutual labels:  vulnerability
Application Security Engineer Interview Questions
Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer
Stars: ✭ 267 (-5.32%)
Mutual labels:  vulnerability
Cloud Reports
Scans your AWS cloud resources and generates reports. Check out free hosted version:
Stars: ✭ 255 (-9.57%)
Mutual labels:  analyzer
View All Similar Projects ➔

Vulnerable Node

Logo

Vulnerable Node: A very vulnerable web site written in NodeJS

Codename PsEA
Version 1.0
Code https://github.com/cr0hn/vulnerable-node
Issues https://github.com/cr0hn/vulnerable-node/issues/
Author Daniel Garcia (cr0hn) - @ggdaniel

Support this project

Support this project (to solve issues, new features...) by applying the Github "Sponsor" button.

What's this project?

The goal of this project is to be a project with really vulnerable code in NodeJS, not simulated.

Why?

Similar project, like OWASP Node Goat, are pretty and useful for learning process but not for a real researcher or studding vulnerabilities in source code, because their code is not really vulnerable but simulated.

This project was created with the purpose of have a project with identified vulnerabilities in source code with the finality of can measure the quality of security analyzers tools.

Although not its main objective, this project also can be useful for:

  • Pentesting training.
  • Teaching: learn how NOT programming in NodeJS.

The purpose of project is to provide a real app to test the quality of security source code analyzers in white box processing.

How?

This project simulates a real (and very little) shop site that has identifiable sources points of common vulnerabilities.

Installation

The most simple way to run the project is using docker-compose, doing this:

# git clone https://github.com/cr0hn/vulnerable-node.git vulnerable-node
# cd vulnerable-node/
# docker-compose build && docker-compose up
Building postgres_db
Step 1 : FROM library/postgres
---> 247a11721cbd
Step 2 : MAINTAINER "Daniel Garcia aka (cr0hn)" <[email protected]>
---> Using cache
---> d67c05e9e2d5
Step 3 : ADD init.sql /docker-entrypoint-initdb.d/
....

Running

Once docker compose was finished, we can open a browser and type the URL: 127.0.0.1:3000 (or the IP where you deployed the project):

Login screen

To access to website you can use displayed in landing page:

  • admin : admin
  • roberto : asdfpiuw981

Here some images of site:

home screen

shopping

purchased products

Vulnerabilities

Vulnerability list:

This project has the most common vulnerabilities of OWASP Top 10 <https://www.owasp.org/index.php/Top_10_2013-Top_10>:

  • A1 - Injection
  • A2 - Broken Authentication and Session Management
  • A3 - Cross-Site Scripting (XSS)
  • A4 - Insecure Direct Object References
  • A5 - Security Misconfiguration
  • A6 - Sensitive Data Exposure
  • A8 - Cross-Site Request Forgery (CSRF)
  • A10 - Unvalidated Redirects and Forwards

Vulnerability code location

The exactly code location of each vulnerability is pending to write

References

I took ideas and how to explode it in NodeJS using these references:

License

This project is released under license BSD.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].