cr0hn / vulnerable-node

A very vulnerable web site written in NodeJS, created to have a project with identified vulnerabilities for testing the quality of security analyzer tools.

License: Other

JavaScript 79.12% CSS 1.06% Shell 1.69% Dockerfile 0.59% EJS 17.54%
analyzer vulnerability nodejs common-vulnerabilities whitebox identified-vulnerabilities security-analyzers

vulnerable-node's Introduction

Vulnerable Node


Vulnerable Node: A very vulnerable web site written in NodeJS

Codename PsEA
Version 1.0
Code https://github.com/cr0hn/vulnerable-node
Issues https://github.com/cr0hn/vulnerable-node/issues/
Author Daniel Garcia (cr0hn) - @ggdaniel

Support this project

Support this project (to solve issues, add new features...) by using the GitHub "Sponsor" button.

What's this project?

The goal of this project is to provide really vulnerable NodeJS code, not simulated vulnerabilities.

Why?

Similar projects, like OWASP Node Goat, are nice and useful for learning, but not for a real researcher studying vulnerabilities in source code, because their code is not really vulnerable, only simulated.

This project was created to have a project with identified vulnerabilities in its source code, so that the quality of security analyzer tools can be measured against it.

Although not its main objective, this project can also be useful for:

  • Pentesting training.
  • Teaching: learning how NOT to program in NodeJS.

The purpose of the project is to provide a real app for testing the quality of security source code analyzers in white-box analysis.

How?

This project simulates a real (and very small) shop site that contains identifiable source points of common vulnerabilities.

Installation

The simplest way to run the project is with docker-compose:

# git clone https://github.com/cr0hn/vulnerable-node.git vulnerable-node
# cd vulnerable-node/
# docker-compose build && docker-compose up
Building postgres_db
Step 1 : FROM library/postgres
---> 247a11721cbd
Step 2 : MAINTAINER "Daniel Garcia aka (cr0hn)" <[email protected]>
---> Using cache
---> d67c05e9e2d5
Step 3 : ADD init.sql /docker-entrypoint-initdb.d/
....

Running

Once docker-compose has finished, open a browser and go to the URL 127.0.0.1:3000 (or the IP where you deployed the project):

Login screen

To access the website you can use the credentials displayed on the landing page:

  • admin : admin
  • roberto : asdfpiuw981

Here are some images of the site:

home screen

shopping

purchased products

Vulnerabilities

Vulnerability list:

This project contains the most common vulnerabilities of the OWASP Top 10 (2013) <https://www.owasp.org/index.php/Top_10_2013-Top_10>:

  • A1 - Injection
  • A2 - Broken Authentication and Session Management
  • A3 - Cross-Site Scripting (XSS)
  • A4 - Insecure Direct Object References
  • A5 - Security Misconfiguration
  • A6 - Sensitive Data Exposure
  • A8 - Cross-Site Request Forgery (CSRF)
  • A10 - Unvalidated Redirects and Forwards
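As an added illustration of the first entry (A1 Injection), and of what a white-box analyzer is expected to flag in a NodeJS app of this kind, the following is not code from vulnerable-node: it places the query-building pattern that splices request data into SQL text next to its parameterized form. A stub stands in for the node-postgres client so the comparison runs offline; the table and column names, and the `findUser*` function names, are assumptions made for the example.

```javascript
// Added illustration, not code from the vulnerable-node project.
// A stub client records what would be sent to PostgreSQL instead of connecting.
function makeFakeClient() {
  const sent = [];
  return {
    sent,
    // Same shape as node-postgres client.query(text, values) for this purpose.
    query(text, values = []) {
      sent.push({ text, values });
      return { rows: [] };
    },
  };
}

// Vulnerable pattern (hypothetical table/column names): user-controlled data
// is concatenated into the SQL text, so a quote character in the input changes
// the structure of the statement. This is the taint flow (request -> SQL sink)
// that an analyzer reports as A1 Injection.
function findUserUnsafe(client, username) {
  const sql = "SELECT id FROM users WHERE username = '" + username + "'";
  return client.query(sql);
}

// Hardened form: the SQL text is a constant and the value travels as a bind
// parameter, so the database never parses it as SQL.
function findUserSafe(client, username) {
  return client.query('SELECT id FROM users WHERE username = $1', [username]);
}

// Number of single quotes in the statement text; an odd count means the
// quoting is already broken by ordinary input.
function singleQuoteCount(text) {
  return (text.match(/'/g) || []).length;
}

// Run both variants on the same input and return what reached the "database".
function compare(username) {
  const unsafe = makeFakeClient();
  const safe = makeFakeClient();
  findUserUnsafe(unsafe, username);
  findUserSafe(safe, username);
  return { unsafe: unsafe.sent[0], safe: safe.sent[0] };
}

// A legitimate name containing a quote is enough to show the difference.
const RESULT = compare("O'Brien");
console.log('unsafe:', RESULT.unsafe.text, '| quotes:', singleQuoteCount(RESULT.unsafe.text));
console.log('safe:  ', RESULT.safe.text, '| values:', RESULT.safe.values);
```

The concatenated statement ends up with three single quotes, which is why even a harmless name breaks it; the parameterized statement keeps its text constant and hands the name over as a value, which is the fix an analyzer's finding should lead to.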

Vulnerability code location

The exact code location of each vulnerability is pending to be written.

References

I took ideas, and how to exploit them in NodeJS, from these references:

License

This project is released under the BSD license.

vulnerable-node's People

Contributors

agigleux, cr0hn, noraj, r0075h3ll, vitaly-t


vulnerable-node's Issues

Error: Database is uninitialized and superuser password is not specified.

Hi!
Thanks for your project! Can you please help me with a problem after executing docker-compose up:
Docker Compose version v2.14.0

vulnerable-node-postgres_db-1      | Error: Database is uninitialized and superuser password is not specified.
vulnerable-node-postgres_db-1      |        You must specify POSTGRES_PASSWORD to a non-empty value for the
vulnerable-node-postgres_db-1      |        superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
vulnerable-node-postgres_db-1      |
vulnerable-node-postgres_db-1      |        You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
vulnerable-node-postgres_db-1      |        connections without a password. This is *not* recommended.
vulnerable-node-postgres_db-1      |
vulnerable-node-postgres_db-1      |        See PostgreSQL documentation about "trust":
vulnerable-node-postgres_db-1      |        https://www.postgresql.org/docs/current/auth-trust.html
vulnerable-node-postgres_db-1 exited with code 1
vulnerable-node-vulnerable_node-1  | postgres_db: forward host lookup failed: Host name lookup failure : Resource temporarily unavailable 

inspect_network version<1.21

root@ubuntu:/home/v0benv/vulnerable-node# docker-compose build && docker-compose up
Building postgres_db
ERROR: client and server don't have same version (client : 1.21, server: 1.18)
root@ubuntu:/home/v0benv/vulnerable-node# export COMPOSE_API_VERSION=1.18
root@ubuntu:/home/v0benv/vulnerable-node# docker-compose build && docker-compose up
Building postgres_db
Step 0 : FROM library/postgres
---> 0e216ea7ceac
.....
Successfully built 700673523e55
Traceback (most recent call last):
File "", line 3, in
File "compose/cli/main.py", line 61, in main
File "compose/cli/main.py", line 113, in perform_command
File "compose/cli/main.py", line 835, in up
File "compose/project.py", line 374, in up
File "compose/project.py", line 415, in initialize
File "compose/network.py", line 162, in initialize
File "compose/network.py", line 47, in ensure
File "compose/network.py", line 82, in inspect
File "site-packages/docker/utils/decorators.py", line 32, in wrapper
docker.errors.InvalidVersion: inspect_network is not available for version < 1.21
docker-compose returned -1

docker-compose up fails after "Attaching to vulnerable-node_postgres_db_1, vulnerable-node_vulnerable_node_1"

Having an issue starting the container. Here is the output after it tries to start the postgres database

postgres_db_1 | Error: Database is uninitialized and superuser password is not specified.
postgres_db_1 | You must specify POSTGRES_PASSWORD to a non-empty value for the
postgres_db_1 | superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
postgres_db_1 |
postgres_db_1 | You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
postgres_db_1 | connections without a password. This is *not* recommended.
postgres_db_1 |
postgres_db_1 | See PostgreSQL documentation about "trust":
postgres_db_1 | https://www.postgresql.org/docs/current/auth-trust.html
vulnerable-node_postgres_db_1 exited with code 1

I tried adding the postgres_password, then the host auth method trust value to the docker-compose.yaml but then I started getting:

Attaching to vulnerable-node_postgres_db_1, vulnerable-node_vulnerable_node_1
postgres_db_1 |
postgres_db_1 | PostgreSQL Database directory appears to contain a database; Skipping initialization
postgres_db_1 |
postgres_db_1 | 2022-03-26 02:19:48.762 UTC [1] LOG: starting PostgreSQL 14.2 (Debian 14.2-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
postgres_db_1 | 2022-03-26 02:19:48.762 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
postgres_db_1 | 2022-03-26 02:19:48.762 UTC [1] LOG: listening on IPv6 address "::", port 5432
postgres_db_1 | 2022-03-26 02:19:48.764 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgres_db_1 | 2022-03-26 02:19:48.767 UTC [26] LOG: database system was shut down at 2022-03-26 02:19:07 UTC
postgres_db_1 | 2022-03-26 02:19:48.770 UTC [1] LOG: database system is ready to accept connections
vulnerable_node_1 |
vulnerable_node_1 | > [email protected] start /app
vulnerable_node_1 | > node ./bin/www
vulnerable_node_1 |
vulnerable_node_1 | Sat, 26 Mar 2022 02:19:49 GMT body-parser deprecated bodyParser: use individual json/urlencoded middlewares at app.js:38:9
vulnerable_node_1 | Sat, 26 Mar 2022 02:19:49 GMT body-parser deprecated undefined extended: provide extended option at node_modules/body-parser/index.js:105:29
vulnerable_node_1 | Sat, 26 Mar 2022 02:19:49 GMT express-session deprecated undefined resave option; provide resave option at app.js:43:9
vulnerable_node_1 | Sat, 26 Mar 2022 02:19:49 GMT express-session deprecated undefined saveUninitialized option; provide saveUninitialized option at app.js:43:9
vulnerable_node_1 | [2022-03-26 02:19:49.472] [INFO] vnode - Building database
vulnerable_node_1 | /app/node_modules/pg/lib/connection.js:426
vulnerable_node_1 | throw new Error("Unknown authenticationOk message type" + util.inspect(msg));
vulnerable_node_1 | ^
vulnerable_node_1 |
vulnerable_node_1 | Error: Unknown authenticationOk message type{ name: 'authenticationOk', length: 23 }
vulnerable_node_1 | at Connection.parseR (/app/node_modules/pg/lib/connection.js:426:9)
vulnerable_node_1 | at Connection.parseMessage (/app/node_modules/pg/lib/connection.js:345:17)
vulnerable_node_1 | at Socket.<anonymous> (/app/node_modules/pg/lib/connection.js:105:22)
vulnerable_node_1 | at emitOne (events.js:77:13)
vulnerable_node_1 | at Socket.emit (events.js:169:7)
vulnerable_node_1 | at readableAddChunk (_stream_readable.js:146:16)
vulnerable_node_1 | at Socket.Readable.push (_stream_readable.js:110:10)
vulnerable_node_1 | at TCP.onread (net.js:523:20)
postgres_db_1 | 2022-03-26 02:19:49.497 UTC [36] LOG: could not receive data from client: Connection reset by peer
postgres_db_1 | 2022-03-26 02:19:49.498 UTC [35] LOG: could not receive data from client: Connection reset by peer
vulnerable_node_1 |
vulnerable_node_1 | npm ERR! Linux 5.16.0-kali5-amd64
vulnerable_node_1 | npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "start"
vulnerable_node_1 | npm ERR! node v4.2.6
vulnerable_node_1 | npm ERR! npm v3.5.2
vulnerable_node_1 | npm ERR! code ELIFECYCLE
vulnerable_node_1 | npm ERR! [email protected] start: node ./bin/www
vulnerable_node_1 | npm ERR! Exit status 1
vulnerable_node_1 | npm ERR!
vulnerable_node_1 | npm ERR! Failed at the [email protected] start script 'node ./bin/www'.
vulnerable_node_1 | npm ERR! Make sure you have the latest version of node.js and npm installed.
vulnerable_node_1 | npm ERR! If you do, this is most likely a problem with the vulnerable-node-source package,
vulnerable_node_1 | npm ERR! not with npm itself.
vulnerable_node_1 | npm ERR! Tell the author that this fails on your system:
vulnerable_node_1 | npm ERR! node ./bin/www
vulnerable_node_1 | npm ERR! You can get information on how to open an issue for this project with:
vulnerable_node_1 | npm ERR! npm bugs vulnerable-node-source
vulnerable_node_1 | npm ERR! Or if that isn't available, you can get their info via:
vulnerable_node_1 | npm ERR! npm owner ls vulnerable-node-source
vulnerable_node_1 | npm ERR! There is likely additional logging output above.
vulnerable_node_1 |
vulnerable_node_1 | npm ERR! Please include the following file with any support request:
vulnerable_node_1 | npm ERR! /app/npm-debug.log

Not really sure where to go here. Any help is greatly appreciated! docker-compose is version 1.29.2

No data returned from the query.

I set up docker and ran docker-compose build && docker-compose up

After that I tried to log in, but the website returned No data returned from the query.

And the console gives this error:
vulnerable_node_1 | Error: Can't set headers after they are sent.
vulnerable_node_1 | at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:335:11)
vulnerable_node_1 | at ServerResponse.header (/app/node_modules/express/lib/response.js:718:10)
vulnerable_node_1 | at ServerResponse.send (/app/node_modules/express/lib/response.js:163:12)
vulnerable_node_1 | at done (/app/node_modules/express/lib/response.js:957:10)
vulnerable_node_1 | at /app/node_modules/ejs-locals/index.js:134:7
vulnerable_node_1 | at Object.exports.renderFile (/app/node_modules/ejs-locals/node_modules/ejs/lib/ejs.js:318:3)
vulnerable_node_1 | at View.module.exports [as engine] (/app/node_modules/ejs-locals/index.js:85:7)
vulnerable_node_1 | at View.render (/app/node_modules/express/lib/view.js:126:8)
vulnerable_node_1 | at tryRender (/app/node_modules/express/lib/application.js:639:10)
vulnerable_node_1 | at EventEmitter.render (/app/node_modules/express/lib/application.js:591:3)
vulnerable_node_1 | [2020-02-05 06:44:18.904] [ERROR] vnode - Tried to login attempt from user = admin

Please help with that.

Docker image doesn't build due to lax version fixing

The app doesn't build from the docker file.

vulnerable-node-vulnerable_node-1  | > [email protected] start /app
vulnerable-node-vulnerable_node-1  | > node ./bin/www
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT body-parser deprecated bodyParser: use individual json/urlencoded middlewares at app.js:38:9
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT body-parser deprecated undefined extended: provide extended option at node_modules/body-parser/index.js:105:29
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT express-session deprecated undefined resave option; provide resave option at app.js:43:9
vulnerable-node-vulnerable_node-1  | Sat, 21 Jan 2023 12:16:02 GMT express-session deprecated undefined saveUninitialized option; provide saveUninitialized option at app.js:43:9
vulnerable-node-vulnerable_node-1  | [2023-01-21 12:16:02.112] [INFO] vnode - Building database
vulnerable-node-vulnerable_node-1  | /app/node_modules/pg/lib/connection.js:426
vulnerable-node-vulnerable_node-1  |   throw new Error("Unknown authenticationOk message type" + util.inspect(msg));
vulnerable-node-vulnerable_node-1  |   ^
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | Error: Unknown authenticationOk message type{ name: 'authenticationOk', length: 23 }
vulnerable-node-vulnerable_node-1  |     at Connection.parseR (/app/node_modules/pg/lib/connection.js:426:9)
vulnerable-node-vulnerable_node-1  |     at Connection.parseMessage (/app/node_modules/pg/lib/connection.js:345:17)
vulnerable-node-vulnerable_node-1  |     at Socket.<anonymous> (/app/node_modules/pg/lib/connection.js:105:22)
vulnerable-node-vulnerable_node-1  |     at emitOne (events.js:77:13)
vulnerable-node-vulnerable_node-1  |     at Socket.emit (events.js:169:7)
vulnerable-node-vulnerable_node-1  |     at readableAddChunk (_stream_readable.js:146:16)
vulnerable-node-vulnerable_node-1  |     at Socket.Readable.push (_stream_readable.js:110:10)
vulnerable-node-vulnerable_node-1  |     at TCP.onread (net.js:523:20)
vulnerable-node-postgres_db-1      | 2023-01-21 12:16:02.145 UTC [117] LOG:  could not receive data from client: Connection reset by peer
vulnerable-node-postgres_db-1      | 2023-01-21 12:16:02.145 UTC [116] LOG:  could not receive data from client: Connection reset by peer
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | npm ERR! Linux 6.1.7-arch1-1
vulnerable-node-vulnerable_node-1  | npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "start"
vulnerable-node-vulnerable_node-1  | npm ERR! node v4.2.6
vulnerable-node-vulnerable_node-1  | npm ERR! npm  v3.5.2
vulnerable-node-vulnerable_node-1  | npm ERR! code ELIFECYCLE
vulnerable-node-vulnerable_node-1  | npm ERR! [email protected] start: `node ./bin/www`
vulnerable-node-vulnerable_node-1  | npm ERR! Exit status 1
vulnerable-node-vulnerable_node-1  | npm ERR!
vulnerable-node-vulnerable_node-1  | npm ERR! Failed at the [email protected] start script 'node ./bin/www'.
vulnerable-node-vulnerable_node-1  | npm ERR! Make sure you have the latest version of node.js and npm installed.
vulnerable-node-vulnerable_node-1  | npm ERR! If you do, this is most likely a problem with the vulnerable-node-source package,
vulnerable-node-vulnerable_node-1  | npm ERR! not with npm itself.
vulnerable-node-vulnerable_node-1  | npm ERR! Tell the author that this fails on your system:
vulnerable-node-vulnerable_node-1  | npm ERR!     node ./bin/www
vulnerable-node-vulnerable_node-1  | npm ERR! You can get information on how to open an issue for this project with:
vulnerable-node-vulnerable_node-1  | npm ERR!     npm bugs vulnerable-node-source
vulnerable-node-vulnerable_node-1  | npm ERR! Or if that isn't available, you can get their info via:
vulnerable-node-vulnerable_node-1  | npm ERR!     npm owner ls vulnerable-node-source
vulnerable-node-vulnerable_node-1  | npm ERR! There is likely additional logging output above.
vulnerable-node-vulnerable_node-1  |
vulnerable-node-vulnerable_node-1  | npm ERR! Please include the following file with any support request:
vulnerable-node-vulnerable_node-1  | npm ERR!     /app/npm-debug.log
vulnerable-node-vulnerable_node-1 exited with code 1

I guess it's because the Dockerfile doesn't fix any version, and the app is not compatible with the current nodejs / npm provided by the image.

#FROM library/node:6
FROM ubuntu:xenial

MAINTAINER "Daniel Garcia aka (cr0hn)" <[email protected]>

ENV STAGE "DOCKER"

RUN apt-get update && apt-get -y upgrade && \
    apt-get install -y nodejs npm netcat

# Fix node links
RUN ln -s /usr/bin/nodejs /usr/bin/node

# Build app folders
RUN mkdir /app
WORKDIR /app

# Install depends
COPY package.json /app/
RUN npm install

# Bundle code
COPY . /app

RUN chmod +x /app/start.sh

EXPOSE 3000

CMD [ "/app/start.sh" ]
#CMD [ "npm", "start" ]

Provide "Expected Issues" list so users can compare SAST products

In order to assess the maturity of a SAST product, it's important to know which issues are hidden in a benchmark such as this repo.
It would be great to provide the list of expected issues, including their location and the corresponding CWE identifier.
The goal for sure is not to hard-code the findings, but to save time and not re-invent the wheel for every SAST product.

Recently, I worked with the author of https://github.com/SasanLabs/VulnerableApp/ to provide such a list for his project. Here is the file: https://github.com/SasanLabs/VulnerableApp/blob/master/scanner/sast/expectedIssues.csv

It's as simple as a CSV file with the following information:

CWE | Vulnerability Type | File | Line | Number of Sources

If you are OK with the idea, I can contribute a first version and we iterate on it.
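To show how an "expected issues" file of the shape proposed in this issue is actually used to compare SAST products, here is an added example that is not part of the project or of the issue: it parses a CSV with the columns CWE, Vulnerability Type, File, Line and Number of Sources, matches a tool's findings against it, and reports true/false positives, misses, precision and recall. The CSV rows, the tool findings, the file paths and the line tolerance are all constructed for the example; the CSV is assumed to have no quoted commas.

```javascript
// Added example, not code from vulnerable-node or from the issue author.
// Constructed "expected issues" benchmark in the proposed column layout.
const EXPECTED_CSV = [
  'CWE,Vulnerability Type,File,Line,Number of Sources',
  'CWE-89,SQL Injection,routes/login.js,42,2',
  'CWE-79,Cross-Site Scripting,routes/search.js,17,1',
  'CWE-601,Open Redirect,routes/logout.js,9,1',
].join('\n');

// Constructed findings as a SAST tool might emit them (hypothetical paths).
// The third one is not in the benchmark and therefore counts as a false positive.
const TOOL_FINDINGS = [
  { cwe: 'CWE-89', file: 'routes/login.js', line: 43 },
  { cwe: 'CWE-79', file: 'routes/search.js', line: 17 },
  { cwe: 'CWE-22', file: 'routes/static.js', line: 5 },
];

// Parse the header-first CSV into objects keyed by the header names.
// Assumption: cells contain no commas, so a plain split is enough.
function parseExpectedIssues(csv) {
  const [header, ...rows] = csv.trim().split('\n');
  const keys = header.split(',').map((k) => k.trim());
  return rows.map((row) => {
    const cells = row.split(',').map((c) => c.trim());
    const issue = Object.fromEntries(keys.map((k, i) => [k, cells[i]]));
    issue.Line = Number(issue.Line);
    issue['Number of Sources'] = Number(issue['Number of Sources']);
    return issue;
  });
}

// A finding matches an expected issue when CWE and file agree and the reported
// line is within `tolerance` lines, since tools often point at the sink
// statement a line or two away from the benchmark's annotation.
function matches(expected, finding, tolerance) {
  return expected.CWE === finding.cwe &&
    expected.File === finding.file &&
    Math.abs(expected.Line - finding.line) <= tolerance;
}

// Score one tool report against the benchmark. Each finding may satisfy at
// most one expected issue, so duplicates do not inflate the true positives.
function scoreReport(csv, findings, tolerance = 2) {
  const expected = parseExpectedIssues(csv);
  const used = new Set();
  const missed = [];
  let truePositives = 0;
  for (const exp of expected) {
    const idx = findings.findIndex((f, i) => !used.has(i) && matches(exp, f, tolerance));
    if (idx === -1) {
      missed.push(exp);
      continue;
    }
    used.add(idx);
    truePositives += 1;
  }
  const falsePositives = findings.length - used.size;
  const falseNegatives = missed.length;
  return {
    truePositives,
    falsePositives,
    falseNegatives,
    precision: truePositives / ((truePositives + falsePositives) || 1),
    recall: truePositives / ((truePositives + falseNegatives) || 1),
    missed,
  };
}

const REPORT = scoreReport(EXPECTED_CSV, TOOL_FINDINGS);
console.log(`TP=${REPORT.truePositives} FP=${REPORT.falsePositives} FN=${REPORT.falseNegatives}`);
console.log(`precision=${REPORT.precision.toFixed(2)} recall=${REPORT.recall.toFixed(2)}`);
console.log('missed:', REPORT.missed.map((m) => `${m.CWE} ${m.File}:${m.Line}`));
```

The line tolerance is the one knob worth agreeing on between the benchmark and the tools under comparison: with it set to 0 the injection finding at line 43 no longer counts against the expected line 42, which is why the CSV's Line column should record the sink the benchmark considers canonical.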
