VulnNodeApp – A Vulnerable Node.Js Application

VulnNodeApp – A Vulnerable Node.Js Application



A vulnerable application made using node.js, express server and ejs template engine. This application is meant for educational purposes only.

Clone this repository

git clone https://github.com/4auvar/VulnNodeApp.git

Application setup:

  • Install the latest node.js version with npm.
  • Open terminal/command prompt and navigate to the location of downloaded/cloned repository.
  • Run command: npm install

DB setup

  • Install and configure latest mysql version and start the mysql service/deamon
  • Login with root user in mysql and run below sql script:
CREATE USER 'vulnnodeapp'@'localhost' IDENTIFIED BY 'password';
create database vuln_node_app_db;
GRANT ALL PRIVILEGES ON vuln_node_app_db.* TO 'vulnnodeapp'@'localhost';
USE vuln_node_app_db;
create table users (id int AUTO_INCREMENT PRIMARY KEY, fullname varchar(255), username varchar(255),password varchar(255), email varchar(255), phone varchar(255), profilepic varchar(255));
insert into users(fullname,username,password,email,phone) values("test1","test1","test1","[email protected]","976543210");
insert into users(fullname,username,password,email,phone) values("test2","test2","test2","[email protected]","9887987541");
insert into users(fullname,username,password,email,phone) values("test3","test3","test3","[email protected]","9876987611");
insert into users(fullname,username,password,email,phone) values("test4","test4","test4","[email protected]","9123459876");
insert into users(fullname,username,password,email,phone) values("test5","test5","test 5","[email protected]","7893451230");

Set basic environment variable

  • User needs to set the below environment variable.
    • DATABASE_HOST (E.g: localhost, 127.0.0.1, etc…)
    • DATABASE_NAME (E.g: vuln_node_app_db or DB name you change in above DB script)
    • DATABASE_USER (E.g: vulnnodeapp or user name you change in above DB script)
    • DATABASE_PASS (E.g: password or password you change in above DB script)
  • Open the command prompt/terminal and navigate to the location of your repository
  • Run command: npm start
  • Access the application at http://localhost:3000
  • SQL Injection
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference (IDOR)
  • Command Injection
  • Arbitrary File Retrieval
  • Regular Expression Injection
  • External XML Entity Injection (XXE)
  • Node js Deserialization
  • Security Misconfiguration
  • Insecure Session Management
  • Will add new vulnerabilities such as CORS, Template Injection, etc…
  • Improve application documentation
  • In case of bugs in the application, feel free to create an issues on github.
  • Feel free to create a pull request for any contribution.

You can reach me out at @4auvar

(more…)

Vulnerable-Drone – An Intentionally Vulnerable Drone Hacking Simulator Based On The Popular ArduPilot/MAVLink Architecture, Providing A Realistic Environment For Hands-On Drone Hacking

Vulnerable-Drone – An Intentionally Vulnerable Drone Hacking Simulator Based On The Popular ArduPilot/MAVLink Architecture, Providing A Realistic Environment For Hands-On Drone Hacking The Damn Vulnerable Drone is an intentionally vulnerable drone hacking simulator based on the popular ArduPilot/MAVLink architecture, providing a realistic environment for hands-on drone hacking. What is the Read more…

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack. Elastic Security Labs is tracking the campaign under the name Read more…

Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app’s home directory. “The implications of this vulnerability pattern include arbitrary Read more…