Vulnerability Analysis

VulnNodeApp – Exploring Web Vulnerabilities With A Node.js Educational Tool

A vulnerable application made using node.js, express server and ejs template engine. This application is meant for educational purposes only.

Setup

Clone This Repository

git clone https://github.com/4auvar/VulnNodeApp.git

Application Setup:

  • Install the latest node.js version with npm.
  • Open terminal/command prompt and navigate to the location of downloaded/cloned repository.
  • Run command: npm install

DB Setup

  • Install and configure latest mysql version and start the mysql service/deamon
  • Login with root user in mysql and run below sql script:
CREATE USER 'vulnnodeapp'@'localhost' IDENTIFIED BY 'password';
create database vuln_node_app_db;
GRANT ALL PRIVILEGES ON vuln_node_app_db.* TO 'vulnnodeapp'@'localhost';
USE vuln_node_app_db;
create table users (id int AUTO_INCREMENT PRIMARY KEY, fullname varchar(255), username varchar(255),password varchar(255), email varchar(255), phone varchar(255), profilepic varchar(255));
insert into users(fullname,username,password,email,phone) values("test1","test1","test1","test1@test.com","976543210");
insert into users(fullname,username,password,email,phone) values("test2","test2","test2","test2@test.com","9887987541");
insert into users(fullname,username,password,email,phone) values("test3","test3","test3","test3@test.com","9876987611");
insert into users(fullname,username,password,email,phone) values("test4","test4","test4","test4@test.com","9123459876");
insert into users(fullname,username,password,email,phone) values("test5","test5","test5","test5@test.com","7893451230");

Set Basic Environment Variable

  • User needs to set the below environment variable.
    • DATABASE_HOST (E.g: localhost, 127.0.0.1, etc…)
    • DATABASE_NAME (E.g: vuln_node_app_db or DB name you change in above DB script)
    • DATABASE_USER (E.g: vulnnodeapp or user name you change in above DB script)
    • DATABASE_PASS (E.g: password or password you change in above DB script)

Start The Server

  • Open the command prompt/terminal and navigate to the location of your repository
  • Run command: npm start
  • Access the application

Vulnerability Covered

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference (IDOR)
  • Command Injection
  • Arbitrary File Retrieval
  • Regular Expression Injection
  • External XML Entity Injection (XXE)
  • Node js Deserialization
  • Security Misconfiguration
  • Insecure Session Management
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

57 minutes ago

Install Xrdp on Ubuntu 18.04: Remote Desktop Setup Guide

Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…

1 hour ago

Add and Delete Users on Ubuntu 18.04: A Practical Guide

Managing user accounts is one of the most basic system administration tasks on any Linux…

1 hour ago

Install Wine on Ubuntu 18.04: Run Windows Apps on Linux

Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…

2 hours ago

Install KVM on Ubuntu 18.04: Setup, Network, and Create VMs

KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…

2 hours ago

Upgrade to Ubuntu 20.04 LTS: Prepare, Update, and Confirm

Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…

1 day ago