Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities.
The application is powered by commonly used libraries such as express, passport, sequelize, etc.
The application comes with a developer friendly comprehensive guide which can be used to learn, avoid and fix the vulnerabilities. The guide will be available at https://appsecco.github.io/dvna and will contain the following
- Instructions for setting up DVNA
- Instructions on exploiting the vulnerabilities
- Vulnerable code snippets and instructions on fixing vulnerabilities
- Recommendations for avoid such vulnerabilities
- References for learning more
Setting up the application using docker is the recommended procedure. For detailed instructions and manual setup and please refer to the guide.
Clone this repository
git clone https://github.com/appsecco/dvna; cd dvnaCreate a vars.env with the desired database configuration
MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes
Start the application and database using docker-compose
docker-compose upAccess the application at http://127.0.0.1:9090/
The application will automatically reload on code changes, so feel free to patch and play around with the application.
- Add CONTRIBUTING.md
- Link commits to fixes in documentation
- Add new vulnerabilities from OWASP Top 10 2017
- Improve application features, documentation
Abhisek Datta - abhisek for application architecture and front-end code
MIT