Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
kitploitKitPloitKITPLOIT:5569542097963789252
HistoryJun 23, 2024 - 12:30 p.m.

VulnNodeApp - A Vulnerable Node.Js Application

2024-06-2312:30:00
www.kitploit.com
11
node.js
express server
ejs template
mysql
sql injection
cross site scripting
insecure direct object reference
command injection
arbitrary file retrieval
regular expression injection
external xml entity injection
deserialization
security misconfiguration
insecure session management
documentation
bugs
pull request.

8.4 High

AI Score

Confidence

High

JSON

A vulnerable application made using node.js, express server and ejs template engine. This application is meant for educational purposes only.

Setup

Clone this repository

git clone https://github.com/4auvar/VulnNodeApp.git

Application setup:

  • Install the latest node.js version with npm.
  • Open terminal/command prompt and navigate to the location of downloaded/cloned repository.
  • Run command: npm install

DB setup

  • Install and configure latest mysql version and start the mysql service/deamon

  • Login with root user in mysql and run below sql script:

    CREATE USER ‘vulnnodeapp’@‘localhost’ IDENTIFIED BY ‘password’;
    create database vuln_node_app_db;
    GRANT ALL PRIVILEGES ON vuln_node_app_db.* TO ‘vulnnodeapp’@‘localhost’;
    USE vuln_node_app_db;
    create table users (id int AUTO_INCREMENT PRIMARY KEY, fullname varchar(255), username varchar(255),password varchar(255), email varchar(255), phone varchar(255), profilepic varchar(255));
    insert into users(fullname,username,password,email,phone) values(“test1",“test1”,“test1”,"[email protected]”,“976543210”);
    insert into users(fullname,username,password,email,phone) values(“test2",“test2”,“test2”,"[email protected]”,“9887987541”);
    insert into users(fullname,username,password,email,phone) values(“test3",“test3”,“test3”,"[email protected]”,“9876987611”);
    insert into users(fullname,username,password,email,phone) values(“test4",“test4”,“test4”,"[email protected]”,“9123459876”);
    insert into users(fullname,username,password,email,phone) values(“test5”,“test5”,“test 5","[email protected]”,“7893451230”);

Set basic environment variable

  • User needs to set the below environment variable.
    • DATABASE_HOST (E.g: localhost, 127.0.0.1, etc…)
    • DATABASE_NAME (E.g: vuln_node_app_db or DB name you change in above DB script)
    • DATABASE_USER (E.g: vulnnodeapp or user name you change in above DB script)
    • DATABASE_PASS (E.g: password or password you change in above DB script)

Start the server

  • Open the command prompt/terminal and navigate to the location of your repository
  • Run command: npm start
  • Access the application at http://localhost:3000

Vulnerability covered

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference (IDOR)
  • Command Injection
  • Arbitrary File Retrieval
  • Regular Expression Injection
  • External XML Entity Injection (XXE)
  • Node js Deserialization
  • Security Misconfiguration
  • Insecure Session Management

TODO

  • Will add new vulnerabilities such as CORS, Template Injection, etc…
  • Improve application documentation

Issues

  • In case of bugs in the application, feel free to create an issues on github.

Contribution

  • Feel free to create a pull request for any contribution.

You can reach me out at @4auvar

Download VulnNodeApp

8.4 High

AI Score

Confidence

High

JSON