Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities. Fixes for vunerabilities OWASP Top 10 2017 vulnerabilities at fixes-2017 branch.
The application is powered by commonly used libraries such as express, passport, sequelize, etc.
The application comes with a developer friendly comprehensive guidebook which can be used to learn, avoid and fix the vulnerabilities. The guide available at https://appsecco.com/books/dvna-developers-security-guide/ covers the following
- Instructions for setting up DVNA
- Instructions on exploiting the vulnerabilities
- Vulnerable code snippets and instructions on fixing vulnerabilities
- Recommendations for avoid such vulnerabilities
- References for learning more
The blog post for this release is at https://blog.appsecco.com/damn-vulnerable-nodejs-application-dvna-by-appsecco-7d782d36dc1e
- Start the application using below docker command
docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite- Access the application at http://127.0.0.1:9090
- Link commits to fixes in documentation
- Add new vulnerabilities from OWASP Top 10 2017
- Improve application features, documentation
In case of bugs in the application, please create an issue on github. Pull requests are highly welcome!
Abhisek Datta - abhisek for application architecture and front-end code
MIT