owasp / nodegoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Home Page: https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project

License: Apache License 2.0

JavaScript 39.45% HTML 60.28% Dockerfile 0.25% Procfile 0.02%
nodejs owasp-top-ten javascript docker heroku vulnerabilities nodegoat owasp-zap


nodegoat's Issues

NPM Shrinkwrap?

Hey,

Have you thought about just using npm shrinkwrap instead of committing all modules to version control?

List the todos publicly to finish them quickly

We should have OWASP/NodeGoat on Todofy. I tried it on my fork and there are like 8 todos in the master branch, while around 154 todos in the secure_express branch & 148 todos in the ckarande-master branch.

Here's the link: https://todofy.org/r/mebjas/NodeGoat
This will give clear visibility on what all needs to be finished, and the platform has various features to assist the process.

p.s: Todofy is an automated issue tracker!

userId variable isn't set when viewing the memos page

As Kim reported in #83 (comment), the allocations page doesn't load because the template layout expects a userId variable to be set when rendering the view, so it can create the link to /allocations/<userId>.

This fixes it and refactors the memos controller accordingly.

Callback object undefined

Hi folks,
I've been trying to run your project to learn, but can't get it going properly.
The first thing I tried to do, which was to go through the sign-up process to add a user into the db, broke the whole thing. Perhaps I misunderstood, and that page is just there for show? Should I start trying to hack it as one of the pre-loaded users?

Anyway, on filling out the fields in "enter sign up information" and clicking Submit, an error is thrown:

/Users/.../NodeGoat/node_modules/mongodb/lib/mongodb/connection/base.js:242
    throw message;
          ^
TypeError: Cannot read property 'seq' of null
    at /Users/.../NodeGoat/app/data/user-dao.js:105:32
    at findAndModify (/Users/.../NodeGoat/node_modules/mongodb/lib/mongodb/collection/core.js:703:14)

Opening it up in node-inspector, it seems the findAndModify that contains line 105 is called with name="", so it doesn't find anything and upsert isn't set. So then callback(object.seq) breaks, because there's no object.

That's as much as I could find. It does seem to work OK so far if I sign in as a pre-loaded user.
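The failure described in this issue is a null result from findAndModify() being dereferenced. Below is an added example, not NodeGoat's own user-dao.js, of a counter helper that creates the counter on first use and still checks the result; the hypothetical getNextSequence(), getNextSequenceUnsafe() and the in-memory FakeCountersCollection are assumptions made so the example runs offline.

```javascript
// Added example, not NodeGoat's user-dao.js. The crash in this issue comes
// from findAndModify() returning null when no counter document matches and
// upsert is not set; the callback then dereferences object.seq. The
// hypothetical getNextSequence() below creates the counter on first use and
// still checks the result, so a bad name yields an error, not a TypeError.

// Minimal in-memory stand-in for a MongoDB "counters" collection, written
// only so this example runs offline. Its findAndModify mimics the legacy
// driver call shape used in the issue: (query, sort, update, options, callback)
// with callback(err, doc).
class FakeCountersCollection {
  constructor(docs) {
    this.docs = docs;
  }

  findAndModify(query, sort, update, options, callback) {
    let doc = this.docs.find(function (d) { return d._id === query._id; });
    if (!doc) {
      if (!options || !options.upsert) {
        return callback(null, null); // no match, no upsert: nothing to return
      }
      doc = { _id: query._id, seq: 0 };
      this.docs.push(doc);
    }
    doc.seq += update.$inc.seq;
    callback(null, doc);
  }
}

// The shape of the original bug: no upsert, no null check. Calling this with
// an unknown or empty name throws "Cannot read property 'seq' of null".
function getNextSequenceUnsafe(counters, name, callback) {
  counters.findAndModify({ _id: name }, [], { $inc: { seq: 1 } }, {},
    function (err, object) {
      callback(object.seq);
    });
}

// Hardened version: validates the name, upserts the counter, and turns a
// null result into an error delivered through the callback.
function getNextSequence(counters, name, callback) {
  if (typeof name !== 'string' || name.length === 0) {
    return callback(new Error('counter name must be a non-empty string'));
  }
  counters.findAndModify(
    { _id: name }, [], { $inc: { seq: 1 } }, { new: true, upsert: true },
    function (err, doc) {
      if (err) { return callback(err); }
      if (!doc) { return callback(new Error('counter ' + name + ' not found')); }
      callback(null, doc.seq);
    });
}

// Constructed starting state: one existing counter at seq 3.
function makeCounters() {
  return new FakeCountersCollection([{ _id: 'userId', seq: 3 }]);
}

getNextSequence(makeCounters(), 'userId', function (err, seq) {
  console.log('next userId:', seq); // 4
});
```

The empty-name guard is what the issue's debugging points at: the sign-up path reached findAndModify with name="", so no document matched and, without upsert, the driver handed back null.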

Example / Implementation for noSQL Injection

What do we think about providing an actual example for the classic noSQL injection with MongoDB, as is demonstrated and documented in the tutorial?

Screenshot from A1 - Injection tutorial: [image]

So while the tutorials show this example, the NodeGoat app actually implements the user login differently with:

usersCol.findOne({
    userName: userName
}, validateUserDoc);

Do we possibly want to change the login to use the classic style as is documented or maybe provide another login screen just for the sake of demo'ing the example?
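Whichever login style the project settles on, the lookup above is only as safe as the type of userName that reaches it. The following is an added example, not NodeGoat's code: a hypothetical buildLoginQuery()/validateLoginBody() pair that refuses to build a MongoDB filter from anything but a plain string, with constructed sample bodies.

```javascript
// Added example, not NodeGoat's own code. NodeGoat's login looks the user up
// with usersCol.findOne({ userName: userName }, validateUserDoc). When the
// request body is parsed as JSON (or as extended form encoding), userName may
// arrive as an object instead of a string, and MongoDB treats object-valued
// fields in a filter as query operators rather than as a literal value.
// The hypothetical helpers below make the login route refuse anything that
// is not a plain string before a filter is built.

function isPlainString(value) {
  return typeof value === 'string';
}

// Builds the filter that would be passed to findOne(). Throws on any value
// that is not a string, so a client-controlled object never reaches the driver.
function buildLoginQuery(userName) {
  if (!isPlainString(userName)) {
    throw new TypeError('userName must be a string');
  }
  if (userName.length === 0 || userName.length > 64) {
    throw new RangeError('userName length out of range');
  }
  return { userName: userName };
}

// Validates a parsed request body the way an Express login handler would,
// returning a result object so the route can answer 400 instead of crashing.
function validateLoginBody(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, error: 'request body must be an object' };
  }
  try {
    const query = buildLoginQuery(body.userName);
    if (!isPlainString(body.password)) {
      return { ok: false, error: 'password must be a string' };
    }
    return { ok: true, query: query };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample bodies: a normal form login, and a JSON body whose
// userName is an object rather than a string.
const sampleFormBody = { userName: 'alice', password: 'constructed-password' };
const sampleObjectBody = { userName: { nested: 'object' }, password: 'x' };

console.log(validateLoginBody(sampleFormBody));   // ok: true, query built
console.log(validateLoginBody(sampleObjectBody)); // ok: false, rejected
```

The check belongs in the route, before the DAO is called, so the data layer only ever sees string-valued filters; middleware that strips `$`-prefixed keys from request bodies (express-mongo-sanitize does this) is a common complement, but enforcing the expected type is the simpler and more complete control for a login form.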

Integrate and test ZAP API

Integrate and test ZAP API for all 3 deployment mechanisms.

Based on discussion with @binarymist, ZAP API can live in a docker image. Wavsep and ZAP API can stay on one machine on AWS, each in their own docker containers. So it seems possible to integrate ZAP APIs with all three deployment scenarios of NodeGoat (local, heroku, and docker image). This issue is added to test and verify it.

Setup Issues

Following directions on the README.md...

node -v
v0.10.38
npm -v
2.9.0

From within NodeGoat dir I receive errors:

npm install

[email protected] install
NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/kerberos
(node-gyp rebuild 2> builderror.log) || (exit 0)

make: Entering directory `NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/kerberos/build'
  CXX(target) Release/obj.target/kerberos/lib/kerberos.o
make: Leaving directory `NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/kerberos/build'
npm WARN installMany nopt was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany npmlog was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany request was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany semver was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany tar was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany tar-pack was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany mkdirp was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany rc was bundled with [email protected], but bundled package wasn't found in unpacked tree
npm WARN installMany rimraf was bundled with [email protected], but bundled package wasn't found in unpacked tree

[email protected] install NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext
(node-pre-gyp install --fallback-to-build) || (node-gyp rebuild 2> builderror.log) || (exit 0)

make: Entering directory `NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build'
  CXX(target) Release/obj.target/bson/ext/bson.o
make: g++: Command not found
make: *** [Release/obj.target/bson/ext/bson.o] Error 127
make: Leaving directory `NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build'
gyp ERR! build error
gyp ERR! stack Error: make failed with exit code: 2
gyp ERR! stack at ChildProcess.onExit (/usr/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:269:23)
gyp ERR! stack at ChildProcess.emit (events.js:98:17)
gyp ERR! stack at Process.ChildProcess._handle.onexit (child_process.js:820:12)
gyp ERR! System Linux 3.13.0-24-generic
gyp ERR! command "/usr/bin/nodejs" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "build" "--fallback-to-build" "--module=NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build/Release/bson.node" "--module_name=bson" "--module_path=NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build/Release"
gyp ERR! cwd NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext
gyp ERR! node -v v0.10.38
gyp ERR! node-gyp -v v1.0.3
gyp ERR! not ok
node-pre-gyp ERR! build error
node-pre-gyp ERR! stack Error: Failed to execute '/usr/bin/nodejs /usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js build --fallback-to-build --module=NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build/Release/bson.node --module_name=bson --module_path=NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build/Release' (1)
node-pre-gyp ERR! stack at ChildProcess. (NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/node_modules/node-pre-gyp/lib/util/compile.js:83:29)
node-pre-gyp ERR! stack at ChildProcess.emit (events.js:98:17)
node-pre-gyp ERR! stack at maybeClose (child_process.js:766:16)
node-pre-gyp ERR! stack at Process.ChildProcess._handle.onexit (child_process.js:833:5)
node-pre-gyp ERR! System Linux 3.13.0-24-generic
node-pre-gyp ERR! command "node" "NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/node_modules/.bin/node-pre-gyp" "install" "--fallback-to-build"
node-pre-gyp ERR! cwd NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext
node-pre-gyp ERR! node -v v0.10.38
node-pre-gyp ERR! node-pre-gyp -v v0.6.4
node-pre-gyp ERR! not ok
Failed to execute '/usr/bin/nodejs /usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js build --fallback-to-build --module=NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build/Release/bson.node --module_name=bson --module_path=Source/NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build/Release' (1)
make: Entering directory `NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build'
  CXX(target) Release/obj.target/bson/ext/bson.o
make: Leaving directory `NodeGoat/node_modules/mongodb/node_modules/mongodb-core/node_modules/bson/node_modules/bson-ext/build'
[email protected] node_modules/dont-sniff-mimetype

Then with:
grunt db-reset:development:

Running "db-reset:development" (db-reset) task

db-reset:
Error: Command failed: js-bson: Failed to load c++ bson extension, using pure JS version
js-bson: Failed to load c++ bson extension, using pure JS version
js-bson: Failed to load c++ bson extension, using pure JS version
js-bson: Failed to load c++ bson extension, using pure JS version

NodeGoat/node_modules/mongodb/lib/server.js:228
process.nextTick(function() { throw err; })
^
TypeError: Cannot call method 'dropCollection' of null
at NodeGoat/artifacts/db-reset.js:68:8
at NodeGoat/node_modules/mongodb/lib/mongo_client.js:236:20
at NodeGoat/node_modules/mongodb/lib/db.js:203:14
at null. (NodeGoat/node_modules/mongodb/lib/server.js:226:9)
at g (events.js:180:16)
at emit (events.js:98:17)
at null. (NodeGoat/node_modules/mongodb/node_modules/mongodb-core/lib/topologies/server.js:255:68)
at g (events.js:180:16)
at emit (events.js:98:17)
at null. (NodeGoat/node_modules/mongodb/node_modules/mongodb-core/lib/connection/pool.js:77:12)
js-bson: Failed to load c++ bson extension, using pure JS version
js-bson: Failed to load c++ bson extension, using pure JS version
js-bson: Failed to load c++ bson extension, using pure JS version
js-bson: Failed to load c++ bson extension, using pure JS version

NodeGoat/node_modules/mongodb/lib/server.js:228
process.nextTick(function() { throw err; })
^
TypeError: Cannot call method 'dropCollection' of null
at NodeGoat/artifacts/db-reset.js:68:8
at NodeGoat/node_modules/mongodb/lib/mongo_client.js:236:20
at NodeGoat/node_modules/mongodb/lib/db.js:203:14
at null. (NodeGoat/node_modules/mongodb/lib/server.js:226:9)
at g (events.js:180:16)
at emit (events.js:98:17)
at null. (NodeGoat/node_modules/mongodb/node_modules/mongodb-core/lib/topologies/server.js:255:68)
at g (events.js:180:16)
at emit (events.js:98:17)
at null. (NodeGoat/node_modules/mongodb/node_modules/mongodb-core/lib/connection/pool.js:77:12)

Done, without errors.

npm start

[email protected] start NodeGoat
node server.js

{ [Error: Cannot find module '../build/Release/bson'] code: 'MODULE_NOT_FOUND' }
js-bson: Failed to load c++ bson extension, using pure JS version
{ [Error: Cannot find module '../build/Release/bson'] code: 'MODULE_NOT_FOUND' }
js-bson: Failed to load c++ bson extension, using pure JS version
{ [Error: Cannot find module '../build/Release/bson'] code: 'MODULE_NOT_FOUND' }
js-bson: Failed to load c++ bson extension, using pure JS version
{ [Error: Cannot find module '../build/Release/bson'] code: 'MODULE_NOT_FOUND' }
js-bson: Failed to load c++ bson extension, using pure JS version
Error: DB: connect
{ [MongoError: connect ECONNREFUSED] name: 'MongoError', message: 'connect ECONNREFUSED' }

npm ERR! Linux 3.13.0-24-generic
npm ERR! argv "node" "/usr/bin/npm" "start"
npm ERR! node v0.10.38
npm ERR! npm v2.9.0
npm ERR! code ELIFECYCLE
npm ERR! [email protected] start: node server.js
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script 'node server.js'.
npm ERR! This is most likely a problem with the owasp-nodejs-goat package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node server.js
npm ERR! You can get their info via:
npm ERR! npm owner ls owasp-nodejs-goat
npm ERR! There is likely additional logging output above.

npm ERR! Please include the following file with any support request:
npm ERR! NodeGoat/npm-debug.log

There is no npm-debug.log

Any ideas?
I'm running a demo of this the day after tomorrow and will be in-flight tomorrow.
Thanks.

Issues while installing from Dockerfile

Step 2 : RUN node artifacts/db-reset.js
---> Running in cf4359418eff
ERROR: connect
{"name":"MongoError","message":"connect ECONNREFUSED"}
Connected to the database: mongodb://localhost:27017/nodegoat
/usr/src/app/node_modules/mongodb/lib/server.js:231
process.nextTick(function() { throw err; })
^
TypeError: Cannot read property 'dropCollection' of null
at /usr/src/app/artifacts/db-reset.js:66:7
at /usr/src/app/node_modules/mongodb/lib/mongo_client.js:238:20
at /usr/src/app/node_modules/mongodb/lib/db.js:242:14
at null. (/usr/src/app/node_modules/mongodb/lib/server.js:229:9)
at g (events.js:199:16)
at emit (events.js:110:17)
at null. (/usr/src/app/node_modules/mongodb/node_modules/mongodb-core/lib/topologies/server.js:218:12)
at g (events.js:199:16)
at emit (events.js:110:17)
at null. (/usr/src/app/node_modules/mongodb/node_modules/mongodb-core/lib/connection/pool.js:125:12)
The command '/bin/sh -c node artifacts/db-reset.js' returned a non-zero code: 1

Server never starts

Hello,

I have followed the setup guide and I cannot get the server to start. The console output is below

sbehrens@lgml-sbehrens ~/tutorials/NodeGoat$ grunt run                                                                                                             master ‹system›
Running "jsbeautifier:files" (jsbeautifier) task
Beautified 39 files, changed 0 files...OK

Running "jshint:all" (jshint) task
>> 32 files lint free.

Running "concurrent:tasks" (concurrent) task
Running "nodemon:dev" (nodemon) task
Running "watch" task
Waiting...

Mongod is running, the database is created, and the environment file was also updated. Any ideas on what may be going on?

Support for Rethinkdb

I think if we give the user a choice of selecting the database, that would be a far higher implementation of nodegoat, as we get JSON data if we opt for RethinkDB, over MongoDB (BSON). Bulk insertions are an advantage, but would simplified querying be a better option? What is your opinion?

Get the db-reset working with Docker

Following discussions from #70, it seems that the db-reset process needs some update to work well (and elegantly) with all the installation options.

What do you think about:

  • using seeds?
  • using a database.json containing an initial version of the database?

NodeGoat docker-compose build fails

Hi

I get this error message when I follow the instructions of OPTION 3 - Run NodeGoat on Docker:

$ sudo docker-compose build
...
npm info linkStuff [email protected]
npm info install [email protected]
npm info postinstall [email protected]
npm info prepublish [email protected]
npm ERR! Linux 4.4.0-31-generic
npm ERR! argv "/usr/local/bin/node" "/usr/local/bin/npm" "install"
npm ERR! node v4.4.7
npm ERR! npm v2.15.8
npm ERR! code EPEERINVALID

npm ERR! peerinvalid The package [email protected] does not satisfy its siblings' peerDependencies requirements!

I realise it's a problem with Docker/npm/Grunt and not NodeGoat itself, but the effect is that I can't use the NodeGoat docker image, so if there were some known tips and tricks, perhaps you can include them in the instructions.

Thanks

Tutorial application dashboard

Visualization/charts for each vulnerability based on OWASP rating (2004, 2007, 2010, 2013), exploitability, severity, impact level, etc.

Bootstrap tour setup

Create infrastructure files to build an in-app guided tour showing users where vulnerabilities exist.

Few missing steps in the manual install

Install grunt with:
npm install -g grunt
Install required packages on Ubuntu with:
apt-get install nodejs npm mongodb
Fix Ubuntu's node name change
sudo ln -s /usr/bin/nodejs /usr/bin/node

Project setup

Identify templating engine, database, and npm modules to use, and establish initial project directory structure

How to use this ?

"an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them"

Sorry, but after reading the README, all I have achieved is some retire... app.

How shall I use NodeGoat to "learn how to effectively address OWASP TOP 10 in node.js"?

I have not found info on the OWASP page, nor in this readme.

HELP! What can I learn from cloning this repo, setting up mongo and other useless work I have done so far?
