
Comments (9)

jesusprubio commented on August 15, 2024

Hi, update your Node version to v0.12.x and it should work. I'm using v0.12.2.

from nodegoat.

ckarande commented on August 15, 2024

@binarymist The errors on npm install appear to be just warnings.

When you ran grunt db-reset:development, did you have a local DB mongod running or have a remote DB path set in config/env/development.js? It is required for db-reset to run properly.
I have updated README.md with "Create and populate Mongo DB" section to make it more clear.

I don't think your node and npm need to be upgraded, but let us know how it goes.


jesusprubio commented on August 15, 2024

ping @binarymist? :)


binarymist commented on August 15, 2024

There was a lot of setup work for this to work. I may come back to this, but it's a shame it doesn't work out of the box.

Cheers.


ckarande commented on August 15, 2024

@binarymist We can possibly create a VM that comes with everything packaged together. Besides that, based on your experience with other OWASP or external projects of a similar kind, can you share ideas on how we could minimize the setup part?

With respect to nodegoat, I am sure users would already have or won't mind installing node and the required npm packages. Unfortunately, these types of apps need some backend database to demonstrate injection attacks, and I see installing mongo db could be a pain point. To make it easier, the project supports using a remote db, just by adding its url in the config file. One can create a remote mongo db in a few minutes on a service such as mongolab to eliminate local installation.

I am sure there is always room for improvement, and any suggestions or PRs are welcome.

Cheers.


binarymist commented on August 15, 2024

Yeah, I think the uptake may be slow without a turn-key solution (bit like owaspbwa). Most people just can't be bothered. I've spent the last couple of weeks in security research and using a bunch of pen test tools. Many of which require some setup and many of which don't even work. This is really frustrating, but sadly quite common. From experience Node projects seem to be even worse.

In saying that, we really do need a Node vulnerable web app and it'd be something I'd really like to help with code wise, as I'm fairly intimate with JavaScript and NodeJS. I was hoping to take this to the workshop I just ran at CampJS in Melbourne, but couldn't afford spending the time on this with an unknown outcome. Instead I created the Holistic InfoSec for Web Developers workshop. Time is a problem for me currently though as I'm currently working on my text talk and demo at WDCNZ along with a ton of other stuff. I'll see how much time I get after WDCNZ. I'm thinking of submitting a few more talks this year, but if you think you could use a hand with this, maybe I could help out instead. Thoughts?


cktricky commented on August 15, 2024

We use Docker and provide Vagrant (if that's your preferred method of managing docker instances) over at the Railsgoat project. Seems to work well and address the providing a VM issue.


ckarande commented on August 15, 2024

@binarymist Yes, I agree that painful setup can be a major barrier for project uptake. Based on your feedback, I have added a One-Click heroku deploy option, which requires zero setup. Please go over the updated README and let me know your thoughts.

The workshops you are doing are impressive, and valuable as targeted mainly for developers. Keep it up. Along the way if you feel NodeGoat could be leveraged (with any further improvements), feel free to let us know, or contribute if time permits.

@cktricky, thanks for sharing info on usage of Docker for RailsGoat. I will check that out. We already have an issue #53 added by @DinisCruz, proposing implementation on similar lines. A discussion is also ongoing on the project slack channel. The RailsGoat implementation is useful for reference in this regard, and I will get in touch with you if any more details are needed. Thanks!


ckarande commented on August 15, 2024

Closing the issue now. Please use slack or gitter chat if you have any comments / feedback.
