Initial Commit

axelspringer · Nov 14, 2017 · d59ad99 · d59ad99
commit d59ad99
Show file tree

Hide file tree

Showing 128 changed files with 11,126 additions and 0 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+node_modules
+npm-debug.log
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+node_modules/
+npm-debug.log
+.env
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,10 @@
+FROM node:carbon
+LABEL MAINTAINER "Subash SN"
+
+WORKDIR /app
+
+COPY . .
+
+RUN npm install
+
+CMD ["npm", "start"]
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2017 Appsecco Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/README.md b/README.md
@@ -0,0 +1,56 @@
+# Damn Vulnerable NodeJS Application (DVNA) 
+
+Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate [**OWASP Top 10 Vulnerabilities**](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#OWASP_Top_10_for_2013) and guide on fixing and avoiding these vulnerabilities.
+
+The application is powered by commonly used libraries such as [express](https://www.npmjs.com/package/express), [passport](https://www.npmjs.com/package/passport), [sequelize](https://www.npmjs.com/package/sequelize), etc.
+
+A detailed guide on exploiting, fixing and avoiding OWASP Top 10 Vulnerabilities can be found at https://appsecco.github.io/dvna which will contain
+
+1. How to exploit the vulnerability
+2. Vulnerable code snippets and fixes
+3. Recommendations on how to avoid such bugs
+4. References for learning more
+
+## Dockerized Setup
+
+Clone this repository
+```
+git clone https://github.com/appsecco/dvna; cd dvna
+```
+
+Create a `.env` file like the with desired database configuration
+```
+MYSQL_USER=dvna
+MYSQL_DATABASE=dvna
+MYSQL_PASSWORD=passw0rd
+MYSQL_RANDOM_ROOT_PASSWORD=yes
+```
+
+And run `docker-compose up` to start the application and database using docker.
+
+## Manual Setup
+
+For this, you will need to create a new database on a MySQL Server and a user with write access on it
+
+Clone this repository
+```
+git clone https://github.com/appsecco/dvna; cd dvna
+```
+
+Set the environment variables with your database information 
+```bash
+export MYSQL_USER=dvna
+export MYSQL_DATABASE=dvna
+export MYSQL_PASSWORD=passw0rd
+export MYSQL_HOST=127.0.0.1
+export MYSQL_PORT=3306
+```
+
+Then run `npm install` to install the dependencies and `npm start` to start the application
+
+## Thanks
+[Abhisek Datta - abhisek](https://github.com/abhisek) for application architecture and front-end code
+
+## License
+
+MIT
diff --git a/config/db.js b/config/db.js
@@ -0,0 +1,8 @@
+module.exports = {
+  username: process.env.MYSQL_USER,
+  password: process.env.MYSQL_PASSWORD,
+  database: process.env.MYSQL_DATABASE,
+  host: process.env.MYSQL_HOST || 'mysql-db',
+  port: process.env.MYSQL_PORT || 3306,
+  dialect: 'mysql'
+}
diff --git a/config/vulns.js b/config/vulns.js
@@ -0,0 +1,12 @@
+module.exports = {
+	'a1_injection': 'A1: Injection',
+	'a2_broken_auth': 'A2: Broken Authentication and Session Management',
+	'a3_xss': 'A3: Cross-site Scripting',
+	'a4_idor': 'A4: Insecure Direct Object Reference',
+	'a5_sec_misconf': 'A5: Security Misconfiguration',
+	'a6_sensitive_data': 'A6: Sensitive Data Exposure',
+	'a7_missing_access_control': 'A7: Missing Function Level Access Control',
+	'a8_csrf': 'A8: Cross-site Request Forgery',
+	'a9_vuln_component': 'A9: Using Components with Known Vulnerability',
+	'a10_redirect': 'A10: Unvalidated Redirects and Forwards'
+}
diff --git a/core/appHandler.js b/core/appHandler.js
@@ -0,0 +1,156 @@
+var db = require('../models')
+var bCrypt = require('bcrypt')
+const exec = require('child_process').exec;
+var mathjs = require('mathjs')
+const Op = db.Sequelize.Op
+
+module.exports.userSearch = function (req,res){
+    // SQL Injection
+    var query = "SELECT name FROM Users WHERE login='" + req.body.login + "'";
+    db.sequelize.query(query,{ model: db.User }).then(user => {
+    	if(user.length){
+	    	var output ={
+	    		user: {
+	    			name: user[0].name
+	    		}
+	    	}
+    		res.render('app/usersearch',{output:output})
+    	}else{
+	    	var output ={
+	    		user: 'none'
+	    	}    		
+    		res.render('app/usersearch',{output:output})
+    	}
+    }).catch(err => {
+    	var output ={
+    		user: 'none'
+    	}    	
+    	req.flash('error','Internal Error')
+    	res.render('app/usersearch',{output:output})
+    })
+}
+
+module.exports.ping = function (req,res){
+	exec('ping -c 2 ' + req.body.address, function(err,stdout,stderr){
+		console.log(err)
+		output = stdout + stderr
+		res.render('app/ping',{authenticated:true, output: output})
+	})
+}
+
+module.exports.listProducts = function (req,res){
+    db.Product.findAll().then(products => {
+    	output ={
+    		products : products
+    	}
+    	res.render('app/products', {authenticated:true, output: output})
+    })
+}
+
+module.exports.productSearch = function (req,res){
+    db.Products.findAll({where:{name:{[Op.like]:req.body.name}}}).then( products => {
+    	output ={
+    		products : products,
+    		searchTerm: req.body.name
+    	}
+    	console.log(output)
+    	res.render('app/products', {output: output})		
+	})
+}
+
+module.exports.modifyProduct = function (req,res){
+	if(!req.query.id||req.query.id==''){
+		output ={
+			product : {}
+		}
+	res.render('app/modifyproduct', {output: output})		
+	}else{
+	    db.Product.find({where:{'id': req.query.id}}).then(product => {
+	    	if(!product) {
+	    		product ={}
+	    	}
+	    	output ={
+	    		product : product
+	    	}
+	    	res.render('app/modifyproduct', {output: output})
+	    })		
+	}
+
+}
+
+module.exports.modifyProductSubmit = function (req,res){
+	if (!req.body.id||req.body.id==''){
+		req.body.id=0
+	}
+    db.Product.find({where:{'id': req.body.id}}).then(product => {
+    	if(!product){
+    		product = new db.Product()
+    	}
+		product.code= req.body.code
+		product.name = req.body.name
+		product.description = req.body.description
+		product.tags = req.body.tags
+		product.save().then(p => {
+			if(p){
+				req.flash('message','Product added/modified!')
+				res.redirect('/app/products')
+			}
+		}).catch(err => {
+			output = {
+				product: product,
+				error: err
+			}
+			res.render('app/modifyproduct', {output: output})			
+		})	
+    })
+}
+
+module.exports.userEdit = function(req,res){
+	res.render('app/useredit',{userId:req.user.id,userEmail:req.user.email})
+}
+
+module.exports.userEditSubmit = function(req,res){
+	if(req.body.password==req.body.cpassword){
+		db.User.find({where:{'id':req.body.id}}).then(user=>{
+			if(user){
+				user.password = bCrypt.hashSync(req.body.password, bCrypt.genSaltSync(10), null)
+				user.save().then(function(){
+					res.redirect('/app/products')
+				})
+			}else{
+				req.flash('error','Non Existant User')
+				res.render('app/useredit',{userId:req.user.id,userEmail:req.user.email})
+			}
+		})
+	}else{
+		req.flash('error','Passwords dont match')
+		res.render('app/useredit',{userId:req.user.id,userEmail:req.user.email})
+	}
+}
+
+module.exports.redirect = function(req,res){
+	if(req.query.url){
+		res.redirect(req.query.url)
+	}else{
+		res.send('invalid redirect url')
+	}
+}
+
+module.exports.calc = function(req,res){
+	if(req.body.eqn){
+		req.flash('result',mathjs.eval(req.body.eqn))
+		res.render('app/calc')
+	}else{
+		req.flash('result','Enter a valid math string like (3+3)*2')
+		res.render('app/calc')
+	}
+}
+
+module.exports.listUsersAPI = function(req,res){
+	db.User.findAll({}).then(users => {
+		res.status(200).json({
+			success: true,
+			users: users
+		})
+	})
+}
diff --git a/core/authHandler.js b/core/authHandler.js
@@ -0,0 +1,87 @@
+var db = require('../models')
+var bCrypt = require('bcrypt')
+var md5 = require('md5')
+
+module.exports.isAuthenticated = function (req, res, next) {
+	if (req.isAuthenticated()){
+		req.flash('authenticated',true)
+		return next();
+	}
+	res.redirect('/login');
+}
+
+module.exports.isNotAuthenticated = function (req, res, next) {
+	if (!req.isAuthenticated())
+		return next();
+	res.redirect('/learn');
+}
+
+module.exports.forgotPw = function(req,res){
+	if(req.body.login){
+		db.User.find({where: {'login': req.body.login}}).then(user => {
+			if(user){
+				// Send reset link via email
+				req.flash('error','Check email for reset link')
+				res.redirect('/login')
+			}else{
+				req.flash('error',"Invalid login username")
+				res.redirect('/forgotpw')				
+			}
+		})
+	}else{
+		req.flash('error',"Invalid login username")
+		res.redirect('/forgotpw')
+	}
+}
+
+module.exports.resetPw = function(req,res){
+	if(req.query.login) {
+		db.User.find({where: {'login': req.query.login}}).then(user => {
+			if(user){
+				if(req.query.token == md5(req.query.login)){
+					res.render('resetpw',{login:req.query.login,token:req.query.token})				
+				}else{
+					req.flash('error',"Invalid reset token")
+					res.redirect('/forgotpw')	
+				}
+			}else{
+				req.flash('error',"Invalid login username")
+				res.redirect('/forgotpw')				
+			}
+		})
+	}else{
+		req.flash('error',"Invalid login username")
+		res.redirect('/forgotpw')
+	}
+}
+
+module.exports.resetPwSubmit = function(req,res){
+	if(req.body.password&&req.body.cpassword&&req.body.login&&req.body.token){
+		if(req.body.password==req.body.cpassword){
+			db.User.find({where: {'login': req.body.login}}).then(user => {
+				if(user){
+					if(req.body.token == md5(req.body.login)){
+						user.password = bCrypt.hashSync(req.body.password, bCrypt.genSaltSync(10), null)
+						user.save().then(function(){
+							req.flash('message',"Passowrd successfully reset")
+							res.redirect('/login')		
+						})		
+					}else{
+						req.flash('error',"Invalid reset token")
+						res.redirect('/forgotpw')	
+					}
+				}else{
+					req.flash('error',"Invalid login username")
+					res.redirect('/forgotpw')				
+				}
+			})
+		}else{
+			req.flash('error',"Passowords do not match")
+			res.render('resetpw',{login:req.query.login,token:req.query.token})				
+		}
+
+	}else{
+		req.flash('error',"Invalid request")
+		res.redirect('/forgotpw')
+	}
+}