Skip to content

ratprogrammer45/tsp-vulnerable-app-nodejs-express

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.github/workflows
.github/workflows
 
 
views
views
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.js
index.js
 
 
package.json
package.json
 
 

Repository files navigation

A sample application with known vulnerabilities - JavaScript, Express

A sample application with known issues for testing various linters, scanners, and scan automation.

This project uses:

Component In Use
Platform NodeJS
Language(s) JavaScript (ECMAScript)
Build npm
Framework Express

Security issues

Vulnerability Type Description Location PoC Command
Cross Site Scripting (XSS) The /hello endpoint generates page output in code. It expects a name as a parameter to say "Hello, $name" and concatenates the user input to the output without escaping it. res.send(`Hello, ${req.query.name}`) http://localhost:8080/hello?name=%3Cscript%3Ealert(1)%3C/script%3E
Cross Site Scripting (XSS) The /view endpoint uses a template engine to say "Hello, $name" and misuses template syntax, leaving the user input unescaped. p!= 'Hello, ' + name http://localhost:8080/view?name=%3Cscript%3Ealert(1)%3C/script%3E
Hardcoded credentials There are secrets in the code committed to the repository POSTGRES_PASSWORD=mysecretpassword

password: "mysecretpassword",		 N/A
SQL Injection (SQLi) The SQL query is constructed using string concatenation instead of using a parameterized query client.query(`select * from users where id = ${req.params.id}`) http://localhost:8080/user/1;drop%20table%20users

sqlmap -u localhost:8080/user/1 --all
Use of a vulnerable (outdated) library This project includeslodash library version with known vulnerabilities "lodash": "4.17.20" CVE-2021-23337, CVE-2020-28500

Other issues

  • There is at least one unused variable
  • The project has no tests
  • The project dependencies are not locked
  • A few var instead of const (ESlint rule: no-var)
  • Library lodash is declared but never used
  • Style is inconsistent. E.g. a Standard Style linter would complain.

Running this code

NOTE: This project contains security vulnerabilities and should be only run in testing purposes.

Requirements:

To run the code locally:

# Clone the project
git clone https://github.com/the-scan-project/tsp-vulnerable-app-nodejs-express.git
cd tsp-vulnerable-app-nodejs-express

# Install dependencies
npm i

# Start the database container
docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -p 5432:5432 -d postgres

# Start the application
npm run start

About

A sample application with known vulnerabilities - JavaScript, Express

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 95.0%
  • Pug 5.0%