DVNA (Damn Vulnerable NodeJS Application) is a web application written for the NodeJS runtime. It is intentionally kept vulnerable, so it can be used to learn how to identify, attack and, more importantly, fix OWASP Top 10 vulnerabilities in NodeJS.
DVNA: Deliberately vulnerable NodeJS application
Damn Vulnerable NodeJS Application (DVNA) is a deliberately insecure application that demonstrates the OWASP Top 10 vulnerabilities in NodeJS. For each of them it also shows how to fix and avoid the problem.
DVNA is built with NodeJS and uses common libraries such as sequelize, passport and express. The aim is to give developers with limited NodeJS experience a hands-on environment, together with a single repository that contains the vulnerable code and its fixes.
It covers the following categories of the OWASP Top 10 (2013 edition):
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object Reference
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
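Each category in DVNA is presented as vulnerable code next to its fix. The following is an added example in the same spirit, not code taken from DVNA: the last category, Unvalidated Redirects and Forwards, shown as the vulnerable pattern beside a hardened replacement. The query-parameter name `next`, the placeholder origin and the sample requests are assumptions made for illustration.

```javascript
// Added example, not code from DVNA: the "Unvalidated Redirects and Forwards"
// category from the list above, as the vulnerable pattern next to a hardened
// replacement. The query-parameter name "next" and the sample requests below
// are assumptions made for illustration.

// Vulnerable pattern: the redirect target is taken straight from the request,
// e.g. res.redirect(vulnerableNextTarget(req.query)) after a successful login.
// A link such as /login?next=https://evil.example sends the victim off-site
// after a genuine login, which is what makes it useful for phishing.
function vulnerableNextTarget(query) {
  return query.next || '/';
}

// Hardened check: only absolute paths on this site are accepted.
// Rejected inputs include:
//   - full URLs and schemes ("https://evil.example", "javascript:...")
//   - protocol-relative URLs ("//evil.example"), which browsers send off-site
//   - backslash variants ("/\evil.example"); browsers treat "\" like "/" here
//   - control characters, including CR/LF, which could corrupt the header
function isSafeRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) {
    return false;
  }
  if (target[0] !== '/') return false;                         // not an absolute path
  if (target[1] === '/' || target[1] === '\\') return false;   // protocol-relative
  if (/[\u0000-\u001f\u007f]/.test(target)) return false;       // control chars / CRLF
  // Parse against a fixed placeholder origin (assumption: the app is served from
  // one origin). If the resolved origin differs, the value escaped the site.
  const origin = 'https://dvna.invalid';
  let parsed;
  try {
    parsed = new URL(target, origin);
  } catch (err) {
    return false;
  }
  return parsed.origin === origin;
}

// Hardened replacement: fall back to a known-good location on any rejection.
function safeNextTarget(query, fallback = '/') {
  return isSafeRedirectTarget(query.next) ? query.next : fallback;
}

// Constructed sample requests (not captured traffic).
const sampleQueries = [
  { next: '/dashboard' },
  { next: '/app/users?id=3#top' },
  { next: 'https://evil.example/login' },
  { next: '//evil.example' },
  { next: '/\\evil.example' },
  { next: 'javascript:alert(1)' },
  { next: '/ok\r\nSet-Cookie: session=attacker' },
  {},
];

// Returns [input, vulnerable result, hardened result] for every sample.
function compareHandlers() {
  return sampleQueries.map((q) => [
    q.next === undefined ? '(absent)' : q.next,
    vulnerableNextTarget(q),
    safeNextTarget(q),
  ]);
}

console.table(compareHandlers());
```

The check deliberately rejects full URLs even for the application's own host; if cross-host redirects are genuinely required, compare the parsed hostname against an explicit allow-list rather than loosening the path rule, since `//` and `/\` prefixes are the classic ways a "path" turns into an off-site URL.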
Prerequisites, depending on the installation method:
- Docker and Docker Compose (installation with Docker)
- NodeJS and a MySQL server (installation without Docker)
DVNA can be installed in three ways:
- Development setup, for developers: docker-compose with the application code mounted, so code changes auto-reload.
- For security testers: the official image from Docker Hub.
- For advanced users: a complete manual setup.
1. Development Setup
If Docker and Docker Compose are not installed yet, install both on your system first.
Clone the repo:
$ git clone https://github.com/appsecco/dvna
$ cd dvna
Then, in the application's folder, create a file named vars.env with the required configuration, one variable per line:
MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes
Start it with Docker Compose and access it at http://localhost:9090. The password above is the value from the upstream instructions; use your own if the host is shared.
$ docker-compose up
2. From Docker Image
Create a file named vars.env with the following configuration, one variable per line:
MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes
MYSQL_HOST=mysql-db
MYSQL_PORT=3306
Start the application’s MySQL container:
$ docker run --name dvna-mysql --env-file vars.env -d mysql:5.7
To start the application from the official image, run:
$ docker run --name dvna-app --env-file vars.env --link dvna-mysql:mysql-db -p 9090:9090 appsecco/dvna
The --link flag is a legacy Docker feature; it still works on the default bridge network and is what gives the application container the mysql-db hostname that MYSQL_HOST refers to. The application can then be accessed at http://127.0.0.1:9090/. Because DVNA is intentionally vulnerable, do not expose it to other machines: if the Docker host is reachable over a network, bind the port to loopback only with -p 127.0.0.1:9090:9090 instead of -p 9090:9090.
3. Manual Setup
To install it manually, you need NodeJS on your system and access to a MySQL database. This is an advanced setup in which everything is done by hand; the Dockerized installation methods are recommended unless your requirements demand a manual setup.
Once NodeJS is installed and the MySQL server is up and running, create a new database and a database user for DVNA.
Clone the repo:
$ git clone https://github.com/appsecco/dvna; cd dvna
Configure the environment variables with the database information:
$ export MYSQL_USER=dvna
$ export MYSQL_DATABASE=dvna
$ export MYSQL_PASSWORD=passw0rd
$ export MYSQL_HOST=127.0.0.1
$ export MYSQL_PORT=3306
Install the dependencies:
$ npm install
Start the application; it can be accessed at http://localhost:9090.
$ npm start