DVNA: Damn Vulnerable NodeJS Application

DVNA: Damn Vulnerable NodeJS Application

DVNA is a web application written in NodeJS runtime environment. Damn Vulnerable NodeJS Application (DVNA) has remained vulnerable intentionally; so, we can use it to learn how to identify, attack and more importantly solve OWASP 10 vulnerabilities in NodeJS.

DVNA: Damn Vulnerable NodeJS Application Logo

DVNA: Deliberately vulnerable NodeJS application

Damn vulnerable NodeJS application (DVNA) is security application, which simply demonstrates the top 10 vulnerabilities of OWASP in NodeJS. In addition, it guides and points on how to fix and avoid these vulnerabilities.

The DVNA application uses common libraries such as sequelize, passport, express and more. The aim behind this development is to provide a useful environment for the developers who have limited working and development experience in the NodeJS and a fixed repository with all possible vulnerabilities and their fixes.


  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object Reference
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing function Level Access Control
  8. Cross-site Request Forgery
  9. Using Components with Known Vulnerability
  10. Unvaildated Redirects and Forwards
DVNA: Damn Vulnerable NodeJS Application Dashboard

Supported Platforms:

  • Windows
  • Linux 


  • Docker, Docker Compose (installation with Docker)
  • MySQL Server, NodeJS (installation without Docker)

Install DVNA

DVNA can be installed in three approaches:

  1. Development setup for developers: by docker-compose through with code updates that can auto-reload.
  2. For security testers: installation by the Docker Hub Official image.
  3. For advanced users: using a complete manual setup.

1. Development Setup

In case you haven’t installed the Docker and Docker compose, first you need to install both of them on your system.

Clone the repo:

$ git clone https://github.com/appsecco/dvna
$ cd dvna

Then in the application’s folder, create a file with the name of vars.env with required configuration like the following:


Start it using docker compose and access it at http://localhost:9090.

$ docker-compose up

2. From Docker Image

Create a file named vars.env with the following configuration:


Start the application’s MySQL container:

$ docker run --name dvna-mysql --env-file vars.env -d mysql:5.7

To start it using the official image run:

$ docker run --name dvna-app --env-file vars.env --link dvna-mysql:mysql-db -p 9090:9090 appsecco/dvna

Application can be accessed at

3. Manual Setup

To install it manually, you’ll need NodeJS setup on your system and access to MySQL Database. This is an advanced setup that requires you to do all the things manually. It’s recommended to use the Dockerized installation method, unless requirements demand manual setup.

Once the NodeJS is instaled and MySQL Server is up and running, create a new database and user for DVNA.

Clone the repo:

$ git clone https://github.com/appsecco/dvna; cd dvna

Configure the variables of environment with database information:

export MYSQL_USER=dvna
export MYSQL_DATABASE=dvna
export MYSQL_PASSWORD=passw0rd
export MYSQL_HOST=
export MYSQL_PORT=3306

Install dependencies:

$ npm install

Start the application which can be accessed at http://localhost:9090.

$ npm start
Documentation Box
Download Box