This codebase is used to conduct a workshop on GitHub Actions and GitHub Code Scanning.
Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
OWASP Top 10 for Node.js web applications:

- Tutorial Guide explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent them.
- A Vulnerable Node.js App for Ninjas to exploit, toast, and fix. You may like to set up your own copy of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
The database comes pre-populated with these user accounts created as part of the seed data:
- Admin Account - u:admin p:Admin_123
- User Accounts (u:user1 p:User1_123), (u:user2 p:User2_123)
- New users can also be added using the sign-up page.
The repo includes a `.devcontainer/` directory with Codespaces configuration artifacts that can be used to open the repository and launch the application directly from within the web browser. The Codespace also includes a MongoDB instance.

- Navigate to https://github.com/octodemo/NodeGoat-Workshop
- Click on the green "Code" drop-down button
- Select "Open with Codespaces".
- Either select an existing Codespace or click "New codespace" to launch the repository within a Codespace
- Open the Visual Studio Code Integrated Terminal (if the integrated terminal is already open when first launching the Codespace, you will need to close and re-open it due to a known bug where the shell isn't being set to `/bin/bash`).
- Install node packages (only if `node_modules/` is missing): `npm install`
- Populate MongoDB with the seed data required for the app: `npm run db:seed`
- Start the server: `npm start`
To run NodeGoat locally instead:

- Install Node.js. NodeGoat requires Node v8 or above.
- Clone the GitHub repository: `git clone https://github.com/OWASP/NodeGoat.git`
- Go to the directory: `cd NodeGoat`
- Install node packages: `npm install`
- Set up MongoDB. You can either install MongoDB locally or create a remote instance:
  - Using local MongoDB:
    - Install MongoDB Community Server
    - Start mongod
  - Using a remote MongoDB instance:
    - Deploy a MongoDB Atlas free tier cluster (M0 Sandbox)
    - Enable network access to the cluster from your current IP address
    - Add a database user to the cluster
    - Set the `MONGODB_URI` environment variable to the connection string of your cluster, which can be viewed in the cluster's connect dialog. Select "Connect your application", set the driver to "Node.js" and the version to "2.2.12 or later". This will give a connection string in the form:
      `mongodb://<username>:<password>@<cluster>/<dbname>?ssl=true&replicaSet=<rsname>&authSource=admin&retryWrites=true&w=majority`
      The `<username>` and `<password>` fields need filling in with the details of the database user added earlier. The `<dbname>` field sets the name of the database NodeGoat will use in the cluster (e.g. "nodegoat"). The other fields will already be filled in with the correct details for your cluster.
- Populate MongoDB with the seed data required for the app: `npm run db:seed`
  By default this will use the "development" configuration, but the desired config can be passed as an argument if required.
- Start the server. You can run the server using node or nodemon:
  - Start the server with node. This starts the NodeGoat application at http://localhost:4000/: `npm start`
  - Start the server with nodemon, which will automatically restart the application when you make any changes. This starts the NodeGoat application at http://localhost:5000/: `npm run dev`

By default the application will be hosted on port 4000 and will connect to a MongoDB instance at localhost:27017. To change this, set the environment variables `PORT` and `MONGODB_URI`.
Other settings can be changed by updating the config file.
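Before seeding and starting a local install, it helps to confirm the two inputs the steps above depend on. The following is an added example, not code from the NodeGoat repository or the workshop: the function names `node_version_ok` and `atlas_uri_ok` are assumptions of this example, and the rules they apply are the "Node v8 or above" requirement and the Atlas connection-string form quoted above.

```shell
#!/usr/bin/env bash
# Added example, not part of the NodeGoat repository: pre-flight checks for the
# local-install steps. Function names are hypothetical; the rules encode the
# "Node v8 or above" requirement and the Atlas connection-string form quoted above.

# Succeeds when a Node version string such as "v8.17.0" meets the v8 minimum.
node_version_ok() {
  local major="${1#v}"       # strip the leading "v"
  major="${major%%.*}"       # keep only the major component
  [ "$major" -ge 8 ] 2>/dev/null
}

# Succeeds when an Atlas-style MONGODB_URI looks complete: mongodb:// scheme,
# <username>:<password>@ credentials, no unfilled <placeholder> from the connect
# dialog, ssl=true so the link is encrypted, and authSource=admin as the README shows.
atlas_uri_ok() {
  local uri="$1"
  case "$uri" in
    mongodb://*) ;;
    *) echo "error: MONGODB_URI must start with mongodb://" >&2; return 1 ;;
  esac
  case "$uri" in
    *'<'*'>'*) echo "error: unfilled <placeholder> left in MONGODB_URI" >&2; return 1 ;;
  esac
  case "$uri" in
    mongodb://*:*@*) ;;
    *) echo "error: MONGODB_URI has no username:password@ section" >&2; return 1 ;;
  esac
  case "$uri" in
    *'?ssl=true'*|*'&ssl=true'*) ;;
    *) echo "error: ssl=true missing, the cluster connection would be unencrypted" >&2; return 1 ;;
  esac
  case "$uri" in
    *'authSource=admin'*) ;;
    *) echo "error: authSource=admin missing" >&2; return 1 ;;
  esac
  return 0
}

# Usage (uncomment to run before "npm run db:seed"):
# node_version_ok "$(node --version)" || { echo "NodeGoat needs Node v8+" >&2; exit 1; }
# atlas_uri_ok "$MONGODB_URI" || exit 1
```

The local default (`mongodb://localhost:27017`) carries no credentials, so `atlas_uri_ok` is only meant for the remote-cluster form.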
The repo includes the Dockerfile and docker-compose.yml necessary to set up the app and db instance, then connect them together.

- Install docker and docker compose
- Clone the GitHub repository: `git clone https://github.com/OWASP/NodeGoat.git`
- Go to the directory: `cd NodeGoat`
- Build the images: `docker-compose build`
- Run the app. This starts the NodeGoat application at http://localhost:4000/: `docker-compose up`
Here are the amazing contributors to the NodeGoat project.
- Thanks to JetBrains for providing licenses to the fantastic WebStorm IDE to build this project.
Code licensed under the Apache License v2.0.