A vulnerable Node.js demo application, based on the Dreamers Lab tutorial.
aaa
This vulnerable app includes the following capabilities to experiment with:
- Exploitable packages with known vulnerabilities
- Docker Image Scanning for base images with known vulnerabilities in system libraries
- Runtime alerts for detecting an invocation of vulnerable functions in open source dependencies
mongod &
git clone https://github.com/Snyk/snyk-demo-todo
npm install
npm start
This will run Goof locally, using a local mongo on the default port and listening on port 3001 (http://localhost:3001)
docker-compose up --build
docker-compose down
Goof requires attaching a MongoLab service to be deployed as a Heroku app. That sets up the MONGOLAB_URI env var so everything after should just work.
Goof requires attaching a MongoLab service and naming it "goof-mongo" to be deployed on CloudFoundry. The code explicitly looks for credentials to that service.
To bulk delete the current list of TODO items from the DB run:
npm run cleanup
This app uses npm dependencies holding known vulnerabilities, as well as insecure code that introduces code-level vulnerabilities.
The exploits/
directory includes a series of steps to demonstrate each one.
Here are the exploitable vulnerable packages:
- Mongoose - Buffer Memory Exposure - requires a version <= Node.js 8. For the exploit demo purposes, one can update the Dockerfile
node
base image to useFROM node:6-stretch
. - st - Directory Traversal
- ms - ReDoS
- marked - XSS
- Open Redirect
- NoSQL Injection
- Command execution
- Cross-site Scripting (XSS)
- Security misconfiguration exposes server information
- Insecure protocol (HTTP) communication
The /admin
view introduces a redirectPage
query path, as follows in the admin view:
<input type="hidden" name="redirectPage" value="<%- redirectPage %>" />
One fault here is that the redirectPage
is rendered as raw HTML and not properly escaped, because it uses <%- >
instead of <%= >
. That itself, introduces a Cross-site Scripting (XSS) vulnerability via:
http://localhost:3001/login?redirectPage="><script>alert(1)</script>
To exploit the open redirect, simply provide a URL such as redirectPage=https://google.com
which exploits the fact that the code doesn't enforce local URLs in index.js:72
.
The Dockerfile
makes use of a base image (node:6-stretch
) that is known to have system libraries with vulnerabilities.
To scan the image for vulnerabilities, run:
snyk test --docker node:6-stretch --file=Dockerfile
To monitor this image and receive alerts with Snyk:
snyk monitor --docker node:6-stretch
Snyk provides the ability to monitor application runtime behavior and detect an invocation of a function is known to be vulnerable and used within open source dependencies that the application makes use of.
The agent is installed and initialized in app.js.
For the agent to report back to your snyk account on the vulnerabilities it detected it needs to know which project on Snyk to associate with the monitoring. Due to that, we need to provide it with the project id through an environment variable SNYK_PROJECT_ID
To run the Node.js app with runtime monitoring:
SNYK_PROJECT_ID=<PROJECT_ID> npm start
** The app will continue to work normally even if not provided a project id
To find these flaws in this application (and in your own apps), run:
npm install -g snyk
snyk wizard
In this application, the default snyk wizard
answers will fix all the issues.
When the wizard is done, restart the application and run the exploits again to confirm they are fixed.