
Damn Vulnerable Node Application - anaxag0ras
https://github.com/quantumfoam/DVNA/
======
nailer
Seems to be a bunch of Express apps rather than a single application. Many
just take arbitrary input from requests and do things on the shell. I'd hope
(maybe I'm wrong) that most people are already aware that executing arbitrary
user input is bad. See
[https://github.com/quantumfoam/DVNA/tree/master/vulnerabilit...](https://github.com/quantumfoam/DVNA/tree/master/vulnerabilities)

------
sebcat
I was kinda hoping for Node-specific vulns. This does not seem to cover more
than DVWA, WAVSEP or any other test suites/intentionally vulnerable web
applications out there.

~~~
inglor
I just wrote PRs for two node-specific vulnerabilities:

[https://github.com/quantumfoam/DVNA/pull/14](https://github.com/quantumfoam/DVNA/pull/14)
[https://github.com/quantumfoam/DVNA/pull/13](https://github.com/quantumfoam/DVNA/pull/13)

Let me know if that's what you had in mind.

~~~
sebcat
I know very little node.js, but by the looks of it that is exactly the type of
vulnerability I would like to see in a project like this. Kudos for the PRs.

------
javajosh
Well, skimming the vulnerabilities [1], I didn't really see anything too
interesting. Consider this "eval_remote" vulnerability:

    
    
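       var e = require("express");
       var DVNA = e();
       DVNA.get('/', function(req, res) {
         // Deliberately vulnerable: the "e" query parameter is evaluated as JavaScript.
         // The result gets its own name so it does not overwrite the response object.
         var result = eval("("+req.query.e+")");
         res.send('Parameter eval():<br> ' + result);
       });
       DVNA.listen(6666);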
    

Yes, if you eval your requests that is a vulnerability, but it is a trivial
one. I was expecting some side-channel esoteric stuff that, reading the code,
you wouldn't necessarily see the problem.

1 -
[https://github.com/quantumfoam/DVNA/tree/master/vulnerabilit...](https://github.com/quantumfoam/DVNA/tree/master/vulnerabilities)
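
Added example, not part of the thread or of DVNA: a heuristic review scanner that flags the pattern in the eval_remote snippet above, and the shell-execution pattern mentioned earlier in the thread, by following request data into eval-like and command-execution calls. The function names, the `host`/`cmd` lines and the sample source are constructed for illustration.

```javascript
// Heuristic review scanner (added example, not DVNA code). It follows only
// simple one-line assignments, so it is a triage aid, not a taint analysis.
// Calls that run their string argument as JavaScript or as a shell command.
const SINKS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { name: 'exec', re: /\bexec(?:Sync)?\s*\(/ }, // also hits RegExp#exec; check by hand
];
// Express request properties that carry client-controlled data.
const SOURCE = /\breq\.(?:query|body|params|headers|cookies)\b/;
const ASSIGN = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=(.*)$/;
const STRING = /(['"])(?:\\.|(?!\1).)*\1/g;

function isTainted(text, tainted) {
  if (SOURCE.test(text)) return true;
  const ids = text.match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.some((id) => tainted.has(id));
}

function findTaintedSinks(source) {
  const tainted = new Set(); // variables assigned from request data so far
  const findings = [];
  source.split('\n').forEach((raw, i) => {
    const line = raw.replace(STRING, '""'); // ignore text inside string literals
    for (const sink of SINKS) {
      const m = sink.re.exec(line);
      // Only the text after the opening parenthesis counts as the argument.
      if (m && isTainted(line.slice(m.index + m[0].length), tainted)) {
        findings.push({ line: i + 1, sink: sink.name });
      }
    }
    const a = ASSIGN.exec(line);
    if (a && isTainted(a[2], tainted)) tainted.add(a[1]);
  });
  return findings;
}

// Constructed sample: an eval handler body like the one quoted above, then a
// hypothetical shell-command handler; the last eval takes only a constant.
const SAMPLE = [
  "var out = eval('(' + req.query.e + ')');",
  "res.send('Parameter eval():<br> ' + out);",
  "var host = req.query.host;",
  "var cmd = 'ping -c 1 ' + host;",
  "exec(cmd, function(err, stdout) { res.send(stdout); });",
  "var fixed = eval('1 + 1');",
].join('\n');

console.log(findTaintedSinks(SAMPLE));
```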

------
iDemonix
Reminds me of Damn Vulnerable Web App
([http://www.dvwa.co.uk/](http://www.dvwa.co.uk/)) which my friend made whilst
we were at university.

------
sebcat
The OWASP Broken Web Applications project (owaspbwa) is worth mentioning in
this context. It's a collection of vulnerable web applications for web
security training, demonstrations and testing. It can be downloaded as a VM
from [1]. I don't have a lot of faith in sourceforge, but it seems to be the
official source.

[1]:
[http://sourceforge.net/projects/owaspbwa/files/1.2/](http://sourceforge.net/projects/owaspbwa/files/1.2/)

------
gonyea
It's beta, so don't put this in production (yet)!

