The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
OWASP/NodeGoat
NodeGoat
Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
Getting Started
OWASP Top 10 for Node.js web applications:
Know it!
Tutorial Guide explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent it.
Do it!
A Vulnerable Node.js App for Ninjas to exploit, toast, and fix. You may like to set up your own copy of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
Default user accounts
The database comes pre-populated with these user accounts created as part of the seed data -
How to Set Up Your Copy of NodeGoat
OPTION 1 - Run NodeGoat on your machine
Install Node.js - NodeGoat requires Node v8 or above
Clone the github repository:
Go to the directory:
Install node packages:
Set up MongoDB. You can either install MongoDB locally or create a remote instance:
Using local MongoDB:
Using remote MongoDB instance:
MONGODB_URI
environment variable to the connection string of your cluster, which can be viewed in the cluster's connect dialog. Select "Connect your application", set the driver to "Node.js" and the version to "2.2.12 or later". This will give a connection string in the form:<username>
and<password>
fields need filling in with the details of the database user added earlier. The<dbname>
field sets the name of the database nodegoat will use in the cluster (eg "nodegoat"). The other fields will already be filled in with the correct details for your cluster.Populate MongoDB with the seed data required for the app:
By default this will use the "development" configuration, but the desired config can be passed as an argument if required.
Start the server. You can run the server using node or nodemon:
Customizing the Default Application Configuration
By default the application will be hosted on port 4000 and will connect to a MongoDB instance at localhost:27017. To change this set the environment variables
PORT
andMONGODB_URI
.Other settings can be changed by updating the config file.
OPTION 2 - Run NodeGoat on Docker
The repo includes the Dockerfile and docker-compose.yml necessary to set up the app and db instance, then connect them together.
Install docker and docker compose
Clone the github repository:
Go to the directory:
Build the images:
Run the app, this starts the NodeGoat application at http://localhost:4000/:
OPTION 3 - Deploy to Heroku
This option uses a free ($0/month) Heroku node server.
Though not essential, it is recommended that you fork this repository and deploy the forked repo. This will allow you to fix vulnerabilities in your own forked version, then deploy and test it on Heroku.
Set up a publicly accessible MongoDB instance:
Deploy NodeGoat to Heroku by clicking the button below:
In the Create New App dialog, set the
MONGODB_URI
config var to the connection string of your MongoDB Atlas cluster. This can be viewed in the cluster's connect dialog. Select "Connect your application", set the driver to "Node.js" and the version to "2.2.12 or later". This will give a connection string in the form:The
<username>
and<password>
fields need filling in with the details of the database user added earlier. The<dbname>
field sets the name of the database nodegoat will use in the cluster (eg "nodegoat"). The other fields will already be filled in with the correct details for your cluster.Report bugs, Feedback, Comments
Contributing
Please Follow the contributing guide
Code Of Conduct (CoC)
This project is bound by a Code of Conduct.
Contributors
Here are the amazing contributors to the NodeGoat project.
Supports
License
Code licensed under the Apache License v2.0.