Convert Figma logo to code with AI

OWASP logoNodeGoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

1,973
1,936
1,973
59
View on GitHub

Top Related Projects

digininja's avatar

DVWA

11,593

Damn Vulnerable Web Application (DVWA)

WebGoat's avatar

WebGoat

8,485

WebGoat is a deliberately insecure application

rapid7's avatar

metasploitable3

5,142

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.

s4n7h0's avatar

xvwa

1,742

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.

Quick Overview

OWASP NodeGoat is a deliberately insecure web application built with Node.js, Express, and MongoDB. It's designed to demonstrate common security vulnerabilities in Node.js applications and serve as a learning tool for developers to understand and implement security best practices.

Pros

  • Provides hands-on experience with real-world security vulnerabilities
  • Includes detailed tutorials and fix information for each vulnerability
  • Regularly updated to reflect current security trends and Node.js best practices
  • Offers a Docker setup for easy deployment and testing

Cons

  • May not cover all possible security vulnerabilities in Node.js applications
  • Requires careful handling in production environments due to its intentionally insecure nature
  • Some users might find the setup process challenging without prior Node.js experience
  • Documentation could be more comprehensive for some advanced topics

Getting Started

  1. Clone the repository:

    git clone https://github.com/OWASP/NodeGoat.git

  2. Install dependencies:

    cd NodeGoat
npm install

  3. Set up the configuration:

    cp config/env/development.js config/env/local.js

  4. Start the application:

    npm start

  5. Access the application at http://localhost:4000

For a more detailed setup, including Docker instructions and tutorial mode, refer to the project's README file.

Competitor Comparisons

digininja logo

DVWA

11,593

Damn Vulnerable Web Application (DVWA)

Pros of DVWA

  • Written in PHP, making it accessible for a wider range of developers
  • Includes a broader set of vulnerabilities, covering more OWASP Top 10 risks
  • Offers multiple difficulty levels for each vulnerability

Cons of DVWA

  • Less modern tech stack compared to NodeGoat's Node.js environment
  • Lacks built-in remediation guides or secure coding examples

Code Comparison

DVWA (PHP):

<?php
if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
}
?>

NodeGoat (JavaScript):

UserDao.prototype.getByUserName = function(userName, callback) {
    var user = this.db.collection("users");
    user.findOne({
        userName: userName
    }, function(err, user) {
        if (err) return callback(err, null);
        callback(null, user);
    });
}

Both examples demonstrate database queries, but NodeGoat uses a more modern, non-SQL approach with better separation of concerns.

WebGoat logo

WebGoat

8,485

WebGoat is a deliberately insecure application

Pros of WebGoat

  • More comprehensive, covering a wider range of web application security vulnerabilities
  • Better documentation and learning resources, including detailed explanations for each lesson
  • Larger and more active community, leading to frequent updates and improvements

Cons of WebGoat

  • Steeper learning curve, which may be challenging for beginners
  • Requires more setup time and resources due to its comprehensive nature
  • Java-based, which may not be ideal for developers primarily working with other languages

Code Comparison

WebGoat (Java):

@GetMapping("/login")
public String login(@RequestParam(value="error", required=false) String error,
                    Model model) {
    if (error != null) {
        model.addAttribute("error", "Invalid username and password!");
    }
    return "login";
}

NodeGoat (JavaScript):

app.post('/login', function(req, res) {
    userDAO.validateLogin(req.body.userName, req.body.password, function(err, user) {
        if (err || !user) {
            return res.render('login', {errorMessage: 'Invalid username or password'});
        }
        req.session.userId = user._id;
        res.redirect('/dashboard');
    });
});

Both repositories serve as intentionally vulnerable applications for security training, but they differ in language, scope, and target audience. WebGoat offers a more comprehensive learning experience, while NodeGoat focuses on Node.js-specific vulnerabilities and may be more accessible for JavaScript developers.

rapid7 logo

metasploitable3

5,142

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.

Pros of Metasploitable3

  • Provides a more comprehensive and diverse set of vulnerabilities across multiple technologies
  • Offers a realistic, pre-configured virtual machine environment for penetration testing
  • Supports both Windows and Linux-based vulnerable systems

Cons of Metasploitable3

  • Requires more resources to set up and run due to its virtual machine nature
  • Less focused on a specific technology stack, potentially overwhelming for beginners
  • May require more frequent updates to maintain relevance with current security landscapes

Code Comparison

NodeGoat (JavaScript):

var MongoClient = require('mongodb').MongoClient;
MongoClient.connect(MONGODB_URI, function(err, db) {
  if(err) throw err;
  // Vulnerable query
  db.collection('users').find({username: username, password: password});
});

Metasploitable3 (Ruby):

require 'sinatra'
get '/vulnerable_endpoint' do
  system("ping -c 4 #{params[:ip]}")
end

Both examples showcase vulnerable code, but NodeGoat focuses on Node.js-specific issues, while Metasploitable3 includes vulnerabilities across various technologies and languages.

s4n7h0 logo

xvwa

1,742

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.

Pros of xvwa

  • Written in PHP, which is more widely used for web applications compared to Node.js
  • Includes a broader range of vulnerabilities, covering more OWASP Top 10 categories
  • Easier to set up and run, requiring only a basic LAMP stack

Cons of xvwa

  • Less actively maintained, with fewer recent updates compared to NodeGoat
  • Lacks comprehensive documentation and learning resources
  • Does not provide built-in remediation examples for the vulnerabilities

Code Comparison

xvwa (PHP):

$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = $id";
$result = mysqli_query($conn, $query);

NodeGoat (JavaScript):

var userId = req.params.userId;
User.findById(userId, function(err, user) {
    if (err) return next(err);
    // ...
});

The xvwa example demonstrates a classic SQL injection vulnerability, while NodeGoat uses Mongoose ORM, which provides better protection against such attacks by default.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

NodeGoat

Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Getting Started

OWASP Top 10 for Node.js web applications:

Know it!

This application bundled a tutorial page that explains the OWASP Top 10 vulnerabilities and how to fix them.

Once the application is running, you can access the tutorial page at http://localhost:4000/tutorial (or the port you have configured).

Do it!

A Vulnerable Node.js App for Ninjas to exploit, toast, and fix. You may like to set up your own copy of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.

Default user accounts

The database comes pre-populated with these user accounts created as part of the seed data -

  • Admin Account - u:admin p:Admin_123
  • User Accounts (u:user1 p:User1_123), (u:user2 p:User2_123)
  • New users can also be added using the sign-up page.

How to Set Up Your Copy of NodeGoat

OPTION 1 - Run NodeGoat on your machine

  1. Install Node.js - NodeGoat requires Node v8 or above

  2. Clone the github repository:

    git clone https://github.com/OWASP/NodeGoat.git

  3. Go to the directory:

    cd NodeGoat

  4. Install node packages:

    npm install

  5. Set up MongoDB. You can either install MongoDB locally or create a remote instance:

    • Using local MongoDB:

      1. Install MongoDB Community Server
      2. Start mongod

    • Using remote MongoDB instance:

      1. Deploy a MongoDB Atlas free tier cluster (M0 Sandbox)
      2. Enable network access to the cluster from your current IP address
      3. Add a database user to the cluster
      4. Set the MONGODB_URI environment variable to the connection string of your cluster, which can be viewed in the cluster's connect dialog. Select "Connect your application", set the driver to "Node.js" and the version to "2.2.12 or later". This will give a connection string in the form: 
        mongodb://<username>:<password>@<cluster>/<dbname>?ssl=true&replicaSet=<rsname>&authSource=admin&retryWrites=true&w=majority
        The <username> and <password> fields need filling in with the details of the database user added earlier. The <dbname> field sets the name of the database nodegoat will use in the cluster (eg "nodegoat"). The other fields will already be filled in with the correct details for your cluster.

  6. Populate MongoDB with the seed data required for the app:

    npm run db:seed

    By default this will use the "development" configuration, but the desired config can be passed as an argument if required.

  7. Start the server. You can run the server using node or nodemon:

    • Start the server with node. This starts the NodeGoat application at http://localhost:4000/: 
      npm start
    • Start the server with nodemon, which will automatically restart the application when you make any changes. This starts the NodeGoat application at http://localhost:5000/: 
      npm run dev

Customizing the Default Application Configuration

By default the application will be hosted on port 4000 and will connect to a MongoDB instance at localhost:27017. To change this set the environment variables PORT and MONGODB_URI.

Other settings can be changed by updating the config file.

OPTION 2 - Run NodeGoat on Docker

The repo includes the Dockerfile and docker-compose.yml necessary to set up the app and db instance, then connect them together.

  1. Install docker and docker compose

  2. Clone the github repository:

    git clone https://github.com/OWASP/NodeGoat.git

  3. Go to the directory:

    cd NodeGoat

  4. Build the images:

    docker-compose build

  5. Run the app, this starts the NodeGoat application at http://localhost:4000/:

    docker-compose up

OPTION 3 - Deploy to Heroku

This option uses a free ($0/month) Heroku node server.

Though not essential, it is recommended that you fork this repository and deploy the forked repo. This will allow you to fix vulnerabilities in your own forked version, then deploy and test it on Heroku.

  1. Set up a publicly accessible MongoDB instance:

    1. Deploy a MongoDB Atlas free tier cluster (M0 Sandbox)
    2. Enable network access to the cluster from anywhere (CIDR range 0.0.0.0/0)
    3. Add a database user to the cluster

  2. Deploy NodeGoat to Heroku by clicking the button below:

    Deploy

    In the Create New App dialog, set the MONGODB_URI config var to the connection string of your MongoDB Atlas cluster. This can be viewed in the cluster's connect dialog. Select "Connect your application", set the driver to "Node.js" and the version to "2.2.12 or later". This will give a connection string in the form:

    mongodb://<username>:<password>@<cluster>/<dbname>?ssl=true&replicaSet=<rsname>&authSource=admin&retryWrites=true&w=majority

    The <username> and <password> fields need filling in with the details of the database user added earlier. The <dbname> field sets the name of the database nodegoat will use in the cluster (eg "nodegoat"). The other fields will already be filled in with the correct details for your cluster.

Report bugs, Feedback, Comments

  • Open a new issue or contact team by joining chat at Slack or Join the chat at https://gitter.im/OWASP/NodeGoat

Contributing

Please Follow the contributing guide

Code Of Conduct (CoC)

This project is bound by a Code of Conduct.

Contributors

Here are the amazing contributors to the NodeGoat project.

Supports

  • Thanks to JetBrains for providing licenses to fantastic WebStorm IDE to build this project.

License

Code licensed under the Apache License v2.0.