A vulnerable application made using node.js, express server and ejs template engine. This application is meant for educational purposes only.

Setup

Clone this repository

git clone https://github.com/4auvar/VulnNodeApp.git

Application setup:

• Install the latest node.js version with npm.
• Open terminal/command prompt and navigate to the location of downloaded/cloned repository.
• Run command: npm install

DB setup

• Install and configure latest mysql version and start the mysql service/deamon
• Login with root user in mysql and run below sql script:

CREATE USER 'vulnnodeapp'@'localhost' IDENTIFIED BY 'password';
create database vuln_node_app_db;
GRANT ALL PRIVILEGES ON vuln_node_app_db.* TO 'vulnnodeapp'@'localhost';
USE vuln_node_app_db;
create table users (id int AUTO_INCREMENT PRIMARY KEY, fullname varchar(255), username varchar(255),password varchar(255), email varchar(255), phone varchar(255), profilepic varchar(255));
insert into users(fullname,username,password,email,phone) values("test1","test1","test1","[email protected]","976543210");
insert into users(fullname,username,password,email,phone) values("test2","test2","test2","[email protected]","9887987541");
insert into users(fullname,username,password,email,phone) values("test3","test3","test3","[email protected]","9876987611");
insert into users(fullname,username,password,email,phone) values("test4","test4","test4","[email protected]","9123459876");
insert into users(fullname,username,password,email,phone) values("test5","test5","test   5","[email protected]","7893451230");

Set basic environment variable

• User needs to set the below environment variable.
  • DATABASE_HOST (E.g: localhost, 127.0.0.1, etc...)
  • DATABASE_NAME (E.g: vuln_node_app_db or DB name you change in above DB script)
  • DATABASE_USER (E.g: vulnnodeapp or user name you change in above DB script)
  • DATABASE_PASS (E.g: password or password you change in above DB script)

Start the server

• Open the command prompt/terminal and navigate to the location of your repository
• Run command: npm start
• Access the application at http://localhost:3000

Vulnerability covered

• SQL Injection
• Cross Site Scripting (XSS)
• Insecure Direct Object Reference (IDOR)
• Command Injection
• Arbitrary File Retrieval
• Regular Expression Injection
• External XML Entity Injection (XXE)
• Node js Deserialization
• Security Misconfiguration
• Insecure Session Management

TODO

• Will add new vulnerabilities such as CORS, Template Injection, etc...
• Improve application documentation

Issues

• In case of bugs in the application, feel free to create an issues on github.

Contribution

• Feel free to create a pull request for any contribution.

You can reach me out at @4auvar

XM Goat is composed of XM Cyber terraform templates that help you learn about common Azure security issues. Each template is a vulnerable environment, with some significant misconfigurations. Your job is to attack and compromise the environments.

Here's what to do for each environment:

1. Run installation and then get started.

2. With the initial user and service principal credentials, attack the environment based on the scenario flow (for example, XMGoat/scenarios/scenario_1/scenario1_flow.png).

3. If you need help with your attack, refer to the solution (for example, XMGoat/scenarios/scenario_1/solution.md).

4. When you're done learning the attack, clean up.

Requirements

• Azure tenant
• Terafform version 1.0.9 or above
• Azure CLI
• Azure User with Owner permissions on Subscription and Global Admin privileges in AAD

Installation

Run these commands:

$ az login
$ git clone https://github.com/XMCyber/XMGoat.git
$ cd XMGoat
$ cd scenarios
$ cd scenario_<\SCENARIO>

Where <\SCENARIO> is the scenario number you want to complete

$ terraform init
$ terraform plan -out <\FILENAME>
$ terraform apply <\FILENAME>

Where <\FILENAME> is the name of the output file

Get started

To get the initial user and service principal credentials, run the following query:

$ terraform output --json

For Service Principals, use application_id.value and application_secret.value.

For Users, use username.value and password.value.

Cleaning up

After completing the scenario, run the following command in order to clean all the resources created in your tenant

$ az login
$ cd XMGoat
$ cd scenarios
$ cd scenario_<\SCENARIO>

Where <\SCENARIO> is the scenario number you want to complete

$ terraform destroy

Analyse binaries for missing security features, information disclosure and more.

Extrude is in the early stages of development, and currently only supports ELF and MachO binaries. PE (Windows) binaries will be supported soon.

Usage

Usage:
  extrude [flags] [file]

Flags:
  -a, --all               Show details of all tests, not just those which failed.
  -w, --fail-on-warning   Exit with a non-zero status even if only warnings are discovered.
  -h, --help              help for extrude

Docker

You can optionally run extrude with docker via:

docker run -v `pwd`:/blah -it ghcr.io/liamg/extrude /blah/targetfile

Supported Checks

ELF

• PIE
• RELRO
• BIND NOW
• Fortified Source
• Stack Canary
• NX Stack

MachO

• PIE
• Stack Canary
• NX Stack
• NX Heap
• ARC

Windows

Coming soon...

TODO

• Add support for PE
• Add secret scanning
• Detect packers