Seems to be a bunch of Express apps rather than a single application. Many just take arbitrary input from requests and do things on the shell. I'd hope (maybe I'm wrong) that most people are already aware that executing arbitrary user input is bad. See <a href="https://github.com/quantumfoam/DVNA/tree/master/vulnerabilities" rel="nofollow">https://github.com/quantumfoam/DVNA/tree/master/vulnerabilit...</a>
I was kinda hoping for node specific vulns. This does not seem to cover more than DVWA, WAVSEP or any other test suites/intentionally vulnerable web applications out there.
Well, skimming the vulnerabilities [1] didn't really see anything too interesting. Consider this "eval_remote" vulnerability:<p><pre><code> var e = require("express");
var DVNA = e();
DVNA.get('/', function(req, res) {
var res = eval("("+req.query.e+")");
res.send('Parameter eval():<br> ' + res);
});
DVNA.listen(6666);
</code></pre>
Yes, if you eval your requests that is a vulnerability, but it is a trivial one. I was expecting some side-channel esoteric stuff that, reading the code, you wouldn't necessarily see the problem.<p>1 - <a href="https://github.com/quantumfoam/DVNA/tree/master/vulnerabilities" rel="nofollow">https://github.com/quantumfoam/DVNA/tree/master/vulnerabilit...</a>
Reminds me of Damn Vulnerable Web App (<a href="http://www.dvwa.co.uk/" rel="nofollow">http://www.dvwa.co.uk/</a>) which my friend made whilst we were at university.
the OWASP Broken Web Applications project (owaspbwa) is worth mentioning in this context. It's a collection of vulnerable web applications for web security training, demonstrations and testing. It can be downloaded as a VM from [1]. I don't have a lot of faith in sourceforge, but it seems to be the official source.<p>[1]: <a href="http://sourceforge.net/projects/owaspbwa/files/1.2/" rel="nofollow">http://sourceforge.net/projects/owaspbwa/files/1.2/</a>