This is a vulnerable Node.js application created for testing Static Application Security Testing (SAST) tools. The application includes several common vulnerabilities such as XSS, command injection, and insecure logging.
```
vulnerable-node-app/
├── Dockerfile
├── docker-compose.yml
├── app.js
├── package.json
├── views/
│   ├── index.html
│   ├── about.html
│   ├── contact.html
│   ├── admin.html
│   └── style.css
└── README.md
```
- Docker
- Docker Compose
- Download and install Docker Desktop from Docker's official website.
- Follow the installation instructions specific to your operating system.
- Update your existing list of packages:

  ```sh
  sudo apt-get update
  ```

- Install a few prerequisite packages:

  ```sh
  sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
  ```

- Add the GPG key for the official Docker repository to your system:

  ```sh
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  ```

- Add the Docker repository to APT sources:

  ```sh
  sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  ```

- Update your package database with the Docker packages from the newly added repo:

  ```sh
  sudo apt-get update
  ```

- Install Docker:

  ```sh
  sudo apt-get install docker-ce
  ```

- Start Docker:

  ```sh
  sudo systemctl start docker
  ```

- Verify that Docker is installed correctly by running the `hello-world` image:

  ```sh
  sudo docker run hello-world
  ```
- Build the Docker image and run the container manually:

  ```sh
  docker build -t vuln-app .
  docker run -p 3000:3000 vuln-app
  ```
- Exposing Sensitive Information: The login route logs the username and password to the console.
- Reflected XSS: The search route injects the user input directly into the HTML response.
- Insecure Logging: The contact form logs sensitive information (email) to the server-side logs.
- Command Injection: The admin command execution uses `eval()` to execute commands, leading to possible command injection.
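For comparison, the four findings above in their fixed form, as one small Node.js module. This is added example code, not the repository's `app.js`, and the function and field names (`renderSearch`, `redactForLog`, `runAdminCommand`, the `ADMIN_ACTIONS` table) are assumptions: it shows what a SAST tool should see once the search reflection is output-encoded, credentials and e-mail addresses are redacted before logging, and the `eval()` on the admin route is replaced by an allowlist dispatch table.

```javascript
'use strict';

// Reflected XSS fix: encode user input before it is placed in HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hypothetical search route body: the query is encoded, never concatenated raw.
function renderSearch(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Logging fix: passwords and tokens are never logged; e-mail addresses are masked.
// Usage in a route would be console.log(redactForLog(req.body)).
const SECRET_FIELDS = new Set(['password', 'token']);

function maskEmail(email) {
  const [local, domain] = String(email).split('@');
  if (!domain) return '[redacted]';
  return `${local.slice(0, 1)}***@${domain}`;
}

function redactForLog(fields) {
  const out = {};
  for (const [k, v] of Object.entries(fields)) {
    if (SECRET_FIELDS.has(k)) out[k] = '[redacted]';
    else if (k === 'email') out[k] = maskEmail(v);
    else out[k] = v;
  }
  return out;
}

// Command-injection fix: no eval(). Admin "commands" are fixed functions keyed
// by name; anything not in the table is rejected. hasOwnProperty.call keeps
// inherited keys such as "constructor" from resolving to a function.
const ADMIN_ACTIONS = {
  uptime: () => `uptime: ${Math.floor(process.uptime())}s`,
  version: () => `node ${process.version}`,
};

function runAdminCommand(name) {
  if (!Object.prototype.hasOwnProperty.call(ADMIN_ACTIONS, name)) {
    return { ok: false, error: 'unknown command' };
  }
  return { ok: true, output: ADMIN_ACTIONS[name]() };
}
```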
This application is intended for educational purposes only. Do not deploy this application in a production environment.
To create and save the files in a Docker image:

```sh
docker build --platform linux/amd64 -t vulnapp67 .
docker run -it -p 8088:3000 vulnapp67:latest
```
1. Login to Azure:

   ```sh
   az login
   ```

2. Create a Resource Group:

   ```sh
   az group create --name az-vuln-app --location westus
   ```

3. Create an Azure Container Registry:

   ```sh
   az acr create --resource-group az-vuln-app --name vulnapp67acr --sku Basic
   ```

4. Login to the Azure Container Registry:

   ```sh
   az acr login --name vulnapp67acr
   ```

5. Enable Admin Access on ACR:

   ```sh
   az acr update -n vulnapp67acr --admin-enabled true
   ```

6. Tag and Push the Docker Image to ACR:

   ```sh
   docker tag vulnapp67 vulnapp67acr.azurecr.io/vulnapp67:v1
   docker push vulnapp67acr.azurecr.io/vulnapp67:v1
   ```

7. Create an Azure App Service Plan:

   ```sh
   az appservice plan create --name vulnapp67plan --resource-group az-vuln-app --is-linux --sku F1
   az appservice plan show --name vulnapp67plan --resource-group az-vuln-app
   ```

8. Create a Web App and Deploy the Docker Container:

   ```sh
   az webapp create --resource-group az-vuln-app --plan vulnapp67plan --name vulnapp67 --deployment-container-image-name vulnapp67acr.azurecr.io/vulnapp67:v1
   ```

9. Set Docker Container Configuration:

   ```sh
   az webapp config container set --name vulnapp67 --resource-group az-vuln-app --docker-custom-image-name vulnapp67acr.azurecr.io/vulnapp67:v1 --docker-registry-server-url https://vulnapp67acr.azurecr.io
   ```

10. Get the Web App URL:

    ```sh
    az webapp show --name vulnapp67 --resource-group az-vuln-app --query defaultHostName -o tsv
    ```
The following step is only needed if admin access on the ACR is not used.

11. Set Docker Registry Credentials (if required):

    ```sh
    az webapp config container set --name vulnapp67 --resource-group az-vuln-app --docker-custom-image-name vulnapp67acr.azurecr.io/vulnapp67:v1 --docker-registry-server-url https://vulnapp67acr.azurecr.io --docker-registry-server-user vulnapp67acr --docker-registry-server-password <ACR_PASSWORD>
    ```

12. Retrieve the Web App URL again:

    ```sh
    az webapp show --name vulnapp67 --resource-group az-vuln-app --query defaultHostName -o tsv
    ```