skip bank routing value validation if it's empty
disable research page
remove the livereload script
Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
OWASP Top 10 for Node.js web applications:
Tutorial Guide explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent it.
A Vulnerable Node.js App for Ninjas to exploit, toast, and fix. You may like to set up your own copy of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
The database comes pre-populated with these user accounts created as part of the seed data -
The the quickest way to get running with NodeGoat is to click the button below to deploy it on Heroku.
Even though it is not essential, but recommended that you fork this repository and deploy the forked repo. This would allow you to fix vulnerabilities in your own forked version, and deploy and test it on heroku.
This Heroku instance uses Free ($0/month) node server and MongoLab add-on.
If you do not wish to run NodeGoat on Heroku, please follow these steps to setup and run it locally -
Install Node.js - NodeGoat requires Node v4.4 or above
Clone the github repository
git clone https://github.com/OWASP/NodeGoat.git
*go to the directory
cd NodeGoat
npm install
Create Mongo DB: You can create a remote MongoDB instance or use local mongod installation
db
property in file config/env/development.js
to reflect your DB setup. (in format: mongodb://<username>:<password>@<databasename>
)db
property in file config/env/development.js
to reflect your DB setup. (in format: mongodb://localhost:27017/<databasename>
)Populate MongoDB with seed data required for the app
npm run db:seed
npm start
You need to install docker and docker compose to be able to use this option
The repo includes the Dockerfile and docker-compose.yml necessary to setup the app and the db instance then connect them together.
config/env/development.js
to point to the respective Docker container.db: "mongodb://mongo:27017/nodegoat",
docker-compose build
docker-compose up
The default application settings (database url, http port, etc.) can be changed by updating the [config file] (https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).
Contributions from community are key to make NodeGoat a high quality comprehensive resource. Lets make NodeGoat awesome together!
Depending on your preference, you can contribute in various ways. Here are tasks planned for upcoming release. You can also open an issue, sending a PR, or get in touch on Gitter Chat or Slack
If sending PR, once code is ready to commit, run:
npm run precommit
This command uses js-beautifier
to indent the code and verifies these coding standards using jsHint
. Please resolve all jsHint
errors before committing the code.
Here are the amazing contributors to the NodeGoat project.
Code licensed under the Apache License v2.0.