
The Broken Web App

By GoNode

Quick Intro

An app developed to teach web application security lessons to Node.js web developers. It shows how each of the OWASP Top 10 categories of vulnerabilities can manifest itself in a Node.js-specific way and provides the corresponding mitigation for each in the accompanying tutorial guide.

Description

The entry includes two components: a vulnerable Node.js web application, and a tutorial guide.

The web application allows managing the retirement savings plan for employees of a fictitious corporation. Along with retirement savings balances, it handles sensitive personal information of employees, such as tax ID and date of birth, in an insecure way.

The accompanying tutorial guide explains each of the OWASP Top 10 vulnerabilities in depth, including how the attack scenario manifests in the target application and how to prevent it.

This project will be further enhanced and opened to the Node.js community for contributions under the OWASP Node.js Goat Project (https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project).

Judging Instructions
  1. Access the application using the URL http://gonode.2013.nodeknockout.com/
  2. Sign up as a new user using dummy personal information (knowing the app is super insecure).
  3. Access the tutorial guide in another tab to learn about the vulnerabilities present in the application.
  4. Vote if you like it :)
What they Used
  1. Node.js Express framework
  2. MongoDB (hosted at https://app.mongohq.com using a free account)
  3. SB Admin, a free admin theme for Bootstrap 3
  4. jquery.js
  5. Tablesorter 2.0 - flexible client-side table sorting (MIT or GPL licensed)
  6. morris.js - a BSD-licensed jQuery charts plugin
  7. Swig JavaScript template engine - MIT open source license

Other Votes

  • contestant

    Useful!

  • contestant

    Learning Objects Inc.

    This is a cool way to learn about common vulnerabilities and their fixes.

    Wasn't sure what to do initially. I thought there'd be stuff in the app saying "look at this, this is a vulnerability" but then realized I was supposed to find them myself.

    It'd be neat if it showed "before" and "after" code examples that fixed each issue. Maybe links to diffs in github.

    Also maybe something like a "show me the problem" button which kicks off an http://bootstraptour.com tour pointing out security flaws.

    Random note: Ran into a 404 when clicking "Heaven Corp" header (went to http://gonode.2013.nodeknockout.com/index.html)

    • ckarande
      contestant

      Thank you for the detailed feedback. I really appreciate it. I liked the suggestion of using Bootstrap Tour and GitHub diffs. I will enhance the app to incorporate your feedback. Thanks!

  • judge

    The design is pretty clean/neat, and the idea itself is not bad, but it's a shame the tutorial was so incomplete; I would have liked to see more of the examples.

  • contestant

    Hacker School

  • contestant

    YouMeb

    A nice and useful application, but the demo movie is too long... maybe you should try to show your application's good parts in a short time :D

  • contestant

    Wow really cool project!

  • contestant

    Spatial Automation Lab -- University of Wisconsin, Madison / 3D Systems / Bespoke Innovations

    This is a pretty good idea, and I think a demo like this could be useful as part of a course. Nice work!

  • judge

    Good idea - helpful to show people how sites can be vulnerable - and how to protect themselves. Looks like the team didn't get to complete a lot of the demos / notes.

  • contestant

    I think this could be really helpful if presented right. Having an interactive walkthrough of the OWASP Top 10 would have been great.

  • judge

    Modulus

  • contestant

    Very useful and good for teaching security concepts.

  • contestant

    Great entry! It would be nice to see a better integration between the demo application and the tutorial.

  • contestant

    It's nice to have a web app which simulates security vulnerabilities so you don't have to set something up locally. Although your documentation lists a lot of those issues, only a few are implemented.

  • contestant

    CARFAX

    This is a useful application, good job.

  • contestant

    Foliotek

    Amazing learning tool. Great job.

  • judge

IMPORTANT DATES

  • Registration: Sep 17
  • Competition: Nov 9-11 UTC
  • Judging: Nov 11-17
  • Winners: Nov 18