This is an intentionally vulnerable JavaScript/Express.js application designed for testing security remediation tools and learning about common web application vulnerabilities.
This application is designed to:
- Test automated security scanning and remediation tools
- Demonstrate common OWASP Top 10 vulnerabilities
- Provide a realistic codebase with 200+ dependency vulnerabilities
- Showcase different vulnerability remediation scenarios
- User authentication (with vulnerabilities)
- File upload/download
- Database operations (simulated)
- External API integration
- Search functionality
- Admin operations
- Multiple data parsers (XML, YAML, JSON)
| Vulnerability | CWE | Line | Severity |
|---|---|---|---|
| Hardcoded Secrets | CWE-798 | 26-28 | HIGH |
| SQL Injection | CWE-89 | 60-65 | CRITICAL |
| Command Injection | CWE-78 | 76-83 | CRITICAL |
| Path Traversal | CWE-22 | 87-96 | HIGH |
| Unrestricted File Upload | CWE-434 | 100-108 | HIGH |
| Cross-Site Scripting (XSS) | CWE-79 | 112-116 | HIGH |
| Server-Side Request Forgery (SSRF) | CWE-918 | 120-129 | HIGH |
| Remote Code Execution (eval) | CWE-94 | 133-141 | CRITICAL |
| Missing Authentication | CWE-862 | 145-154 | CRITICAL |
| Insecure Direct Object Reference | CWE-639 | 158-166 | MEDIUM |
| XML External Entity (XXE) | CWE-611 | 170-179 | HIGH |
| YAML Deserialization | CWE-502 | 183-191 | HIGH |
| Mass Assignment | CWE-915 | 195-204 | MEDIUM |
| Sensitive Data Exposure | CWE-200 | 208-218 | HIGH |
| Regex Denial of Service (ReDoS) | CWE-1333 | 222-228 | MEDIUM |
| Insufficient Logging | CWE-778 | 232-236 | LOW |
| Insecure Randomness | CWE-330 | 240-245 | MEDIUM |
| Open Redirect | CWE-601 | 249-253 | MEDIUM |
| Prototype Pollution | CWE-1321 | 257-262 | HIGH |
| Information Disclosure | CWE-209 | 272-279 | MEDIUM |
| Insecure Session Config | CWE-1004 | 41-49 | MEDIUM |
| CORS Misconfiguration | CWE-942 | 52-57 | MEDIUM |
This application uses 60+ outdated packages from 2017-2018, each with multiple known CVEs:
High-CVE Packages:
lodash@4.17.4- Prototype pollution, ReDoS (10+ CVEs)moment@2.19.3- ReDoS, inefficient regex (5+ CVEs)axios@0.18.0- SSRF, request smuggling (3+ CVEs)express@4.16.0- Various security issues (5+ CVEs)ejs@2.5.7- RCE vulnerabilities (2+ CVEs)jsonwebtoken@8.1.0- Algorithm confusion (2+ CVEs)mongoose@5.0.0- Prototype pollution, query injection (5+ CVEs)request@2.88.0- DEPRECATED - SSRF, various issues (10+ CVEs)marked@0.3.17- XSS, RCE (5+ CVEs)handlebars@4.0.11- Prototype pollution, RCE (3+ CVEs)
Expected Total: 200-250 vulnerabilities from dependencies alone
This application includes various remediation scenarios:
lodash 4.17.4 → 4.17.21moment 2.19.3 → 2.29.4axios 0.18.0 → 1.6.0
- Fix
minimistby upgradingyargs - Fix
memby upgradingyargs - Many transitive vulnerabilities through Express/Mongoose
- Multiple packages depend on vulnerable
minimist - Multiple packages depend on vulnerable
lodash
- Use
resolutionsin package.json for transitive deps - Require
npm audit fix --forcefor some issues - Need to relock with
npm installafter changes
requestis deprecated → migrate toaxiosorgot- Major version jumps require code changes
- API signature changes in several packages
request- deprecated, no longer maintained- Several packages with archived GitHub repos
- Deep transitive chains requiring upstream fixes
- Packages with no available patches
- Vulnerabilities in end-of-life packages
# Install dependencies (will show many vulnerabilities)
npm install
# Run the vulnerable application
npm start
# Application will run on http://localhost:3000# Run Snyk test
snyk test
# Expected output: 200+ vulnerabilities
# View dependency tree
snyk test --print-deps
# Generate JSON report
snyk test --json > snyk-report.jsonAll endpoints are intentionally vulnerable:
POST /api/login- SQL InjectionGET /api/ping?host=example.com- Command InjectionGET /api/files?filename=test.txt- Path TraversalPOST /api/upload- Unrestricted File UploadGET /api/search?query=<script>- XSSGET /api/proxy?url=http://internal- SSRFPOST /api/calculate- RCE via evalDELETE /api/admin/users/1- Missing AuthGET /api/users/1- IDORPOST /api/parse-xml- XXEPOST /api/parse-yaml- YAML DeserializationPOST /api/register- Mass AssignmentGET /api/debug- Data ExposurePOST /api/validate-email- ReDoSGET /api/token- Weak RandomnessGET /redirect?url=- Open RedirectPOST /api/merge- Prototype Pollution
The .env file contains exposed secrets (intentionally committed):
- Database credentials
- API keys (AWS, Stripe, GitHub, Google, SendGrid, Twilio)
- JWT secrets
- Private keys
- ✅ A01:2021 - Broken Access Control
- ✅ A02:2021 - Cryptographic Failures
- ✅ A03:2021 - Injection
- ✅ A04:2021 - Insecure Design
- ✅ A05:2021 - Security Misconfiguration
- ✅ A06:2021 - Vulnerable and Outdated Components
- ✅ A07:2021 - Identification and Authentication Failures
- ✅ A08:2021 - Software and Data Integrity Failures
- ✅ A09:2021 - Security Logging and Monitoring Failures
- ✅ A10:2021 - Server-Side Request Forgery
curl -X POST http://localhost:3000/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin'\''--","password":"anything"}'curl "http://localhost:3000/api/ping?host=127.0.0.1;ls -la"curl "http://localhost:3000/api/files?filename=../../etc/passwd"curl -X POST http://localhost:3000/api/calculate \
-H "Content-Type: application/json" \
-d '{"expression":"require('\''child_process'\'').exec('\''ls'\'')"}See REMEDIATION.md for detailed remediation steps for each vulnerability type.
MIT License - Use for educational and testing purposes only.
DO NOT use this application in production environments. It contains intentional security vulnerabilities and should only be used in isolated, controlled environments for security testing and education.