DVNA – Damn Vulnerable NodeJS Application

DVNA (Damn Vulnerable NodeJS Application) is a simple NodeJS application that demonstrates the OWASP Top 10 vulnerabilities and gives guidance on fixing and avoiding them. The fixes branch will contain fixes for the vulnerabilities.


The application comes with a developer-friendly, comprehensive guidebook that can be used to learn about, avoid and fix the vulnerabilities:

  1. Instructions for setting up DVNA
  2. Instructions on exploiting the vulnerabilities
  3. Vulnerable code snippets and instructions on fixing vulnerabilities
  4. Recommendations for avoiding such vulnerabilities
  5. References for learning more

One of the OWASP Top 10 vulnerabilities is Insufficient Logging and Monitoring. Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Logging and monitoring are insufficient when:

  • Auditable events, such as logins, failed logins, and high-value transactions are not logged.
  • Warnings and errors generate no, inadequate, or unclear log messages.
  • Logs of applications and APIs are not monitored for suspicious activity.
  • Logs are only stored locally.
  • Appropriate alerting thresholds and response escalation processes are not in place or effective.
  • Penetration testing and scans by DAST tools (such as OWASP ZAP) do not trigger alerts.
  • The application is unable to detect, escalate, or alert for active attacks in real time or near real time.

The recommendation, and the fix that was committed, is to log all sensitive operations by default and to ensure that the logs are stored and processed securely.
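
The recommendation above, as an added Node.js example (not code from DVNA or its fixes branch): an audit logger that writes one JSON record per sensitive event, redacts secrets, and raises an alert after repeated failed logins from one address. The function names, field names, threshold values and sample events are assumptions constructed for illustration.

```javascript
// Added example (not DVNA code); every name here is hypothetical.
const SENSITIVE_KEYS = new Set(['password', 'token', 'secret']);

// Copy event details: redact secrets, coerce everything else to bounded strings.
function scrub(details) {
  const out = {};
  for (const [key, value] of Object.entries(details || {})) {
    out[key] = SENSITIVE_KEYS.has(key.toLowerCase())
      ? '[REDACTED]'
      : String(value).slice(0, 256);
  }
  return out;
}

function createAuditLogger({ sink, alert, maxFailures = 5, windowMs = 60000, now = Date.now }) {
  const failures = new Map(); // source IP -> timestamps of recent failed logins
  return function audit(event, details) {
    const ts = now();
    const record = { ts: new Date(ts).toISOString(), event, details: scrub(details) };
    // JSON.stringify escapes CR/LF, so user input cannot forge extra log lines.
    sink(JSON.stringify(record));
    if (event === 'login_failed') {
      const ip = record.details.ip || 'unknown';
      const recent = (failures.get(ip) || []).filter((t) => ts - t < windowMs);
      recent.push(ts);
      failures.set(ip, recent);
      // Fire once when the threshold is reached inside the window.
      if (recent.length === maxFailures) {
        alert({ rule: 'repeated_login_failure', ip, count: recent.length });
      }
    }
    return record;
  };
}

// Constructed sample run: five failed logins from one address, one second apart.
function runConstructedDemo() {
  const lines = [];
  const alerts = [];
  let clock = Date.UTC(2024, 0, 1);
  const audit = createAuditLogger({
    sink: (line) => lines.push(line),
    alert: (a) => alerts.push(a),
    now: () => clock,
  });
  for (let i = 0; i < 5; i++) {
    audit('login_failed', { ip: '203.0.113.7', username: 'admin\nts=forged', password: 'hunter2' });
    clock += 1000;
  }
  audit('login_succeeded', { ip: '198.51.100.4', username: 'alice' });
  return { lines, alerts };
}
```

In a deployment, `sink` would forward each line to a central log store instead of an in-memory array, which covers the "logs are only stored locally" item, and `alert` would feed whatever escalation process is in place.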

You can read more and download the framework over here: https://github.com/appsecco/dvna
