{"id":13351887,"url":"https://github.com/OWASP/NodeGoat","last_synced_at":"2025-03-12T10:30:53.799Z","repository":{"id":37884541,"uuid":"13752333","full_name":"OWASP/NodeGoat","owner":"OWASP","description":"The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.","archived":false,"fork":false,"pushed_at":"2024-06-15T01:20:40.000Z","size":9227,"stargazers_count":1918,"open_issues_count":43,"forks_count":1754,"subscribers_count":78,"default_branch":"master","last_synced_at":"2025-03-06T06:09:12.665Z","etag":null,"topics":["docker","heroku","javascript","nodegoat","nodejs","owasp-top-ten","owasp-zap","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-10-21T19:14:52.000Z","updated_at":"2025-03-05T00:36:22.000Z","dependencies_parsed_at":"2023-02-19T03:40:35.594Z","dependency_job_id":"5819d822-c5c6-42d6-9c0f-f1a2dc638245","html_url":"https://github.com/OWASP/NodeGoat","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FNodeGoat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FNodeGoat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FNodeGoat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FNodeGoat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/NodeGoat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243199999,"owners_count":20252524,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","heroku","javascript","nodegoat","nodejs","owasp-top-ten","owasp-zap","vulnerabilities"],"created_at":"2024-07-29T21:01:05.444Z","updated_at":"2025-03-12T10:30:53.152Z","avatar_url":"https://github.com/OWASP.png","language":"HTML","readme":"# NodeGoat\n\nBeing lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.\n\n## Getting Started\n\nOWASP Top 10 for Node.js web applications:\n\n### Know it!\n\nThis application bundled a tutorial page that explains the OWASP Top 10 vulnerabilities and how to fix them.\n\nOnce the application is running, you can access the tutorial page at [http://localhost:4000/tutorial](http://localhost:4000/tutorial) (or the port you have configured).\n\n### Do it!\n\n[A Vulnerable Node.js App for Ninjas](http://nodegoat.herokuapp.com/) to exploit, toast, and fix. You may like to [set up your own copy](#how-to-set-up-your-copy-of-nodegoat) of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.\n\n##### Default user accounts\n\nThe database comes pre-populated with these user accounts created as part of the seed data -\n* Admin Account - u:`admin` p:`Admin_123`\n* User Accounts (u:`user1` p:`User1_123`), (u:`user2` p:`User2_123`)\n* New users can also be added using the sign-up page.\n\n## How to Set Up Your Copy of NodeGoat\n\n### OPTION 1 - Run NodeGoat on your machine\n\n1) Install [Node.js](http://nodejs.org/) - NodeGoat requires Node v8 or above\n\n2) Clone the github repository:\n   ```\n   git clone https://github.com/OWASP/NodeGoat.git\n   ```\n\n3) Go to the directory:\n   ```\n   cd NodeGoat\n   ```\n\n4) Install node packages:\n   ```\n   npm install\n   ```\n\n5) Set up MongoDB. You can either install MongoDB locally or create a remote instance:\n\n   * Using local MongoDB:\n     1) Install [MongoDB Community Server](https://docs.mongodb.com/manual/administration/install-community/)\n     2) Start [mongod](http://docs.mongodb.org/manual/reference/program/mongod/#bin.mongod)\n\n   * Using remote MongoDB instance:\n     1) [Deploy a MongoDB Atlas free tier cluster](https://docs.atlas.mongodb.com/tutorial/deploy-free-tier-cluster/) (M0 Sandbox)\n     2) [Enable network access](https://docs.atlas.mongodb.com/security/add-ip-address-to-list/) to the cluster from your current IP address\n     3) [Add a database user](https://docs.atlas.mongodb.com/tutorial/create-mongodb-user-for-cluster/) to the cluster\n     4) Set the `MONGODB_URI` environment variable to the connection string of your cluster, which can be viewed in the cluster's\n        [connect dialog](https://docs.atlas.mongodb.com/tutorial/connect-to-your-cluster/#connect-to-your-atlas-cluster). Select \"Connect your application\",\n        set the driver to \"Node.js\" and the version to \"2.2.12 or later\". This will give a connection string in the form:\n        ```\n        mongodb://\u003cusername\u003e:\u003cpassword\u003e@\u003ccluster\u003e/\u003cdbname\u003e?ssl=true\u0026replicaSet=\u003crsname\u003e\u0026authSource=admin\u0026retryWrites=true\u0026w=majority\n        ```\n        The `\u003cusername\u003e` and `\u003cpassword\u003e` fields need filling in with the details of the database user added earlier. The `\u003cdbname\u003e` field sets the name of the\n        database nodegoat will use in the cluster (eg \"nodegoat\"). The other fields will already be filled in with the correct details for your cluster.\n\n6) Populate MongoDB with the seed data required for the app:\n   ```\n   npm run db:seed\n   ```\n   By default this will use the \"development\" configuration, but the desired config can be passed as an argument if required.\n\n7) Start the server. You can run the server using node or nodemon:\n   * Start the server with node. This starts the NodeGoat application at [http://localhost:4000/](http://localhost:4000/):\n     ```\n     npm start\n     ```\n   * Start the server with nodemon, which will automatically restart the application when you make any changes. This starts the NodeGoat application at [http://localhost:5000/](http://localhost:5000/):\n     ```\n     npm run dev\n     ```\n\n#### Customizing the Default Application Configuration\n\nBy default the application will be hosted on port 4000 and will connect to a MongoDB instance at localhost:27017. To change this set the environment variables `PORT` and `MONGODB_URI`.\n\nOther settings can be changed by updating the [config file](https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).\n\n### OPTION 2 - Run NodeGoat on Docker\n\nThe repo includes the Dockerfile and docker-compose.yml necessary to set up the app and db instance, then connect them together.\n\n1) Install [docker](https://docs.docker.com/installation/) and [docker compose](https://docs.docker.com/compose/install/) \n\n2) Clone the github repository:\n   ```\n   git clone https://github.com/OWASP/NodeGoat.git\n   ```\n\n3) Go to the directory:\n   ```\n   cd NodeGoat\n   ```\n\n4) Build the images:\n   ```\n   docker-compose build\n   ```\n\n5) Run the app, this starts the NodeGoat application at http://localhost:4000/:\n   ```\n   docker-compose up\n   ```\n\n### OPTION 3 - Deploy to Heroku\n\nThis option uses a free ($0/month) Heroku node server.\n\nThough not essential, it is recommended that you fork this repository and deploy the forked repo.\nThis will allow you to fix vulnerabilities in your own forked version, then deploy and test it on Heroku.\n\n1) Set up a publicly accessible MongoDB instance:\n   1) [Deploy a MongoDB Atlas free tier cluster](https://docs.atlas.mongodb.com/tutorial/deploy-free-tier-cluster/) (M0 Sandbox)\n   2) [Enable network access](https://docs.atlas.mongodb.com/security/ip-access-list/#add-ip-access-list-entries) to the cluster from anywhere (CIDR range 0.0.0.0/0)\n   3) [Add a database user](https://docs.atlas.mongodb.com/tutorial/create-mongodb-user-for-cluster/) to the cluster\n\n2) Deploy NodeGoat to Heroku by clicking the button below:\n\n   [![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)\n\n   In the Create New App dialog, set the `MONGODB_URI` config var to the connection string of your MongoDB Atlas cluster.\n   This can be viewed in the cluster's [connect dialog](https://docs.atlas.mongodb.com/tutorial/connect-to-your-cluster/#connect-to-your-atlas-cluster).\n   Select \"Connect your application\", set the driver to \"Node.js\" and the version to \"2.2.12 or later\".\n   This will give a connection string in the form:\n   ```\n   mongodb://\u003cusername\u003e:\u003cpassword\u003e@\u003ccluster\u003e/\u003cdbname\u003e?ssl=true\u0026replicaSet=\u003crsname\u003e\u0026authSource=admin\u0026retryWrites=true\u0026w=majority\n   ```\n   The `\u003cusername\u003e` and `\u003cpassword\u003e` fields need filling in with the details of the database user added earlier. The `\u003cdbname\u003e` field sets the name of the\n   database nodegoat will use in the cluster (eg \"nodegoat\"). The other fields will already be filled in with the correct details for your cluster.\n\n## Report bugs, Feedback, Comments\n\n*  Open a new [issue](https://github.com/OWASP/NodeGoat/issues) or contact team by joining chat at [Slack](https://owasp.slack.com/messages/project-nodegoat/) or [![Join the chat at https://gitter.im/OWASP/NodeGoat](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/OWASP/NodeGoat?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n\n## Contributing\n\nPlease Follow [the contributing guide](CONTRIBUTING.md)\n\n## Code Of Conduct (CoC)\n\nThis project is bound by a [Code of Conduct](CODE_OF_CONDUCT.md).\n\n## Contributors\n\nHere are the amazing [contributors](https://github.com/OWASP/NodeGoat/graphs/contributors) to the NodeGoat project.\n\n## Supports\n\n- Thanks to JetBrains for providing licenses to fantastic [WebStorm IDE](https://www.jetbrains.com/webstorm/) to build this project.\n\n## License\n\nCode licensed under the [Apache License v2.0.](http://www.apache.org/licenses/LICENSE-2.0)\n","funding_links":[],"categories":["HTML","Tools","Hacking Playground","Extra","vulnerabilities","🔐 Vulnerable APIs","🕸️ Vulnerable Web Applications","Vulnerable Web apps:","NodeJS"],"sub_categories":["Intentionally Vulnerable Applications","Vulnerable apps","Node"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FNodeGoat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOWASP%2FNodeGoat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FNodeGoat/lists"}