{"id":18284491,"url":"https://github.com/samuraiwtf/musashi-js","last_synced_at":"2025-04-05T07:31:45.654Z","repository":{"id":38818526,"uuid":"172387860","full_name":"SamuraiWTF/musashi-js","owner":"SamuraiWTF","description":"A set of Node applications for demonstrating web security concepts. Created for use in Samurai WTF.","archived":false,"fork":false,"pushed_at":"2023-08-17T19:50:59.000Z","size":720,"stargazers_count":6,"open_issues_count":3,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-21T00:32:53.103Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Nunjucks","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SamuraiWTF.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-24T20:42:02.000Z","updated_at":"2022-06-07T19:22:12.000Z","dependencies_parsed_at":"2024-11-05T13:13:56.878Z","dependency_job_id":"2fe16288-be31-4239-b490-3db1d9f5f54a","html_url":"https://github.com/SamuraiWTF/musashi-js","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuraiWTF%2Fmusashi-js","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuraiWTF%2Fmusashi-js/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuraiWTF%2Fmusashi-js/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SamuraiWTF%2Fmusashi-js/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/owners/SamuraiWTF","download_url":"https://codeload.github.com/SamuraiWTF/musashi-js/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247305872,"owners_count":20917197,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-05T13:13:43.795Z","updated_at":"2025-04-05T07:31:40.645Z","avatar_url":"https://github.com/SamuraiWTF.png","language":"Nunjucks","funding_links":[],"categories":[],"sub_categories":[],"readme":"# musashi-js\n[![Build Status](https://travis-ci.org/SamuraiWTF/musashi-js.svg?branch=master)](https://travis-ci.org/SamuraiWTF/musashi-js)\n\nMusashi.js is a set of Node applications for demonstrating web security concepts. Created for use in Samurai WTF.\n\n## Applications Ready for General Use\n - CORS Demonstrator\n - CSP Demonstrator\n\n ## Unusable Applications (Work-in-Progress or Roadmap)\n - JWT Demo\n - OAuth Demonstrator\n - Sandbox for CSRF, CORS, XSS exercises\n - Help page\n\n## Starting the services\nYou need Node and Yarn installed and in the path.\n 1. Clone this repo\n 2. `yarn install`\n 3. Create a `.env` that's appropriate to your environment. The [sample.env](sample.env) file is available as a reference. Detailed further in the following section.\n 4. `yarn start`\n\n## Customizing your .env\nThere are a handful of settings in the `.env` file. 
Here's what they are and what they do:\n - **CORS_API_PORT** (default: `3020`) - Port to bind to for the CORS Demonstrator API\n - **CORS_API_HOST** (default: `localhost:3020`) - Hostname for the CORS Demonstrator API, used to populate defaults in the CORS demo client\n - **CORS_CLIENT_HOST** (default: `localhost:3021`) - Hostname for the CORS demonstrator client, used to dynamically generate Regex-based CORS policies\n - **CORS_CLIENT_PORT** (default: `3021`) - Port to bind to for the CORS client\n - **OAUTH_PROVIDER_PORT** (default: `3030`) - Port to bind to for the OAuth Identity Provider *(Currently disabled)*\n - **OAUTH_CLIENT_PORT** (default: `3031`) - Port to bind to for the OAuth Client app *(Currently disabled)*\n - **CSP_APP_PORT** (default: `3041`) - Port to bind to for the Content Security Policy demo app\n - **USE_TLS** (default: `FALSE`) - Affects the protocol used in the CORS demonstrator to call the API. `TRUE` for **https**, `FALSE` for **http**. *This does not actually enable TLS on the listener at this time. It's useful if going through a reverse-proxy with TLS enabled. In a future release, it will be required that this be TRUE. This is due to coming changes in standard browser behavior around cookies.*\n - **KEYSTORE_FILE** (default: undefined) - Optional path to a PKCS#12 keystore file for using a self-signed certificate. For example, this can be an exported certificate from Burp Suite. Note that USE_TLS must be `TRUE` for this to function properly.\n - **KEYSTORE_PASS** (default: undefined) - Required if `KEYSTORE_FILE` is defined. It is the passphrase for the keystore file.\n\nHere's a default local dev configuration:\n```\nCORS_API_PORT=3020\nCORS_API_HOST=localhost:3020\nCORS_CLIENT_HOST=localhost:3021\nCORS_CLIENT_PORT=3021\nOAUTH_PROVIDER_PORT=3030\nOAUTH_CLIENT_PORT=3031\nCSP_APP_PORT=3041\nUSE_TLS=FALSE\n```\n\n## CORS Demonstrator\n### Usage\n 1. Open the CORS Client app, which is on localhost:3021 by default.\n 2. 
The API URL box will indicate the actual hostname/port that will be targeted for your API. If you're not using a reverse proxy or hostname resolution, localhost:3020 would be the right default value here. This value can be modified in the *Settings* page if necessary, although only the home page will be affected. Typically if this is incorrect, it should be corrected in the `.env`, which will necessitate restarting the application.\n 3. The policy selector on the top right lets you set which CORS policy you're reaching on the server. The Regex option is dynamically generated based on the **CORS_CLIENT_HOST** supplied in the `.env` file. It allows that Origin, and subdomains of that Origin.\n 4. Down the left side of the *Home* page are a variety of request types. The Auth one will take any set of credentials and will set a cookie. It is *never* blocked by a CORS policy. The other request types all require an auth cookie.\n 5. The *Exercises* each provide a scenario, a goal (success condition), and the ability to generate a sample request. Note that the `Origin` header in the sample request may not be an allowed Origin in the context of the exercise. The scenario will explain what the intended behavior is. Exercises are completed by modifying the request in your interception proxy until the goal is met. There is no automatic detection of success; it is up to the student to determine, based on the response, whether they have met the goal.\n\n### Additional notes\n - Some of the HTTP Methods used will always trigger a CORS preflight (e.g. PUT and DELETE)\n - When set to Same-Origin (no CORS policy), the CORS middleware isn't used at all, and therefore preflights will get an Unauthorized response.\n\n\n ## CSP Demonstrator\n ### Usage\n  1. Open the CSP app, which is localhost:3041 by default. This should match the port specified in your `.env`.\n  2. 
The home page provides the ability to execute XSS-style JavaScript payloads through both reflected and DOM-based interactions. There is no filtering on these.\n  3. The *Set CSP* page allows you to set a custom content-security-policy. This applies across the application, except on the *Set CSP* page itself. It may not have every directive, but all of the common ones and some of the uncommon ones are included. Including the string `$nonce` in any of the directives will have it replaced with an actual generated nonce dynamically when the policy header is served.\n  4. Each of the *Exercises* provides a CSP bypass or evasion challenge. They each have a button that replaces the application's CSP with the challenge CSP. They also have directions explaining the success condition for the exercise.\n \n## Running from a docker container\nWe have a Dockerfile!  So you can build and run the dockerized version as a convenience.\n\n### Building the docker image\n```\ndocker build -t musashi-js .\n```\n### Running the docker image\n```\ndocker run -p 3020:3020 -p 3021:3021 -p 3030:3030 -p 3031:3031 -p 3041:3041 musashi-js\n```\n\n_Note: The ports are mapped to the same ports as the default configuration.  If you change the ports in your .env file, you will need to change the port mappings in the docker run command._","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamuraiwtf%2Fmusashi-js","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamuraiwtf%2Fmusashi-js","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamuraiwtf%2Fmusashi-js/lists"}