{"id":13649858,"url":"https://github.com/snoopysecurity/dvws-node","last_synced_at":"2025-04-04T23:09:27.392Z","repository":{"id":39517744,"uuid":"253220810","full_name":"snoopysecurity/dvws-node","owner":"snoopysecurity","description":"Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities. ","archived":false,"fork":false,"pushed_at":"2023-10-19T19:34:53.000Z","size":375,"stargazers_count":396,"open_issues_count":4,"forks_count":164,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-02-15T12:32:43.217Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snoopysecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-04-05T11:40:11.000Z","updated_at":"2024-02-10T11:38:15.000Z","dependencies_parsed_at":"2024-01-13T12:52:32.079Z","dependency_job_id":"ade8b415-70b3-40c9-9497-ffdc0f12eba2","html_url":"https://github.com/snoopysecurity/dvws-node","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snoopysecurity%2Fdvws-node","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snoopysecurity%2Fdvws-node/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snoopysecurity%2Fdvws-node/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snoopysecurity%2Fdvws-node/manifests"
,"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snoopysecurity","download_url":"https://codeload.github.com/snoopysecurity/dvws-node/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247261612,"owners_count":20910108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T02:00:28.336Z","updated_at":"2025-04-04T23:09:27.376Z","avatar_url":"https://github.com/snoopysecurity.png","language":"JavaScript","readme":"[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/snoopysecurity/dvws-node) \n\n# dvws-node\nDamn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.  
This is a replacement for https://github.com/snoopysecurity/dvws\n\n![DVWS](https://github.com/snoopysecurity/Public/blob/master/dvws/dvws.png)\n\nThis vulnerable application contains the following API/Web Service vulnerabilities:\n\n* Insecure Direct Object Reference\n* Horizontal Access Control Issues\n* Vertical Access Control Issues\n* Mass Assignment\n* Cross-Site Scripting \n* NoSQL Injection\n* Server Side Request Forgery\n* JSON Web Token (JWT) Secret Key Brute Force\n* Information Disclosure\n* Hidden API Functionality Exposure\n* Cross-Origin Resource Sharing Misconfiguration\n* JSON Hijacking\n* SQL Injection\n* XML External Entity Injection (XXE)\n* Command Injection\n* XPATH Injection\n* XML-RPC User Enumeration\n* Open Redirect\n* Path Traversal\n* Unsafe Deserialization \n* Sensitive Data Exposure\n* GraphQL Access Control Issues\n* GraphQL Introspection Enabled\n* GraphQL Arbitrary File Write\n* GraphQL Batching Brute Force\n* Client Side Template Injection\n\n## Set Up Instructions\n\n### Manual (Preferred Method)\n\n**Node and NPM are needed to run dvws-node**\n\nTested on:\n* node v16.19.0\n* npm 8.19.3\n\n\nSet up a MongoDB environment to listen on port `27017`. Docker can be used to quickly set this up. 
\n\n```\ndocker run -d -p 27017-27019:27017-27019 --name dvws-mongo mongo:4.0.4\n```\n\nCreate a MySQL database which listens on port `3306`. Docker can be used as follows:\n\n```\ndocker run -p 3306:3306 --name dvws-mysql -e MYSQL_ROOT_PASSWORD=mysecretpassword -e MYSQL_DATABASE=dvws_sqldb -d mysql:8\n```\n\nGit clone the DVWS repository \n\n```\ngit clone https://github.com/snoopysecurity/dvws-node.git\n```\n\nChange directory to DVWS\n\n```\ncd dvws-node\n```\n\nInstall all dependencies with npm (building from source is needed for `libxmljs`; you might also need to install libxml depending on your OS: `sudo apt-get install -y libxml2 libxml2-dev`)\n\n\n```\nnpm install --build-from-source\n```\n\n\n\nRun the startup script, which creates some test data\n\n```\nnode startup_script.js\n```\n\nTo start the application/API, run (**sudo privileges** are needed to bind to ports)\n\n```\nsudo npm start\n```\n\nWithin your /etc/hosts file, ensure dvws.local resolves to localhost. This ensures URLs from Swagger are resolved correctly (optional)\n\n```\n127.0.0.1    dvws.local\n```\n\n### Docker Compose\n\nIf you have docker compose installed on your system, all you need to do is:\n\nClone DVWS\n\n```\ngit clone https://github.com/snoopysecurity/dvws-node.git\n```\nChange directory to dvws-node \n\n```\ncd dvws-node\n```\nStart Docker\n```\ndocker-compose up\n```\nThis will start the dvws service with the backend MySQL database and the NoSQL database.\n\nIf the DVWS web service doesn't start because of delayed MongoDB or MySQL setup, then increase the value of the environment variable `WAIT_HOSTS_TIMEOUT`\n\n\n\n## Solutions\n* [DVWS Solutions Wiki](https://github.com/snoopysecurity/dvws-node/wiki)\n\n\n\n## To Do\n* Cross-Site Request Forgery (CSRF)\n* XML Bomb Denial-of-Service\n* API Endpoint Brute Forcing\n* Web Socket Security\n* Type Confusion\n* LDAP Injection\n* SOAP Injection\n* XML Injection\n* GraphQL Denial of Service\n* CRLF Injection\n* GraphQL Injection\n* Webhook 
security\n\n\n## Any Questions\n\nOpen a GitHub Issue :) \n","funding_links":[],"categories":["Deliberately vulnerable APIs","Technologies","Vulnerable Web apps:","API"],"sub_categories":["Node.js","Node"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnoopysecurity%2Fdvws-node","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnoopysecurity%2Fdvws-node","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnoopysecurity%2Fdvws-node/lists"}