NodeGoat

Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

How to Install and Run NodeGoat

Requirements

1. Install Node.js - NodeGoat requires Node v0.10.*
2. Git command line tools - follow the setup instructions on GitHub or download here

Getting a Copy of the Code

Open a command prompt / terminal window and run the command below from the parent directory inside which you would like the NodeGoat code copied.

git clone https://github.com/OWASP/NodeGoat.git

Running Your Copy of the Code

0. Install node modules

cd NodeGoat
npm install

0. Create and populate local DB

1. Connect to mongod

2. From a system prompt, start mongo by issuing the mongo command

3. Paste contents of nodegoat_db_reset.js at root directory on mongo console

4. Add an entry for DB path in config/env/development.js as

var devConfig = {
  db: "mongodb://localhost/nodegoat" // path to local mongo db
  // any other dev specific entries here
};

0. Start server

grunt run

This starts the NodeGoat application at url http://localhost:5000/

Customizing the Default Application Configuration

The default application settings (database url, http port, etc.) can be changed by updating the [config file] (https://github.com/OWASP/NodejsGoat/blob/master/config/env/all.js).

Contributing

Contributions from community are key to make NodeGoat a high quality comprehensive resource. Make NodeGoat awesome together!

New to git? You may find these resources helpful:

• GitHub's git tutorial
• git - the simple guide
• git tutorials and workflows

Ways to Contribute

Depending on your preference, you can contribute in various ways:

• Suggest a vulnerability that can be demonstrated through NodeGoat web app. Start by posting a message on NodeGoat Google Group to initiate discussion on it.
• Implement vulnerability in the demo web application
• Document vulnerabilities in the tutorial guide
• Add to the in-app tour to walk user through the steps to expose vulnerabilities
• Add tests to failing test suite guide, which contains tests that pass as user fixes vulnerabilities
• Create screencasts to demonstrate how to fix vulnerabilities

What is the Process

1. Assign a task from project task list to yourself.
2. Implement the changes.
3. Once code is ready to commit, run command:

grunt precommit

This command indents code using js-beautifier and shows any jsHint errors. These coding conventions are checked using jsHint. Resolve all jsHint errors before committing the code.

4. Commit the changes by adding issue number into a commit message

Contributors

Here are the amazing contributors to NodeGoat project

Report bugs, Feedback, Comments

• Contact team by posting a message on NodeGoat Google Group

Troubleshooting / FAQs

License

Code licensed under the Apache License v2.0.