A full-stack web application that uses Docker, Node.js, Express, and React to demonstrate the OWASP Top 10 API Security Risks – 2019.
- Injection (SQL Injection)
- Cross-Site Scripting (XSS)
- Broken User Authentication (Security Assertion Markup Language (SAML))
- Broken Object Level Authorization
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Mass Assignment
- Security Misconfiguration
- Improper Assets Management
- Insufficient Logging & Monitoring
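Two of the risks above, Broken Object Level Authorization and Mass Assignment, shown as a vulnerable Express-style handler next to its hardened form. This is an added example, not code from the project; it assumes an earlier authentication middleware has populated `req.user`, uses a constructed in-memory user table, and takes a minimal `{ user, params, body }` request object so it runs without Express installed.

```javascript
// Added example (not from the project). Handlers mimic Express route handlers
// but take a plain request object and return { status, body } so the logic can
// run stand-alone. The user store below is constructed sample data.
const users = new Map([
  [1, { id: 1, email: 'alice@example.test', role: 'user', name: 'Alice' }],
  [2, { id: 2, email: 'bob@example.test', role: 'user', name: 'Bob' }],
]);

// VULNERABLE (Broken Object Level Authorization): trusts the id in the URL,
// so any authenticated caller can read any other user's record.
function getUserVulnerable(req) {
  const target = users.get(Number(req.params.id));
  return target ? { status: 200, body: target } : { status: 404, body: null };
}

// HARDENED: the record is returned only to its owner or to an admin.
function getUserHardened(req) {
  const target = users.get(Number(req.params.id));
  if (!target) return { status: 404, body: null };
  if (req.user.id !== target.id && req.user.role !== 'admin') {
    return { status: 403, body: null };
  }
  return { status: 200, body: target };
}

// VULNERABLE (Mass Assignment): copies every field from the JSON body onto the
// stored record, so a client can set "role" and escalate its own privileges.
function updateProfileVulnerable(req) {
  const me = users.get(req.user.id);
  Object.assign(me, req.body);
  return { status: 200, body: me };
}

// HARDENED: only an explicit allowlist of client-editable fields is applied;
// "role" and "id" can never be changed through this endpoint.
const EDITABLE = ['name', 'email'];
function updateProfileHardened(req) {
  const me = users.get(req.user.id);
  for (const key of EDITABLE) {
    if (Object.prototype.hasOwnProperty.call(req.body, key)) me[key] = req.body[key];
  }
  return { status: 200, body: me };
}
```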
Here's a preview of what the project looks like:
This project involves creating a web application that will serve as the main platform for users to practice exploiting web application vulnerabilities and learn about web application security. It will include a range of vulnerable web applications that users can test their skills on, including injection attacks, broken authentication and session management, and insufficient logging and monitoring. The website will be designed to be user-friendly and accessible to users of all skill levels. Specific features and functions, such as the types of vulnerabilities to be covered, will be further developed in the planning stage.
The web application will be used to demonstrate how these vulnerabilities can be exploited and how to prevent them. It will involve setting up a testing environment that simulates real-world scenarios. The lab will cover a range of vulnerabilities, including injection attacks, broken authentication and session management, and insufficient logging and monitoring. Overall, the project is an exciting opportunity to contribute to the field of web application security and make a positive impact in this area.
This is a modern, scalable, and maintainable full-stack web application. Docker packages and deploys the application consistently across different environments, Node.js and Express provide the server-side infrastructure for handling HTTP requests and serving dynamic content, and React builds the rich, interactive user interface that communicates with the backend APIs.
This section explains how to get started with the project, including prerequisites and installation instructions.
Before you get started with this project, you'll need to have the following tools installed:
- Docker (v18 or higher)
You can download Docker from the official website: https://www.docker.com/products/docker-desktop
Once you have Docker installed, you can proceed with setting up the project.
To use the project, follow the instructions below:
- Starting the Project: run the web_lab.sh script:

```sh
./web_lab.sh start
```

The script will handle the setup and execution of the project.

- Stopping the Project: run the following command:

```sh
./web_lab.sh stop
```

This will stop the backend and frontend servers and all containers.

- Restarting the Project: if you need to restart the project, use the following command:

```sh
./web_lab.sh restart
```
- Create project repository and README file
- Determine the necessary tools and dependencies for the development environment, such as the programming language, framework, and database, and install them
- Configure Docker setup for the web application
- Develop a main website for users to practice exploiting web application vulnerabilities
- Integrate a Docker-in-Docker (dind) setup in the project
- Implement injection attack demonstrations (SQL injection, command injection, etc.)
- Implement broken authentication and session management demonstrations
- Implement cross-site scripting (XSS) and cross-site request forgery (CSRF) demonstrations
- Implement insufficient logging and monitoring demonstrations
- Conduct penetration testing to identify additional vulnerabilities and weaknesses in the web application
- Explore and experiment with different tools and techniques for identifying and exploiting vulnerabilities
- Analyze and prioritize vulnerabilities found in the testing phase
- Develop and implement fixes for identified vulnerabilities
- Conduct additional testing to ensure vulnerabilities are successfully fixed
- Create detailed documentation on the vulnerabilities demonstrated and how to prevent them
- Publish the project on a public platform (GitHub, etc.) for others to use and learn from
- Provide guidance and resources for users to continue learning and exploring web application security on their own.
This project is licensed under the terms of the MIT License. See the LICENSE file for details.
This project uses the following open source components:
- docker-test-saml-idp under the MIT license by Kristoph Junge
- simplesamlphp under the GNU license by the SimpleSAMLphp community
If you have any questions or suggestions about this project, please feel free to reach out to us at:
- Email: peng.cai.perth@gmail.com
- GitHub: redmojo7
We would like to express our sincere gratitude to the following individuals/organizations for their contributions to this project:
- Open Web Application Security Project (OWASP) - provided resources and documentation on web application security best practices and common vulnerabilities