Skip to content
forked from snyk/node-woof

An intentionally vulnerable application, for testing

Notifications You must be signed in to change notification settings

jeffsnyk/node-woof

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

node-woof

An intentionally vulnerable application, to test Snyk's Runtime Monitoring offering.

The docs there explain what the tool achieves. You might want to read them before continuing, to get a feel for what this demo is going to show. Once you've run the demo, you definitely will want to read them to learn how to integrate the agent into your application!

The runtime monitoring tool is open source. The documentation on how to get started with contributing to the agent is hosted on that project.

How?

Everything should drive from npm.

You just need node (8 or above) and npm, installed and working.

First, check you can build:

$ npm ci
npm WARN prepare removing existing node_modules/ before installation
added 132 packages in 1.084s
$ npm run startWithAgent

You must specify a valid project ID.

Please run `snyk monitor`, collect the id from the results' settings page,
then re-run `start` using that ID.

For example (you *must* change the id!):

  npm run startWithAgent 4567901-2345-6789-0123-45678912345

...

Then, run snyk cli:

$ snyk monitor

Monitoring node-woof...

Explore this snapshot at https://app.snyk.io/org/yall/project/4567901-2345-6789-0123-45679012345

Now, you can start the app with the agent:

$ npm run startWithAgent 4567901-2345-6789-0123-45678912345
...

Agent loaded successfully, your application is monitored.


,------------------------------------------------------------,
|                                                            |
|      The demo application has started successfully.        |
|                                                            |
|   You can visit the application, and trigger an exploit,   |
|                 by visiting this url:                      |
|                                                            |
|            http://localhost:3000/hello.txt                 |
|                                                            |
|        You can stop the application with ctrl+c.           |
|                                                            |
`------------------------------------------------------------'


...

This will require('@snyk/nodejs-runtime-agent') with your projectId, and then start the application.

Exploit!

You can visit the application. Simply visiting the application URL is sufficient evidence of an exploit!

If your application is protected, then you should shortly see the warning on your Snyk dashboard.

About

An intentionally vulnerable application, for testing

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 100.0%