8 comments

[ 56.0 ms ] story [ 6957 ms ] thread
I was kinda hoping for node specific vulns. This does not seem to cover more than DVWA, WAVSEP or any other test suites/intentionally vulnerable web applications out there.
It's beta, so don't put this in production (yet)!
Well, skimming the vulnerabilities [1] didn't really see anything too interesting. Consider this "eval_remote" vulnerability:

   var e = require("express");
   var DVNA = e();
   DVNA.get('/', function(req, res) {
     var res = eval("("+req.query.e+")");
     res.send('Parameter eval():<br> ' + res);
   });
   DVNA.listen(6666);
Yes, if you eval your requests that is a vulnerability, but it is a trivial one. I was expecting some side-channel esoteric stuff that, reading the code, you wouldn't necessarily see the problem.

1 - https://github.com/quantumfoam/DVNA/tree/master/vulnerabilit...

the OWASP Broken Web Applications project (owaspbwa) is worth mentioning in this context. It's a collection of vulnerable web applications for web security training, demonstrations and testing. It can be downloaded as a VM from [1]. I don't have a lot of faith in sourceforge, but it seems to be the official source.

[1]: http://sourceforge.net/projects/owaspbwa/files/1.2/