NodeGoat
Feature/192
Following discussion in #194 I've forked the branch from @KoolTheba and started working on implementing new endpoints and examples of vulnerabilities.
This Pull Request is still WIP. It was created to allow reviewers to gradually review and comment on new changes, as there will be a lot of them.
For now, new API application includes:
- Base express app structure
- Authenticating using express-session
- Connecting to MongoDB
- Tests with Jest
- Fully mocking Mongo database in tests
- Script for resetting and initializing database with sample data (the same data and structure was used as in initial NodeGoat application)
- Endpoints:
  - POST /api/v1/login
  - GET /api/v1/profile
  - PUT /api/v1/profile/:id
  - GET /api/v1/allocations/:userId
Each implemented vulnerability includes tests for checking:
- Whether vulnerability is present - these tests should be disabled once vulnerability is fixed in the code to prevent failures,
- Whether vulnerability has been fixed - these tests are disabled and meant to be manually enabled once vulnerability is fixed in the code.
Vulnerabilities implemented:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API6:2019 Mass Assignment
If I implement new endpoints before this PR gets merged, I'll include them as part of this PR.
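The API1 Broken Object Level Authorization case on GET /api/v1/allocations/:userId, together with the "vulnerability present" / "vulnerability fixed" test pairing described above, as an added illustration that is not code from this PR or from NodeGoat; the handler names, the session shape and the allocation records are assumed, and Express is replaced by plain request objects so the file runs stand-alone.

```javascript
// Added example, not NodeGoat code. Constructed sample allocations keyed by user id.
const allocations = {
  u1: { userId: "u1", stocks: 40, funds: 30, bonds: 30 },
  u2: { userId: "u2", stocks: 10, funds: 80, bonds: 10 },
};

// Vulnerable handler: trusts the :userId path parameter and never compares it to the session user,
// so any authenticated user can read any other user's allocations (BOLA).
function getAllocationsVulnerable(req) {
  const record = allocations[req.params.userId];
  return record ? { status: 200, body: record } : { status: 404, body: { error: "not found" } };
}

// Fixed handler: the object id taken from the URL must belong to the authenticated session user
// (admins excepted); only then is the lookup delegated to the original logic.
function getAllocationsFixed(req) {
  const { userId, isAdmin } = req.session || {};
  if (!userId) return { status: 401, body: { error: "unauthenticated" } };
  if (req.params.userId !== userId && !isAdmin) return { status: 403, body: { error: "forbidden" } };
  return getAllocationsVulnerable(req);
}

// "Vulnerability present" check: user u1 asks for u2's allocations and gets them back.
function bolaIsPresent(handler) {
  const res = handler({ session: { userId: "u1" }, params: { userId: "u2" } });
  return res.status === 200 && res.body.userId === "u2";
}

// "Vulnerability fixed" check: the cross-user request is refused while the user's own still works.
function bolaIsFixed(handler) {
  const crossUser = handler({ session: { userId: "u1" }, params: { userId: "u2" } });
  const ownUser = handler({ session: { userId: "u1" }, params: { userId: "u1" } });
  return crossUser.status === 403 && ownUser.status === 200;
}

// Jest wiring in the PR's pattern: the "present" test runs until the fix lands and is then
// skipped; the "fixed" test is skipped until the fix lands. Guarded so plain `node` also runs the file.
if (typeof test === "function") {
  test("API1 BOLA is present", () => expect(bolaIsPresent(getAllocationsVulnerable)).toBe(true));
  test.skip("API1 BOLA is fixed", () => expect(bolaIsFixed(getAllocationsFixed)).toBe(true));
}
```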
@sher04lock great progress! I will review and get back to you if any early feedback. Thanks for the WIP PR.