
Feature/192

Open · sher04lock opened this pull request · 1 comment

Following the discussion in #194, I've forked the branch from @KoolTheba and started working on implementing new endpoints and examples of vulnerabilities.

This Pull Request is still WIP. It was created to allow reviewers to gradually review and comment on new changes, as there will be a lot of them.

For now, the new API application includes:

  • Base express app structure
  • Authenticating using express-session
  • Connecting to MongoDB
  • Tests with Jest
  • Fully mocking Mongo database in tests
  • Script for resetting and initializing the database with sample data (the same data and structure as in the initial NodeGoat application)
  • Endpoints:
    • POST /api/v1/login
    • GET /api/v1/profile
    • PUT /api/v1/profile/:id
    • GET /api/v1/allocations/:userId

Each implemented vulnerability includes tests for checking:

  • Whether the vulnerability is present - these tests should be disabled once the vulnerability is fixed in the code to prevent failures,
  • Whether the vulnerability has been fixed - these tests are disabled and meant to be manually enabled once the vulnerability is fixed in the code.

Vulnerabilities implemented:

  1. API1:2019 Broken Object Level Authorization
  2. API2:2019 Broken User Authentication
  3. API3:2019 Excessive Data Exposure
  4. API6:2019 Mass Assignment

If I implement new endpoints before this PR gets merged, I'll include them as part of this PR.

sher04lock · May 17 '20 13:05
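An added illustration of the "present / fixed" test pair described above for API1:2019 on GET /api/v1/allocations/:userId (example code written for this page, not code from NodeGoat or this PR). It assumes express-session exposes the logged-in user as `req.session.userId` and uses a constructed in-memory allocations table in place of MongoDB; the handler shapes and names are hypothetical.

```javascript
// Constructed sample data standing in for the MongoDB "allocations" collection.
const ALLOCATIONS = {
  1: { userId: 1, stocks: 40, funds: 40, bonds: 20 },
  2: { userId: 2, stocks: 10, funds: 30, bonds: 60 },
};

// Vulnerable handler (hypothetical): trusts the :userId path parameter and never
// compares it with the session owner, so any logged-in user can read any record.
function getAllocationsVulnerable(req) {
  const record = ALLOCATIONS[req.params.userId];
  return record ? { status: 200, body: record } : { status: 404, body: null };
}

// Fixed handler (hypothetical): the record is served only when the session owner
// matches the id in the path, i.e. the object-level authorization check.
function getAllocationsFixed(req) {
  if (String(req.session.userId) !== String(req.params.userId)) {
    return { status: 403, body: null };
  }
  return getAllocationsVulnerable(req);
}

// A request for another user's allocations while logged in as user 1.
function crossUserRequest() {
  return { session: { userId: 1 }, params: { userId: 2 } };
}

// "Vulnerability present" check: passes while the handler leaks; disable once fixed.
function vulnerabilityPresent(handler) {
  const res = handler(crossUserRequest());
  return res.status === 200 && res.body !== null && res.body.userId === 2;
}

// "Vulnerability fixed" check: keep it skipped until the fix lands, then enable it.
function vulnerabilityFixed(handler) {
  const res = handler(crossUserRequest());
  return res.status === 403 && res.body === null;
}

// Jest wiring in the style the PR describes (shown as comments; Jest is not loaded here):
// test('BOLA present on GET /api/v1/allocations/:userId',
//   () => expect(vulnerabilityPresent(getAllocationsVulnerable)).toBe(true));
// test.skip('BOLA fixed on GET /api/v1/allocations/:userId',
//   () => expect(vulnerabilityFixed(getAllocationsFixed)).toBe(true));
```

The owner's own request still succeeds against the fixed handler, which is the regression case worth keeping alongside the two checks.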

@sher04lock great progress! I will review and get back to you if any early feedback. Thanks for the WIP PR.

ckarande · May 19 '20 19:05