An intentionally insecure web application to highlight different web security concepts
This is an example application used by Dominik Kundel in his Introduction to Web Security talk. It intentionally contains a set of vulnerabilities to highlight different attack vectors as well as ways to fix them.
If you find any additional attack vectors, feel free to create an issue for it or alternatively create a pull request for this README to add it to the list of vulnerabilities.
There is a variety of vulnerabilities present in this application. Check out the respective docs to learn more about them.
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- JSON Web Token (JWT)
- Poor JSONP implementations
- Parent Window Redirection
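Of the vulnerabilities listed above, a poor JSONP implementation is the easiest to show in a few lines. The following is an added example written for this README, not code from the onesie-life application or its docs: a Node.js handler that reflects the `callback` query parameter unchecked (so the attacker picks what script the browser runs), next to a hardened version that only accepts a JavaScript identifier, prefixes the response so it cannot be read as another content type, and sends `X-Content-Type-Options: nosniff`. The function names and the request values are constructed for the example.

```javascript
// Added example (not part of the onesie-life project): a JSONP endpoint that
// reflects ?callback= unchecked, beside a hardened version. Plain Node.js,
// no framework; the inputs at the bottom are constructed for the demo.

// Accept a JS identifier, optionally dotted (e.g. "app.onProfile").
const JSONP_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Vulnerable: the callback is interpolated straight into a script body.
// ?callback=alert(document.cookie);// turns the endpoint into a script
// the attacker controls, and the JSON payload is commented out.
function jsonpVulnerable(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${callback}(${JSON.stringify(data)})`,
  };
}

// Hardened: reject anything that is not an identifier, bound its length,
// prefix with a comment so the response is useless as any other content
// type, and tell the browser not to sniff.
function jsonpHardened(callback, data) {
  if (typeof callback !== 'string' || callback.length > 64 || !JSONP_CALLBACK.test(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain', 'X-Content-Type-Options': 'nosniff' },
      body: 'invalid callback',
    };
  }
  // U+2028/U+2029 are legal inside JSON strings but were not legal inside JS
  // string literals before ES2019; escape them so older clients do not break.
  const payload = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/ typeof ${callback} === 'function' && ${callback}(${payload});`,
  };
}

// Constructed inputs for the demo.
const benignCallback = 'handleProfile';
const maliciousCallback = 'alert(document.cookie);//';
const profile = { user: 'alice', role: 'admin' };

function demo() {
  return {
    vulnerable: jsonpVulnerable(maliciousCallback, profile).body,
    hardenedStatus: jsonpHardened(maliciousCallback, profile).status,
    hardenedBody: jsonpHardened(benignCallback, profile).body,
  };
}

console.log(demo());
```

Run it with `node jsonp.js`: the vulnerable body starts with `alert(document.cookie);//`, i.e. a script that executes the attacker's code and discards the data, while the hardened handler answers 400 to the same callback and only ever emits `/**/ typeof handleProfile === 'function' && handleProfile({...});` for a valid one. The `/**/` prefix and `nosniff` header are the same defences helmet-style middleware and most JSONP-aware frameworks apply.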
- Open Web Application Security Project (OWASP). Extensive Wiki around all web security related topics
- OWASP Common Attacks List
- Slides of my intro to web security talk
- Google Web Fundamentals Security
- Gruyere Codelab. A Codelab by Google teaching you different things around security
- SecurityHeaders.io. Analyzes the HTTP headers of your application for security aspects
- goof. A vulnerable demo app by Snyk.io
- helmet. A Node.js module to set security-related headers for your
- Snyk.io. A tool to detect vulnerabilities in your projects by scanning your dependencies
- Greenkeeper.io. A tool to keep your dependencies up to date
This application is built with Node.js and uses Twilio Sync as a database at the moment.
- Node.js & npm
- A Twilio account - Sign up here
Make sure you have the following values stored in your environment variables:
```bash
# Your Twilio Account SID
TWILIO_ACCOUNT_SID=
# A Twilio API Key
TWILIO_API_KEY=
# A Twilio API Secret
TWILIO_API_SECRET=
# The SID of your Twilio Sync Service (can be 'default')
TWILIO_SYNC_SERVICE=default
```
```bash
git clone email@example.com:dkundel/onesie-life.git
cd onesie-life
npm install
```