onesie.life
An intentionally insecure web application to highlight different web security concepts
This is an example application used by Dominik Kundel in his Introduction to Web Security talk. It has intenionally a set of vulnerabilities to highlight different attack vectors and as well as ways to fix them.
If you find any additional attack vectors, feel free to create an issue for it or alternatively create a pull request for this README to add it to the list of vulnerabilities.
Vulnerabilities
There is a variety of vulnerabilites present in this application. Check out the respective docs to learn more about them.
- Clickjacking
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- JSON Web Token (JWT)
- Poor JSONP implementations
- Parent Window Redirection
Security Measurements
Resources
- Open Web Application Security Project (OWASP). Extensive Wiki around all web security related topics
- OWASP Common Attacks List
- Slides of my intro to web security talk
- Google Web Fundamentals Security
- Gruyere Codelab. A Codelab by Google teaching you different things around security
- SecurityHeaders.io. Analyzes the HTTP headers of your application for security aspects
goof. A vulnerable demo app by Synk.iohelmet. A Node.js module to set security related headers for yourexpressserver- Snyk.io. A tool to detect vulnerabilities in your projects by scanning your dependencies
- Greenkeeper.io. A tool to keep your dependencies up to date
Setup
This application is built with Node.js and uses Twilio Sync as a database at the moment.
Prerequisites
- Node.js & npm
- A Twilio account - Sign up here
Make sure you have the following values stored in your environment variables:
# Your Twilio Account SID
TWILIO_ACCOUNT_SID=
# A Twilio API Key
TWILIO_API_KEY=
# A Twilio API Secret
TWILIO_API_SECRET=
# The SID of your Twilio Sync Service (can be 'default')
TWILIO_SYNC_SERVICE=defaultSetup
git clone git@github.com:dkundel/onesie-life.git
cd onesie-life
npm installStart Server
npm startOpen Page http://localhost:3000
License
MIT