
NodeGoat: A deliberately insecure Node.js web application

This sample application is based on https://github.com/OWASP/NodeGoat.git.

Warning: This application is deliberately vulnerable. The computer running it will be exposed to attacks, so run it only on an isolated network or a throwaway VM, never on a shared or production host, and do not expose it to the internet.

Running standalone

You can run NodeGoat locally on any machine with Node.js v10.16.0 installed (the version this demo is pinned to; Node.js 10 is end-of-life, so use it only for this demo and not for anything else).

  1. Place a contrast_security.yaml file in the application's root folder. The file holds the Contrast agent's connection settings and credentials (API URL, API key, service key and user name), so keep it out of version control (for example, add it to .gitignore).
  2. Run npm install @contrast/agent.
  3. Create the MongoDB database:
    • If using a local MongoDB instance, start mongod.
    • Update the db property in config/env/development.js to reflect your DB setup (format: mongodb://localhost:27017/<databasename>).
  4. Populate MongoDB with the seed data required by the app:
    • Run npm run db:seed to populate the DB with the seed data. Pass the desired environment as an argument; if none is passed, "development" is the default.
  5. Start the server using npm start; the Contrast agent is already enabled.
  6. Browse the application at http://localhost:4000/NodeGoat/
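
The steps above have three places where a local run silently goes wrong: the wrong Node.js major version, a contrast_security.yaml that is missing (or, worse, committed to git with the agent credentials in it), and a db property that is not in the mongodb://host:port/<databasename> shape. The following pre-flight script checks all three before npm start. It is an added example, not a script from the contrast-demo-nodegoat repository; it assumes config/env/development.js contains a line of the form `db: "mongodb://localhost:27017/nodegoat",` (the file and property name come from the README, the exact line layout is an assumption).

```shell
#!/usr/bin/env sh
# Pre-flight checks for running the NodeGoat demo standalone.
# Added example; not part of the contrast-demo-nodegoat repository.

# The README requires mongodb://host:port/<databasename>; reject anything else
# (a missing scheme or database name makes the seed step fail later).
check_mongo_uri() {
  printf '%s\n' "$1" | grep -Eq '^mongodb://[A-Za-z0-9._-]+:[0-9]{1,5}/[A-Za-z0-9_-]+$'
}

# Pull the db property out of a development.js-style config file.
# Assumes the property is written as   db: "<uri>",   on one line.
extract_db_uri() {
  sed -n 's/^[[:space:]]*db:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# The README pins Node.js v10.16.0; accept any v10.x as reported by `node --version`.
check_node_version() {
  case "$1" in
    v10.*) return 0 ;;
    *)     return 1 ;;
  esac
}

# contrast_security.yaml carries the agent credentials: it must exist in the
# app root, and if the root is a git checkout it must not be a tracked file.
check_agent_config() {
  [ -f "$1/contrast_security.yaml" ] || return 1
  if [ -d "$1/.git" ] && git -C "$1" ls-files --error-unmatch contrast_security.yaml >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Run every check against the app root given as $1 (default: current directory).
preflight() {
  root="${1:-.}"
  check_node_version "$(node --version 2>/dev/null || echo none)" \
    || { echo "need Node.js v10.x on PATH"; return 1; }
  check_agent_config "$root" \
    || { echo "contrast_security.yaml is missing or is tracked by git"; return 1; }
  uri="$(extract_db_uri "$root/config/env/development.js")"
  check_mongo_uri "$uri" \
    || { echo "db property in config/env/development.js is not mongodb://host:port/<databasename>: '$uri'"; return 1; }
  echo "preflight ok: db=$uri"
}
```

Run `preflight /path/to/app && npm start` from the application root; the script only reads the config file and the working tree, it does not start MongoDB or the agent.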

Running in Docker

You can run NodeGoat within a Docker container.

  1. Place a contrast_security.yaml file in the application's root folder (it holds the agent credentials, so keep it out of version control).
  2. Build the NodeGoat container image using docker-compose build. The Contrast agent is added automatically during the Docker build.
  3. Run the containers using docker-compose up; this starts a local MongoDB container and the web server together.
  4. Browse the application at http://localhost:4000/NodeGoat/

Running in Azure (Azure App Service)

Pre-Requisites

  1. Place a contrast_security.yaml file in the application's root folder (it holds the agent credentials, so keep it out of version control).
  2. Install Terraform from https://www.terraform.io/downloads.html.
  3. Install PyYAML using pip install PyYAML.
  4. Install the Azure CLI; on macOS with Homebrew, use brew update && brew install azure-cli.
  5. Log into Azure with az login so that your credentials are cached.
  6. Edit variables.tf (or add a terraform.tfvars) to set your initials, preferred Azure location, app name, server name and environment.
  7. Run terraform init to download the required plugins.
  8. Run terraform plan and check the output for errors.
  9. Run terraform apply to build the infrastructure in Azure; the output includes the web address of the application. The App Service is reachable from the internet and the application is deliberately vulnerable, so treat the deployment as short-lived.
  10. Run terraform destroy when you want to stop the App Service and release its resources.

Tests

The container includes Cypress for automated tests. Run them with npm run test-with-contrast.

Updating the Docker Image

You can rebuild the Docker image and publish it to Docker Hub by running two scripts in order:

  • 1-Build-Docker-Image.sh
  • 2-Deploy-Docker-Image-To-Docker-Hub.sh

License

Code licensed under the Apache License v2.0.