A demonstration of what could happen when you do not protect your forms with CSRF tokens

Primary language: JavaScript. License: MIT.

The Carl Sagan Richard Feynman Bank

An e-banking web application demonstrating what happens when you do not protect your forms with Cross-Site Request Forgery tokens.

Requirements

Development

# Clone and move into the repository
git clone https://github.com/MediaComem/exploit-csrf-bank.git
cd exploit-csrf-bank

# Install dependencies
npm ci

# Run the application in development mode
npm run dev

Production

# Clone and move into the repository
git clone https://github.com/MediaComem/exploit-csrf-bank.git
cd exploit-csrf-bank

# Install dependencies
npm install --production

# Run the application in production mode (the session secret is required)
BANK_SESSION_SECRET=changeme npm start

Configuration

The application can be configured using the following environment variables:

| Variable | Default value | Description |
| --- | --- | --- |
| BANK_LISTEN_HOST | 0.0.0.0 | The IP address to listen on (use 0.0.0.0 for any IP address). |
| BANK_LISTEN_PORT | 3000 | The port to listen on. |
| BANK_SESSION_SECRET | - | Secret used to sign session cookies. Should be a long random string. |
| BANK_SESSION_LIFETIME | 86_400_000 (one day) | Lifetime of sessions in milliseconds. |
| BANK_BCRYPT_ROUNDS | 10 | Bcrypt algorithm cost factor. |
| BANK_DB_FILE | db.loki (relative to the application) | The file in which the embedded database will be stored. |
| BANK_SESSIONS_DIR | session (relative to the application) | The directory in which session files will be stored. |
| BANK_TRUST_PROXY | false | Whether to trust proxy headers. |
| BANK_TITLE | Carl Sagan Richard Feynman Bank | The title displayed in the navbar. |
| BANK_LOG_LEVEL | DEBUG in production, TRACE otherwise | The highest level of log messages to output. |

In development mode, you can also put these settings in a .env file in the repository.