After cloning or downloading, don't forget to install with npm install, which should automatically bower install too.
Once you've ensured that postgres is running (e.g. by trying to start a psql shell), you can execute npm run seed to seed the database with fake data.
Finally, fire it up with npm start and go to http://127.0.0.1:8080/.
In this round of the workshop, attackers attempt to uncover application secrets and defenders attempt to lock away those same secrets. It is inspired by OWASP's security misconfiguration vulnerability. Below are "solutions" for attack and defense scenarios.
The following are sensitive application secrets:
- session secret
- Google client secret
- GitHub client secret
- Twitter consumer secret
- postgres database URI
To discover them, you could attempt:
- Look through their current codebase for secrets.
- Look through their commit history for secrets.
- Make raw
GETrequests for static files, e.g.GET /secrets.json.
(If you're wondering what an attacker could do with application secrets, follow this link.)
For the solution implemented here, we throw the secrets into a single configuration file, /secrets.json, and add that file to the gitignores. We should then change ALL of the secrets, so that the secrets that are still in our git commit history become invalid.
More importantly, we alter the static file serving so that it does not simply share all of the files in the project. Of course we must still serve up any files the client needs. So we replace something like:
router.use(express.static(rootPath));
With something like:
router.use('/bower_components', express.static(bowerPath));
router.use('/browser', express.static(browserPath));