This is a purposely insecure toy webserver for learning about security vulnerabilities.

It was originally designed for Stanford's CS106S and was authored by Cooper de Nicola, Aditya Saligrama, and George Hosono. It has since been used a few times for workshops by Stanford Applied Cyber. Feel free to use it for your own lessons or learning.
- IDOR (in the `/user` endpoint)
- XSS (in the `/hello` endpoint)
- Insecure session handling (in the `/login` endpoint)
First `cd` into the `app` directory.

Make sure dependencies are installed using the command `npm install`.

Start the server using the command `node index.js`. Access the server on `localhost:3000`.
Initialize the TLS certificates from Let's Encrypt using this script edited to add your email and domain. Note you may need to edit the line that says `docker-compose up --force-recreate -d nginx` to `docker-compose up --force-recreate -d nginx app`.

Then simply run `docker-compose up`. Note you'll need to replace usage of `catshare.saligrama.io` with your domain.
There is a systemd service that can start the app at system start.