Node.js Goof

Tags: Application Protection, Application Security

A tool for identifying potential security vulnerabilities in dependency configurations by checking for lingering free namespaces for private package names.


Goof: A Vulnerable Node.js Demo Application

Goof is a Node.js demo application that contains exploitable packages with known vulnerabilities. It features Docker Image Scanning to identify base images that have known vulnerabilities in their system libraries. Additionally, it provides runtime alerts to detect when vulnerable functions in open source dependencies are invoked.

The application has several identified vulnerabilities

The application has several identified vulnerabilities, which include the following:

* Exploitable packages that contain known vulnerabilities
* Docker Image Scanning to identify base images with known vulnerabilities in system libraries
* Runtime alerts that detect the invocation of vulnerable functions in open source dependencies
* Code-level vulnerabilities
* Open Redirect issues
* NoSQL Injection vulnerabilities
* Code Injection vulnerabilities
* Cross-site Scripting (XSS) vulnerabilities
* Information exposure due to hardcoded values in the code
* Security misconfiguration that exposes server information
* Insecure communication using the HTTP protocol
* Local File Inclusion (Path Traversal) vulnerabilities
* Regular expression denial of service vulnerabilities

The application includes a series of steps to demonstrate vulnerabilities

The application consists of several steps designed to showcase each of these vulnerabilities.

To run the application, execute the following command:

    npm install && npm start

Note: you need to use an older version of MongoDB because some of the outdated libraries rely on specific database server APIs. MongoDB version 3 is confirmed to work well. You can also run the MongoDB server separately using Docker with the following command:

    docker run --rm -p 27017:27017 mongo:3

Heroku usage: to deploy Goof as a Heroku app, you must attach a MongoLab service.

CloudFoundry usage: to deploy Goof on CloudFoundry, you need to attach a MongoLab service and name it "goof-mongo".

Cleanup: to delete all current TODO items from the database in bulk, run:

    npm run cleanup