A small project to compare the performance of various of fuzzers against 5 Node.js applications. The list of applications involved in this project:
- NodeGoat v1.3.0 - license
- Keystone v4.0.0 - license
- Juice-Shop v8.3.0 - license
- Mongo-express v0.51.0 - license
- Apostrophe boilerplate - license
The list of fuzzers involved:
- OWASP ZAP v2.9.0 - license
- Arachni v1.5.1 & WebUI v0.5.12 - license
- w3af - GPLv2.0
The docker images are built and tested with:
- Docker version 18.09.1-ol, build b2a1f2a
- docker-compose version 1.27.4, build 40524192
All the docker-compose.yml files are at version "2.0". For the docker-compose version support, please see here
The infrastructure to exercise 5 Node.js applications has three components:
- Application Docker images
- Fuzzer Docker images
- Docker & docker-compose
With the help of docker-compose.yml, the infrastructure is started which allows fuzzer container to interact with our applications. The user can access those containers from the host machine.
First create a personal token on github. Make sure that the token has enough privileges (i.e read,write:packages). Then run docker login.
$ docker login docker.pkg.github.com --username <your_username> -p <your_token>
Build your image and run docker tag (all names are lowercase)
$ docker build -t <image_name>:<tag> .
$ docker tag <image_name>:<tag> docker.pkg.github.com/<user_name>/<repo_name>/<image_name>:<tag>
Push the tagged docker image to repo
$ docker push docker.pkg.github.com/<user_name>/<repo_name>/<image_name>:<tag>
For more information, please see Github Docs.
Docker-compose provides a quick and easy way to startup the applications.
- Head to the desired application's directory (for example:
app_docker/nodegoatfor NodeGoat). - In the
docker-compose.ymlfile, replace<name>:<tag>by the application's Docker image name. For examplenodegoat:v1. - Run:
docker-compose up - Docker-compose will handle the pulling and running those applications
- Then you can access the application via browser on localhost. (Please see
README.mdinapp_dockerfor more information).
For apostrophe-boilerplate only:
After the application has been started, we need to add an admin account. We do that by executing this command in the same directory with the docker-compose.yml file used:
$ docker-compose exec apostrophe node app apostrophe-users:add admin admin
The above command will add the user admin (first parameter) to the group admin (second parameter). After that you need to enter the password for this account (please use demo for admin to suit the auth script). Instructions taken from here.
- Before using
docker-compose.ymlplease provide it with the necesary image, or build your own following the instructions in app_docker. - All the applications are run with code coverage enabled by default. To disable code coverage, in the
docker-compose.ymlfile, remove the--enable-coverage(and--babelfor Juice-Shop) flag in the startupcommand. - The code coverage plugin uses a modified version of instanbul-middleware. The original repo is located here - license.
- The instructions on how to work with fuzzers and get them to interact with our applications can be found in fuzzer_docker
We also provide authenticating scripts for each applications. The output of these scripts will be a set of tokens that can be used in the scanning process of fuzzers. Please refer to README for how to use the scripts.