HackTheCat – Deliberately Vulnerable Node Express App for teaching/learning AppSec

The last few months I’ve been working on creating a deliberately vulnerable web application to teach and learn AppSec and also use as practice for scripting exploits in preparation for Offensive Security’s AWAE course exam.

AppSec is generally not taught well (if at all), and we can write better, more secure applications if we understand the approaches and techniques attackers will use to exploit them – Better Defence through Learning Offence!

The result of this is HackTheCat – a deliberately and deeply flawed Node/Express & MySQL App ready for you to hack and harden!

The application contains a heap of security issues for you to exploit and harden.

In future I plan on creating some step-by-step guides to teach some basics like avoiding XSS etc.

Obviously do not put this on a machine exposed directly to the internet or on a sensitive network, as this application is designed to be easily compromised – you have been warned.

You can download the code from https://github.com/alexmackey/HackTheCat/ and there’s a Docker version too, so it’s ready to go with no effort.

Read on if you want to know more about the issues contained in the application; if you’d rather find them yourself, stop here, as spoilers are ahead 🙂

Issues (Warning Spoilers Ahead!)

The app contains a heap of security issues including:

  • XSS (stored and reflected)
  • Various different SQL Injection issues
  • Weak session cookie options
  • Weak encoding options
  • LFI (Local File Inclusion)/RFI (Remote File Inclusion)
  • RCE via vulnerable version of node-serialize (0.4)
  • RCE via Server-Side Template Injection (SSTI) in vulnerable version of pug template engine (2.0.4)
  • Unrestricted file upload
  • Left over mock credentials file discoverable via brute force
  • IDOR (Insecure Direct Object Reference)
  • Poor and inconsistently implemented authentication approach
  • Some crappy CSS/HTML hacks to a template I made.
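Two of the items above, stored/reflected XSS and weak session cookie options, come down to a small amount of defensive code on the Node side. The block below is an added example written for this post, not code from the HackTheCat repository: it runs with plain Node (no Express or MySQL needed), the function names are this example's own, and the sample comment and session configs are constructed. It shows the vulnerable rendering next to the hardened one, and an audit function that flags express-session style cookie options that would make a session cookie easy to steal or replay.

```javascript
// Added example, not part of HackTheCat. Runs with plain Node, no dependencies.
// Function names (escapeHtml, renderComment*, auditSessionCookie) are this example's own.

// 1. Stored/reflected XSS: encode untrusted text before it lands in HTML.
//    These five characters are the ones that can break out of element content
//    or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user content is concatenated straight into the page,
// so any markup in a stored comment is executed by every visitor's browser.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened rendering: same template, but the comment is escaped first, so the
// browser shows the markup as text instead of interpreting it.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// 2. Weak session cookie options: audit an express-session style options object.
//    Returns a list of findings; an empty list means the options pass.
//    Defaults mirror express-session: httpOnly is true unless set to false,
//    secure and sameSite are unset unless configured.
function auditSessionCookie(sessionOptions) {
  const findings = [];
  const cookie = sessionOptions.cookie || {};
  if (cookie.httpOnly === false) {
    findings.push('httpOnly disabled: cookie readable from page script (XSS steals the session)');
  }
  if (cookie.secure !== true) {
    findings.push('secure not set: cookie is sent over plain HTTP');
  }
  if (!['strict', 'lax'].includes(String(cookie.sameSite).toLowerCase())) {
    findings.push('sameSite not strict/lax: cookie attached to cross-site requests (CSRF)');
  }
  if (typeof sessionOptions.secret !== 'string' || sessionOptions.secret.length < 32) {
    findings.push('secret missing or shorter than 32 characters: session ids are guessable');
  }
  if (sessionOptions.name === undefined || sessionOptions.name === 'connect.sid') {
    findings.push('default cookie name connect.sid reveals the framework');
  }
  return findings;
}

// Constructed sample input: a comment containing markup, plus a weak and a
// hardened session configuration.
const sampleComment = '<b>Tom & "Jerry"</b>';
const weakSession = { secret: 'keyboard cat', cookie: { httpOnly: false } };
const hardenedSession = {
  name: 'sid',
  secret: 'replace-with-a-long-random-secret-from-your-config',
  cookie: { httpOnly: true, secure: true, sameSite: 'lax' },
};

console.log('unsafe  :', renderCommentUnsafe(sampleComment));
console.log('safe    :', renderCommentSafe(sampleComment));
console.log('weak    :', auditSessionCookie(weakSession));
console.log('hardened:', auditSessionCookie(hardenedSession));
```

Run it with `node xss-and-cookies.js`. The unsafe line still contains a live `<b>` tag, the safe line contains only entities, and the weak session config produces five findings while the hardened one produces none. The same `escapeHtml` step is what a template engine's escaped interpolation does for you, which is why switching a template from unescaped to escaped output is usually the first fix for stored XSS.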

Hope some of you find it useful!