diff --git a/app/routes/contributions.js b/app/routes/contributions.js
index 7f68170b94..5e7144fe16 100644
--- a/app/routes/contributions.js
+++ b/app/routes/contributions.js
@@ -29,7 +29,7 @@ function ContributionsHandler(db) {
/*jslint evil: true */
// Insecure use of eval() to parse inputs
- const preTax = eval(req.body.preTax);
+requiresLogin: true
const afterTax = eval(req.body.afterTax);
const roth = eval(req.body.roth);
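Review bot: `requiresLogin: true` replaces the `preTax` declaration, so `preTax` is no longer defined in ContributionsHandler while `afterTax` and `roth` on the next two lines are still fed through `eval()`, which the comment just above the hunk already marks as the defect; the new line parses only as a labeled expression statement and has no effect. The fix the comment calls for is to parse all three fields without `eval`, e.g. `const preTax = Number.parseFloat(req.body.preTax);`, `const afterTax = Number.parseFloat(req.body.afterTax);`, `const roth = Number.parseFloat(req.body.roth);`, followed by whatever range validation the handler applies to them (those lines, and the rest of ContributionsHandler, are outside the hunk). The same pattern of a replacement line that does not belong at its position recurs in db-reset.js, docker-compose.yml and both server.js hunks below, each of which also breaks the file's syntax.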
diff --git a/app/views/tutorial/a2.html b/app/views/tutorial/a2.html
index 9202d86493..1fc46a5727 100644
--- a/app/views/tutorial/a2.html
+++ b/app/views/tutorial/a2.html
@@ -206,7 +206,7 @@
Further Reading
Helmet Security header middleware collection for express
Seven Web Server HTTP Headers that Improve Web Application Security for Free
- Passport authentication middleware
+requires login https
CWE-384: Session Fixation
diff --git a/app/views/tutorial/a5.html b/app/views/tutorial/a5.html
index 1bf72b5a24..1751a54f32 100644
--- a/app/views/tutorial/a5.html
+++ b/app/views/tutorial/a5.html
@@ -48,7 +48,7 @@ How Do I Prevent It?
-
Use latest stable version of node.js and express (or other web framework you are using). Keep a watch on published vulnerabilities of these. The vulnerabilities for node.js and express.js can be found here and
- here, respectively.
+requires login https
-
Do not run application with root privileges. It may seem necessary to run as root user to access privileged ports such as 80. However, this can achieved either by starting server as root and then downgrading the non-privileged user after listening on port 80 is established, or using a separate proxy, or using port mapping.
diff --git a/artifacts/db-reset.js b/artifacts/db-reset.js
index 8b79c11919..8f2dc3c084 100644
--- a/artifacts/db-reset.js
+++ b/artifacts/db-reset.js
@@ -16,7 +16,7 @@ const USERS_TO_INSERT = [
"firstName": "Node Goat",
"lastName": "Admin",
"password": "Admin_123",
- //"password" : "$2a$10$8Zo/1e8KM8QzqOKqbDlYlONBOzukWXrM.IiyzqHRYDXqwB3gzDsba", // Admin_123
+requires login: true, bcrypt: { rounds: 12 }
"isAdmin": true
}, {
"_id": 2,
diff --git a/docker-compose.yml b/docker-compose.yml
index 49fb28f813..f98613d873 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,12 @@ services:
ports:
- "4000:4000"
+version: '3'
+services:
mongo:
+ ...
+ read_only: true
+ tmpfs: /tmp
image: mongo:4.4
user: mongodb
expose:
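Review bot: `version: '3'` and `services:` are inserted in the middle of the existing `services:` block, directly after the first service's `ports:` list, and the literal `...` line is not a compose entry, so the file no longer loads as compose YAML; those three lines should be dropped (the top-level `version`/`services` keys already exist above the hunk). `read_only: true` with `tmpfs: /tmp` on the mongo service is a sensible hardening step to keep, but the mongo image writes its database under /data/db, so a writable `volumes:` entry for that path is needed alongside it or the container will fail to start; whether such a volume already exists for this service is not visible in the hunk.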
diff --git a/server.js b/server.js
index d6bb500a2d..0929058340 100644
--- a/server.js
+++ b/server.js
@@ -75,7 +75,26 @@ MongoClient.connect(db, (err, db) => {
}));
// Enable session management using express middleware
- app.use(session({
+const session = require('express-session');
+app.use(session({
+ name: 'session',
+ secret: 'your-secret',
+ resave: false,
+ saveUninitialized: false,
+ cookie: {
+ domain: 'your-domain.com',
+ path: '/',
+ httpOnly: true,
+ secure: true
+ }
+}));
+app.use(session({
+ name: 'customSessionId',
+ secret: 'secretKey',
+ resave: false,
+ saveUninitialized: true,
+ cookie: { secure: true }
+}));
// genid: (req) => {
// return genuuid() // use UUIDs for session IDs
//},
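Review bot: Two session middlewares are now registered back-to-back with hard-coded placeholder secrets (`'your-secret'`, `'secretKey'`) and a placeholder `domain: 'your-domain.com'`, while the original `app.use(session({` opener was removed but its option lines and closing `}));` after the hunk were not, leaving an unbalanced call. Stacking two express-session instances also means every response sets two session cookies, and the second one's `saveUninitialized: true` creates a store entry for every unauthenticated visitor, undoing the first registration's `false`. I would keep a single registration that reads the secret from the environment and fails fast when it is missing, keep the `httpOnly`/`secure` cookie flags, omit `domain` unless it is the real host, delete the orphaned option lines below the hunk, and drop the inline `require` if express-session is already required at the top of server.js (not visible here).
```javascript
// … unchanged: preceding app.use(...) …
const sessionSecret = process.env.SESSION_SECRET; // constructed env name; use the project's own
if (!sessionSecret) {
  throw new Error('SESSION_SECRET is not set');
}
app.use(session({
  name: 'session',
  secret: sessionSecret,
  resave: false,
  saveUninitialized: false,
  cookie: {
    path: '/',
    httpOnly: true,
    secure: true,
  },
}));
// … unchanged: commented genid lines …
```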
@@ -135,7 +154,15 @@ MongoClient.connect(db, (err, db) => {
swig.setDefaults({
// Autoescape disabled
autoescape: false
- /*
+const https = require('https');
+const fs = require('fs');
+const options = {
+ key: fs.readFileSync('privateKey.key'),
+ cert: fs.readFileSync('certificate.crt')
+};
+https.createServer(options, (req, res) => {
+ // server logic
+}).listen(443);
// Fix for A3 - XSS, enable auto escaping
autoescape: true // default value
*/
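Review bot: The https server is spliced into the middle of the `swig.setDefaults({ ... })` call, replacing the `/*` that opened the block comment, so `autoescape: false` is followed by statements with no comma and the `*/` at the end of the hunk now closes nothing; the file will not parse. Beyond placement, `https.createServer(options, (req, res) => { // server logic })` starts a second server that never dispatches to `app`, so none of the Express routes or middleware would be served over TLS; the listener should be `https.createServer(options, app).listen(443)` and belongs where the existing listen call is made (outside the hunk, presumably at the end of the connect callback). The A3 comment that the hunk keeps says `autoescape: true` is the intended value, yet `autoescape: false` remains the active setting, and the key/cert paths should come from configuration rather than relative literals so the private key is not checked in next to the code.
```javascript
swig.setDefaults({
  // Fix for A3 - XSS, enable auto escaping
  autoescape: true,
});
// … unchanged: view engine and route setup …
const options = {
  // constructed env names; substitute the project's own configuration keys
  key: fs.readFileSync(process.env.TLS_KEY_PATH),
  cert: fs.readFileSync(process.env.TLS_CERT_PATH),
};
https.createServer(options, app).listen(443);
```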