BunchOfFriendsJS is an intentionally insecure social network to teach web security.
I recently redesigned and reimplemented the system for Node.js, based on an earlier version designed for Java EE.
It is designed to have many of the OWASP Top 10 vulnerabilities.
To run BunchOfFriendsJS:
npx bjau/bunchoffriendsjs
and open your browser to http://localhost:3000/ (the npx command will automatically download and run a temporary version). The source is available on GitHub.
Options: Use npx bjau/bunchoffriendsjs --port 4000 to specify a different port (in this case, port 4000).
Security: The application is insecure. For safety, it will bind only to the loopback interface 127.0.0.1. To bind to all interfaces (0.0.0.0) and allow remote access, use npx bjau/bunchoffriendsjs --public to launch the web application.
Purpose: I created the system while teaching a subject on advanced internet programming. It is intended to help teach a security mindset. Feel free to use it for any purpose. However, you should not deploy it on a publicly accessible server because it is so insecure.
License: Feel free to use it however you wish - it is under a Creative Commons Zero / Public Domain license.
BunchOfFriendsJS is an alternative to the OWASP WebGoat project. WebGoat is tutorial oriented: it is a set of guided exercises. In contrast, BunchOfFriends is an ordinary application that is full of security holes.
BunchOfFriendsJS can be used to re-create something like the “Samy” MySpace worm. You can create a profile that virally becomes friends with anybody who sees the profile name.
The following discusses how the OWASP Top 10 vulnerabilities relate to the application.
SQL queries are not properly escaped. You can use SQL injection to log in without a valid password.
Sessions are generated with predictable identifiers and stored in insecure cookies.
The database stores passwords in plain text. Usernames and passwords can be read from the admin zone and are not hashed.
The application does not process XML so this vulnerability is not applicable.
Pages for authenticated users are not properly secured. You can view the posts of a user, without logging in.
Error messages reveal internal SQL queries.
No sandboxing is used to protect the server's filesystem from advanced SQL queries that read and write CSV files.
Almost all user input is rendered without being escaped, so untrusted script can be injected into any page.
The application does not serialize/deserialize data so this vulnerability is not applicable.
The application makes use of the in-memory AlaSQL database. This database is not designed for untrusted use. In fact, it is possible to modify the local filesystem with carefully crafted queries.
The application does not log any access so there is no record of any incident.
The application is vulnerable to URL editing. You can view the posts of somebody who is not a friend, without “friending” them.
The application has an admin zone that has not been properly secured.
The application is vulnerable to cross-site request forgery: you can create a third-party website that will automatically cause logged-in users to add a friend.
The application does use a redirect (when liking a post) that can be abused to redirect to a phishing site.
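As an added illustration of how the "like" redirect above would be fixed (this is example code, not part of BunchOfFriendsJS), the helper below only ever redirects to a path on the application's own origin. The function name safeReturnPath, the APP_ORIGIN constant and the returnTo parameter are assumptions for the example.

```javascript
// Added example, not code from BunchOfFriendsJS. Validates a post-"like"
// redirect target so the Location header can never point at another site.
// APP_ORIGIN matches the default loopback address the page describes.
const APP_ORIGIN = 'http://localhost:3000';

// Vulnerable pattern (for contrast, as a comment only):
//   res.redirect(req.query.returnTo);   // attacker controls the destination

/**
 * Returns a same-origin path to redirect to, or '/' when the candidate is
 * absolute ("http://..."), protocol-relative ("//..."), backslash-tricked
 * ("/\..."), uses a non-http scheme, or otherwise resolves off APP_ORIGIN.
 */
function safeReturnPath(candidate) {
  if (typeof candidate !== 'string' || candidate === '') return '/';
  // Require exactly one leading slash: rejects absolute URLs, "//host",
  // "/\host" (WHATWG parsing treats "\" as "/") and bare relative paths.
  if (!candidate.startsWith('/') ||
      candidate.startsWith('//') ||
      candidate.startsWith('/\\')) {
    return '/';
  }
  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return '/';
  }
  // Defence in depth: after resolution the origin must still be ours.
  if (parsed.origin !== APP_ORIGIN) return '/';
  // Return only path and query, so no host or fragment reaches the header.
  return parsed.pathname + parsed.search;
}

// Constructed sample inputs: what a browser might send in ?returnTo=...
const samples = ['/posts/42?liked=1', '//evil.example/', 'http://evil.example/',
                 'javascript:alert(1)', '/\\evil.example', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeReturnPath(s));
}
```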
Published 12 September 2020 by Benjamin Johnston.