BunchOfFriendsJS is an intentionally insecure social network to teach web security.

I recently redesigned and reimplemented the system for Node.js, based on an earlier version designed for Java EE.

It is designed to have many of the OWASP Top 10 vulnerabilities.

To run BunchOfFriendsJS, launch it with the npx command given under Options and Security below.

The source is available on GitHub.

Options: use npx bjau/bunchoffriendsjs --port 4000 to listen on a different port (port 4000 in this example).

Security: the application is insecure, so by default it binds only to the loopback interface (127.0.0.1). To bind to all interfaces (0.0.0.0) and allow remote access, launch it with npx bjau/bunchoffriendsjs --public.

Purpose: I created the system while teaching a subject on advanced internet programming. It is intended to help teach a security mindset. Feel free to use it for any purpose. However, you should not deploy it on a publicly accessible server because it is so insecure.

License: feel free to use it however you wish; it is released under a Creative Commons Zero (public domain) license.

BunchOfFriendsJS is an alternative to the OWASP WebGoat project. WebGoat is tutorial-oriented: it is a set of guided exercises. In contrast, BunchOfFriendsJS is an ordinary application that happens to be full of security holes.

BunchOfFriendsJS can be used to re-create something like the “Samy” MySpace worm. You can create a profile that virally becomes friends with anybody who sees the profile name.

What follows is a discussion of how each of the OWASP Top 10 vulnerabilities relates to the application.

A1. Injection

SQL queries are not properly escaped. You can use SQL injection to log in without a valid password.
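As an added illustration (not code from BunchOfFriendsJS), here is the login-query pattern the text describes, built by string concatenation, beside a parameterised form. The queries are returned as text rather than executed, so the difference is visible without a database; the `{ sql, params }` shape with `?` placeholders is what AlaSQL and most SQL drivers accept.

```javascript
// Added example, not BunchOfFriendsJS code: the login query built by string
// concatenation (the pattern the text describes) beside a parameterised form.
// Queries are returned as text rather than run, so no database is needed.

// Vulnerable: whatever the user types is spliced into the SQL grammar.
function buildUnsafeLoginQuery(username, password) {
  return "SELECT * FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'";
}

// Hardened: the SQL text is constant; values travel in a separate array and
// are bound by the driver, so they can never be read as SQL.
function buildSafeLoginQuery(username, password) {
  return {
    sql: 'SELECT * FROM users WHERE username = ? AND password = ?',
    params: [username, password],
  };
}

// Cheap structural check: a statement built from two string literals should
// contain exactly four quote characters. Any other count means the input has
// changed the statement's structure, which is the root of every injection.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Does the statement text depend on the input at all? For a parameterised
// builder the answer must always be "no".
function queryTextDependsOnInput(builder) {
  const textOf = (q) => (typeof q === 'string' ? q : q.sql);
  const plain = builder('alice', 'pw');
  const quoted = builder("O'Brien", 'pw'); // a legitimate name with a quote
  return textOf(plain) !== textOf(quoted);
}
```

The quote count is only a review-time heuristic; the durable fix is that `buildSafeLoginQuery` produces the same statement text for every input, so there is nothing for a crafted username or password to alter.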

A2. Broken Authentication

Sessions are generated with predictable identifiers and stored in insecure cookies.

A3. Sensitive Data Exposure

The database stores passwords in plain text: usernames and passwords can be read from the admin zone, and the passwords are not hashed.

A4. XML External Entities (XXE)

The application does not process XML so this vulnerability is not applicable.

A5. Broken Access Control

Pages for authenticated users are not properly secured. You can view the posts of a user without logging in.

A6. Security Misconfiguration

Error messages reveal internal SQL queries.

No sandboxing protects the server's filesystem from advanced SQL queries that read and write CSV files.

A7. Cross-Site Scripting (XSS)

Almost all user input is rendered without escaping or sanitisation, so script can be injected into any page.
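As an added example (not BunchOfFriendsJS code), here is the kind of profile-name rendering the text describes, interpolating user input raw, beside a version that escapes it, plus a review-time check that flags any element the template did not put there. The `profile-name` class and the sample name are constructed.

```javascript
// Added example, not BunchOfFriendsJS code: raw interpolation of a profile
// name beside an escaped version, and a check that flags elements a template
// did not intend to emit. The sample name is constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text content and for double- or single-quoted attribute
// values. Not sufficient on its own for URL attributes or script contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the name is markup as far as the browser is concerned.
function renderProfileUnsafe(name) {
  return '<h1 class="profile-name">' + name + '</h1>';
}

// Hardened: the name is always text, whatever characters it contains.
function renderProfileSafe(name) {
  return '<h1 class="profile-name">' + escapeHtml(name) + '</h1>';
}

// Element names that appear in a rendered fragment, opening and closing tags.
function elementNames(html) {
  return (html.match(/<\/?([a-zA-Z][\w-]*)/g) || [])
    .map((t) => t.replace(/^<\/?/, '').toLowerCase());
}

// Did rendering introduce an element outside the template's allow-list?
function hasUnexpectedElements(html, allowed) {
  return elementNames(html).some((name) => !allowed.includes(name));
}
```

Escaping is context-specific: `escapeHtml` covers text and quoted attribute values, a user-supplied `href` needs URL validation instead, and user data should never be interpolated into inline script at all.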

A8. Insecure Deserialization

The application does not serialize/deserialize data so this vulnerability is not applicable.

A9. Using Components with Known Vulnerabilities

The application makes use of the in-memory AlaSQL database. This database is not designed to be exposed to untrusted input. In fact, it is possible to modify the local filesystem with carefully crafted queries.

A10. Insufficient Logging and Monitoring

The application does not log any access so there is no record of any incident.

Other issues

The application is vulnerable to URL editing. You can view the posts of somebody who is not a friend, without “friending” them.
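Both the A5 item above (posts viewable without logging in) and this URL-editing issue come down to the same missing authorisation decision, so one added example (not BunchOfFriendsJS code) covers both: a login gate, a single `canViewPosts` check that requires the viewer to be the owner or a friend, and a posts handler that applies it however the URL was reached. The friendship data, the posts, the `/posts?user=` route and the `req`/`res` shapes are constructed; the handlers follow the `(req, res, next)` convention of Express-style frameworks but depend on none.

```javascript
// Added example, not BunchOfFriendsJS code. The two checks the posts page is
// missing: that the requester is logged in at all (A5), and that the requester
// is the owner or a friend of the owner (the URL-editing issue). Friendship
// data, posts and the req/res shapes are constructed for this example.

// Constructed data: friendships are stored symmetrically.
const friendships = new Set();
const posts = [
  { owner: 'alice', text: 'Hello from alice' },
  { owner: 'bob', text: 'Hello from bob' },
];

function addFriendship(a, b) {
  friendships.add(a + '|' + b);
  friendships.add(b + '|' + a);
}

function areFriends(a, b) {
  return friendships.has(a + '|' + b);
}

// The authorisation decision lives in one function so every route that shows
// posts makes the same decision, however the URL was reached.
function canViewPosts(viewer, owner) {
  if (!viewer) return false;           // anonymous: never
  if (viewer === owner) return true;   // your own posts
  return areFriends(viewer, owner);    // otherwise friends only
}

// Gate for routes that need a login: redirect anonymous requests away.
function requireLogin(req, res, next) {
  if (!req.session || !req.session.user) {
    res.statusCode = 302;
    res.headers.Location = '/login';
    return;
  }
  next();
}

// GET /posts?user=<owner>: being logged in is necessary but not sufficient.
function postsHandler(req, res) {
  const owner = req.query.user;
  const viewer = req.session.user;
  if (!canViewPosts(viewer, owner)) {
    res.statusCode = 403;
    res.body = [];
    return;
  }
  res.statusCode = 200;
  res.body = posts.filter((p) => p.owner === owner);
}

// Run a request through the gate and then the handler; returns the response.
function handlePostsRequest(req) {
  const res = { statusCode: 200, headers: {}, body: null };
  requireLogin(req, res, () => postsHandler(req, res));
  return res;
}

addFriendship('alice', 'bob');
```

The point of routing every decision through `canViewPosts` is that editing the `user` parameter in the URL reaches exactly the same check as clicking a friend's link, so there is no second, unguarded path to the data.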

The application has an admin zone that has not been properly secured.

The application is vulnerable to cross-site request forgery: you can create a third-party website that will automatically cause logged-in users to add a friend.

The application uses a redirect (when liking a post) that can be abused to send users to a phishing site.

Published 12 September 2020 by Benjamin Johnston.