15 September, 2022

Request forgery in node by example

Let me start by saying I've been writing Javascript on and off since the early 2000s but I definitely don't consider myself an expert in it, particularly given the rapid iteration of JS best practices and uses.

Somewhere between the end of 2020 and mid 2021 I started building an intentionally awful sketch toy app where I reproduced a handful of CVEs I was familiar with in nodejs, and have kept adding to it periodically as I have learned things or occasionally thought "how would that actually look in code?" when exploring something in a black box environment. 

My occasional dips into other people's Javascript codebases have also made me realize there's a lot of elements of a "typical" modern JS codebase which I've seen, used, or contributed to, but never set up from scratch in a modern JS project. Test frameworks. Linting. And so on. So with the intention of teaching myself how a modern Javascript app goes together properly, I started (and have yet to finish!) adding all the bells and whistles a proper server should have.

I am not opening up this code because it is finished (it is very much not finished or polished, and additions are welcome on basically all fronts), but rather in the hopes that other folks might like to play with it, learn from it, or add to it. 

As I was writing this code (both last year, and then this year after I picked up development again with the intent of releasing this project while I'm funemployed before my next job starts), I asked a couple of individuals for feedback or their thoughts. Thanks very much John, Nathan, Sharon, and anyone else who's spent any time looking at this :)

The code is here: https://github.com/kaoudis/vulnparty-js
How to get started: examples
And the rest of the documentation on what's there and a little about how it works: doc