Welcome!
This is the sample code for the GitHub Partner Workshop on Snyk Academy.
It uses Snyk's Goof vulnerable demo app. More on Goof below:
Goof - Snyk's vulnerable demo app
A vulnerable Node.js demo application, based on the Dreamers Lab tutorial.
Features
This vulnerable app includes the following capabilities to experiment with:
- Exploitable packages with known vulnerabilities
- Docker Image Scanning for base images with known vulnerabilities in system libraries
- Runtime alerts for detecting an invocation of vulnerable functions in open source dependencies
Running
mongod &
git clone https://github.com/Snyk/snyk-demo-todo
npm install
npm start

This will run Goof locally, using a local mongo on the default port and listening on port 3001 (http://localhost:3001).
Running with docker-compose
docker-compose up --build
docker-compose down

Exploiting the vulnerabilities
This app uses npm dependencies holding known vulnerabilities.
Here are the exploitable vulnerable packages:
The exploits/ directory includes a series of steps to demonstrate each one.