Add complete vulnerable-node application with DVWA integration

DVWA/.dockerignore

@@ -0,0 +1,6 @@
+**/.git
+**/.gitignore
+**/.github
+**/Dockerfile*
+**/.dockerignore
+**/compose.yml

DVWA/.gitattributes

@@ -0,0 +1,31 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+#
+# The above will handle all files NOT found below
+#
+
+# Documents
+*.pdf diff=astextplain
+*.PDF diff=astextplain
+*.md text diff=markdown
+
+# Graphics
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.ico binary
+
+# Archives
+*.db binary
+
+# Text files where line endings should be preserved
+*.patch -text
+
+#
+# Exclude files from exporting
+#
+
+.gitattributes export-ignore
+.gitignore export-ignore
+.gitkeep export-ignore

DVWA/.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: digininja
+custom: https://digi.ninja

DVWA/.github/ISSUE_TEMPLATE/bug-report---installation.md

@@ -0,0 +1,47 @@
+---
+name: Bug report - Installation
+about: Create a report about installation issues
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before you raise a bug, please make sure you have fully read the README, especially if your bug relates to configuring the database.
+
+Issues will be closed if the answer is in the README and no obvious attempts have been made to follow it.
+
+Support will only be given for users running the latest pull of code from GitHub. Not a tagged release, not a pre-installed app, not a ZIP you got from a mate.
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+What have you installed, what are you running when you get the error...
+
+Steps to reproduce the behaviour:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Logs**
+Include the last five lines of the Apache log file from directly after the problem happened.
+
+**Expected behaviour**
+A clear and concise description of what you expected to happen.
+
+**What have you done to help fix the issue yourself?**
+What have you tried, what research have you done, what changes have you made.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**System (please complete the following information):**
+ - OS: [e.g. Windows, Ubuntu]
+ - Database and Version [e.g. MySQL, MariaDB, 10.5.12-MariaDB]
+ - PHP Version [e.g. 7.4.25]
+- Installed PHP modules
+
+**Additional context**
+Add any other context about the problem here.

DVWA/.github/ISSUE_TEMPLATE/bug-report---vulnerability.md

@@ -0,0 +1,46 @@
+---
+name: Bug report - Vulnerability
+about: Creating a report in a bug in a vulnerability
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before you raise a bug, please make sure you have fully read the README, especially if your bug relates to configuring the database.
+
+Issues will be closed if the answer is in the README and no obvious attempts have been made to follow it.
+
+Support will only be given for users running the latest pull of code from GitHub. Not a tagged release, not a pre-installed app, not a ZIP you got from a mate.
+
+**Describe the bug**
+A clear and concise description of what the bug is. 
+
+**To Reproduce**
+Steps to reproduce the behaviour:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behaviour**
+A clear and concise description of what you expected to happen.
+
+**What have you done to help fix the issue yourself?**
+What have you tried, what research have you done, what changes have you made.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**System (please complete the following information):**
+ - DVWA installation OS [e.g. Windows, Ubuntu]
+ - Database and Version [e.g. MySQL, MariaDB, 10.5.12-MariaDB]
+ - PHP Version [e.g. 7.4.25]
+
+**Browser/Proxy (please complete the following information):**
+ - OS - The one you are running the browser in: [e.g. Windows 10]
+ - Browser [e.g. Chrome, Firefox]
+ - Proxy [e.g. Burp, ZAP]
+
+**Additional context**
+Add any other context about the problem here.

DVWA/.github/ISSUE_TEMPLATE/i-m-stuck.md

@@ -0,0 +1,21 @@
+---
+name: I'm Stuck
+about: When you are stuck exploiting a vulnerability
+title: ''
+labels: 'stuck'
+assignees: ''
+
+---
+
+Questions here may or may not be answered depending on the state of the question, to increase your chance, read this before asking [Asking For Technical Help](https://digi.ninja/blog/asking_for_help.php).
+
+Basically, the more details you give, the more chance of getting an answer. We need at least:
+
+- Where did you get DVWA from?
+- What OS are you installing it on?
+- Last five lines from the web server access and error log from the time the error occurred if you got that far.
+- The error you got when you got stuck.
+- Any previous errors.
+- What you have tried to do yourself to fix the problem.
+
+Support will only be given for users running the latest pull of code from GitHub. Not a tagged release, not a pre-installed app, not a ZIP you got from a mate.

DVWA/.github/workflows/codeql-analysis.yml

@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 15 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['javascript', 'python']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

DVWA/.github/workflows/docker-image.yml

@@ -0,0 +1,36 @@
+name: Docker Image CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v1
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name : Build and push DVWA image
+      run: |
+        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/dvwa
+        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
+        VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+        [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+        [ "$VERSION" == "master" ] && VERSION=latest
+        COMMIT=$(echo "${{ github.sha }}" | cut -c 1-7)
+        echo IMAGE_ID=$IMAGE_ID
+        echo VERSION=$VERSION
+        echo COMMIT=$COMMIT
+        docker image build --tag dvwa .
+        docker image tag dvwa $IMAGE_ID:$VERSION
+        docker image tag dvwa $IMAGE_ID:$COMMIT
+        docker image push $IMAGE_ID:$VERSION
+        docker image push $IMAGE_ID:$COMMIT

DVWA/.github/workflows/pytest.yml

@@ -0,0 +1,25 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  schedule:
+    # Every Sunday at 0AM UTC
+    - cron: "0 0 * * 0"
+
+jobs:
+  Pytest:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install and Run Pytest
+        run: |
+          export SETUPTOOLS_USE_DISTUTILS=stdlib
+          pip3 install pytest
+          python3 -m pytest -s

DVWA/.github/workflows/shiftleft-analysis.yml

@@ -0,0 +1,42 @@
+# This workflow integrates Scan with GitHub's code scanning feature
+# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft
+# Visit https://slscan.io/en/latest/integrations/code-scan for help
+name: SL Scan
+
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  Scan-Build:
+    # Scan runs on ubuntu, mac and windows
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    # Instructions
+    # 1. Setup JDK, Node.js, Python etc depending on your project type
+    # 2. Compile or build the project before invoking scan
+    #    Example: mvn compile, or npm install or pip install goes here
+    # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url
+
+    - name: Perform Scan
+      uses: ShiftLeftSecurity/scan-action@master
+      env:
+        WORKSPACE: ""
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SCAN_AUTO_BUILD: true
+      with:
+        output: reports
+        # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type
+        # type: credscan,java
+        # type: python
+
+    - name: Upload report
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: reports

DVWA/.github/workflows/vulnerable.yml

@@ -0,0 +1,54 @@
+name: Vulnerable Action
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  run_commands:
+    name: Run Linux Commands
+    runs-on: ubuntu-latest
+    steps:
+      - name: Directory Listing
+        run: |
+          ls -al
+          ls /
+          pwd
+          id
+          cat /etc/passwd
+
+  get_secrets:
+    name: Get Some Secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get Secret
+        env:
+          ALLMYSECRETS: ${{ toJSON(secrets) }}
+          ALLMYVARS: ${{ toJSON(vars) }}
+          SUPER_SECRET: ${{ secrets.DVWA_SECRET_KEY }}
+        run: |
+          # This will just show ***
+          echo "$SUPER_SECRET"
+
+          # This will put the secret into a file and then display the file, but that
+          # will still only show ***
+          echo "$SUPER_SECRET" > secret_file
+          cat secret_file
+
+          # This will try to show all the secrets, but will show *** instead
+          echo "$ALLMYSECRETS"
+
+          # This will show the variables, because variables are public
+          echo "$ALLMYVARS"
+
+          # This will show a base64 encoded version of the one secret.
+          # Github doesn't recognise this so will allow it to be shown
+          echo "$SUPER_SECRET" | base64
+
+          # Same for all the tokens.
+          echo "$ALLMYSECRETS" | base64