"Med Cellar" is a sample CRUD application built with Backbone.js, Twitter Bootstrap, Node.js, Express, and MongoDB.

It contains a deliberately vulnerable branch as well as a "fixed" branch.

The application allows you to browse through a list of meds, as well as add, update, and delete meds.

There are two configurations inside of Med Cellar: development and weak. The configuration files are located in $MEDCELLAR_PATH/medcellar/config/. The development build has all of the security fixes mentioned in the exercises, whereas the weak build has none or only minimal security controls.

To install the dependencies locally, run:

cd ./medcellar
npm install
npm i grunt nodemon -g

In order to run the application in development mode use:

sudo grunt deploy

To run the application in weak mode use:

grunt deployweak

Running the commands mentioned above will completely drop the database, rebuild it with demo data, and launch the application with the associated configuration.

Additionally, if you would like to experiment with different security controls, you may manually edit the config.js file in the config folder to enable or disable other options. One of these options is the choice of helmet or lusca as the security middleware.
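The following is an added example, not Med Cellar's own code, of what a config-driven security middleware switch like the one above looks like, and of how to audit the difference between the two builds. The real project wires the helmet or lusca npm packages; to stay self-contained this example uses a hand-written stand-in middleware that sets the same kind of browser hardening headers helmet's defaults do. The config key `securityMiddleware`, its values `hardened` and `none`, and the function names are all hypothetical and do not come from Med Cellar's config.js.

```javascript
// Added example (not Med Cellar's code): selecting security middleware from a
// config object and auditing which hardening headers a build actually emits.

// Hypothetical config shapes standing in for the development and weak builds.
const developmentConfig = { securityMiddleware: 'hardened' };
const weakConfig = { securityMiddleware: 'none' };

// "Weak" mode: middleware that adds nothing and just passes the request on.
function passThrough(req, res, next) {
  next();
}

// "Hardened" mode: a stand-in for helmet/lusca that sets a conservative set of
// response headers (content-type sniffing, framing, HSTS, a minimal CSP).
function hardenedHeaders(req, res, next) {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  res.setHeader('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  next();
}

// Pick the middleware for a build; unknown values fail loudly rather than
// silently falling back to the weak behaviour.
function selectSecurityMiddleware(config) {
  switch (config.securityMiddleware) {
    case 'hardened':
      return hardenedHeaders;
    case 'none':
      return passThrough;
    default:
      throw new Error('unknown securityMiddleware: ' + config.securityMiddleware);
  }
}

// Run a middleware against a minimal fake response so the selection can be
// exercised without starting Express. Header names are normalised to lower case.
function runMiddleware(mw) {
  const headers = {};
  const res = {
    setHeader(name, value) {
      headers[name.toLowerCase()] = value;
    },
  };
  let nextCalled = false;
  mw({}, res, () => {
    nextCalled = true;
  });
  return { headers, nextCalled };
}

// Audit helper: which of the expected hardening headers did the build omit?
function missingHardeningHeaders(headers) {
  const expected = [
    'x-content-type-options',
    'x-frame-options',
    'strict-transport-security',
    'content-security-policy',
  ];
  return expected.filter((h) => !(h in headers));
}

// Demo: compare what each build would send to a browser.
for (const [name, cfg] of [['development', developmentConfig], ['weak', weakConfig]]) {
  const { headers } = runMiddleware(selectSecurityMiddleware(cfg));
  console.log(name + ' build, missing hardening headers:', missingHardeningHeaders(headers));
}
```

In the real application the `hardened` branch would return `helmet()` or a lusca configuration instead of the hand-written function, but the audit pattern is the same: run a request through the configured middleware stack and assert on the headers that come out, so a weak build cannot be shipped by accident.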

Install - Vagrant

Run the following:

vagrant box add phusion/ubuntu-14.04-amd64
vagrant up --provision
vagrant ssh
cd /opt/medcellar

In order to run the application in development mode use:

sudo grunt deploy

To run the application in weak mode use:

sudo grunt deployweak

Dropping the Database

If you would like to drop the database on its own, without redeploying, you may run:

grunt exec:dropdb