snyk-labs/nodejs-goof — reverse-engineered prompt

Reverse engineered prompt


Build me a small, intentionally vulnerable to-do list web app for security training, not for real users. I want people to be able to run it locally, add and delete to-do items, sign in as an admin, and edit an account details page.

Use a simple Node.js web app with MongoDB, with server-rendered pages and basic routes. Make it easy to start with npm and also with Docker Compose. It should listen on port 3001 and include a cleanup command to wipe the to-do items.

Please include demo security issues on purpose so a workshop can show how scanners and manual testing find them: things like old vulnerable packages, NoSQL injection on login, cross-site scripting, open redirect, command execution, a hardcoded session secret, unsafe template rendering, and exposed server information. Add clear example exploit steps in an exploits folder so learners can reproduce each issue safely on their own machine.
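As an added illustration of the "NoSQL injection on login" item above (example code written for this page, not code from nodejs-goof), here is the kind of login query a workshop would compare: a filter built straight from the request body beside a hardened version that only accepts string credentials. No database is needed; the functions only build the filter object a MongoDB driver call would receive, and the request bodies are constructed for the demo.

```javascript
// Vulnerable form: whatever the parsed JSON body carries is copied into the
// filter. If body.password arrives as an object rather than a string, the
// filter becomes an operator expression instead of an equality test, and a
// driver call such as users.findOne(filter) evaluates that operator.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened form: only plain strings are accepted for credentials, so an
// operator object smuggled in through the body never reaches the driver.
// (Comparing a plaintext password in the query is itself a training-app
// shortcut; a real app compares a password hash outside the query.)
function buildLoginFilterHardened(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return null; // caller should answer 400 Bad Request
  }
  return { username, password };
}

// Cheap detection check an input-validation layer can run over any filter:
// true when some field value is an object whose keys look like MongoDB
// operators ($gt, $ne, $regex, ...).
function containsOperator(filter) {
  return Object.values(filter).some(
    (v) => v !== null && typeof v === 'object' &&
      Object.keys(v).some((k) => k.startsWith('$'))
  );
}

// Constructed request bodies (hypothetical values): a normal login and one
// where the JSON body carries an operator object in place of the password.
const normalBody = { username: 'admin', password: 'hunter2' };
const operatorBody = { username: 'admin', password: { $gt: '' } };

// Walk both bodies through both builders to show the difference.
function demo() {
  return {
    vulnerableAcceptsOperator: containsOperator(buildLoginFilterVulnerable(operatorBody)),
    hardenedRejectsOperator: buildLoginFilterHardened(operatorBody) === null,
    hardenedAcceptsNormal: containsOperator(buildLoginFilterHardened(normalBody)) === false,
  };
}
```

Run `node` on the file and call `demo()` to see that the vulnerable builder forwards the operator object while the hardened one rejects it before any query is made.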
