Damn Vulnerable Node Application (DVNA) is a Node.js web application that is damn vulnerable. Its intended purpose is to teach secure coding concepts to web developers who use Node, and to explore web application vulnerabilities in a controlled class environment or to serve as a cyber range for capture the flag events. It's loaded with common web vulnerabilities and various levels of complexity.
Install git, a node version manager and the latest stable release
sudo apt-get install git
wget -qO- https://raw.github.com/creationix/nvm/master/install.sh | sh
source ~/.bashrc
nvm install 5.3.0
nvm use 5.3.0
git clone https://github.com/quantumfoam/dvna.git
cd dvna/
npm set progress=false
npm install
node dvna.js
navigate to http://localhost:3000/
Go read the source files and find out how to exploit each flaw!