@ChrisBAshton
Last active October 2, 2016 18:41
Security in JavaScript
var request = require('request'); // HTTP client the module wraps (the original omitted this require)
var customRequest;

(function () {
  function CustomRequestModule () {
    function isSafeUrl (url) {
      return url === 'https://safe-site.com';
    }
    function getAccessToken () {
      return 'my top secret access token';
    }
    return {
      post: function (params, callback) {
        var paramsToSend = JSON.parse(JSON.stringify(params)); // copy the JSON so the caller's own object never receives the token
        paramsToSend.headers = paramsToSend.headers || {};      // avoid a TypeError when the caller supplies no headers
        if (isSafeUrl(paramsToSend.url)) {
          paramsToSend.headers.Authorization = 'token ' + getAccessToken();
        }
        request(paramsToSend, callback);
      }
    };
  }
  customRequest = new CustomRequestModule();
})();

require('./your-custom-module.js')(customRequest);
@ChrisBAshton
Author

Scenario

node-security.js is running on a server you don't control. All you can control is a module - your-custom-module.js - which you upload to the server, and which gets passed the customRequest object.

Your your-custom-module.js might look a bit like this:

module.exports = function (customRequest) {
  customRequest.post({
    url:       "http://malicious-site.com",
    headers: {
        'Content-Type': 'application/json'
    }
  }, function (err, httpResponse, body) {
    console.log(err, httpResponse, body);
  });
};

Objective

Your aim is to steal the access token returned by getAccessToken. Is this possible?

@tmaslen

tmaslen commented Oct 1, 2016

customRequest.post(
  {
    url:'https://safe-site.com', 
    headers:{}
  },
  function(params) {
    console.log(params.headers.Authorization)
  }
);

maybe?

@tmaslen

tmaslen commented Oct 1, 2016

Is this a trick question? Am I going to be bumped back down to junior web developer now?

@ChrisBAshton
Author

ChrisBAshton commented Oct 1, 2016

Not a trick question at all! Hoping to implement a similar technique on my side project but want to know how safe it is.

Have now patched the params.headers vulnerability - have another go!

@tmaslen

tmaslen commented Oct 2, 2016

It's still available in the callback; you need to pass a reference to a closure so you can run it but not expose it.

@tmaslen

tmaslen commented Oct 2, 2016

And put the secret token in a variable that is outside the closure so if you cast the closured function to a string all it outputs is the variable name.
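The two remaining points in this thread, that the token must not be reachable through whatever the callback receives and that it should live outside the closure's source text, can be turned into a regression check. The block below is an added example, not the gist's code or either commenter's: `fakeRequest` is a constructed stand-in for the `request` library (assumed, like the real library, to hand the callback a response object that references the outgoing request, headers included, so it runs offline), `ACCESS_TOKEN` is a constructed placeholder value, and `createLeakyRequest` / `createSafeRequest` / `tokenReachableByCaller` are hypothetical names. `tokenReachableByCaller` plays the role of the untrusted your-custom-module.js: it serializes everything it is handed and reports whether the token value appears anywhere.

```javascript
// Added example, not the gist's code. The secret is kept outside the returned object and
// outside the closure body, so String(api.post) shows only the name ACCESS_TOKEN, never its value.
const ACCESS_TOKEN = 'constructed-placeholder-token'; // constructed placeholder

// Constructed stand-in for request(): mirrors the assumed contract that the response object
// carries the outgoing request, including the headers that were actually sent.
function fakeRequest(params, callback) {
  const response = {
    statusCode: 200,
    headers: { 'content-type': 'application/json' },
    request: { uri: params.url, headers: params.headers }
  };
  callback(null, response, '{"ok":true}');
}

function isSafeUrl(url) {
  return url === 'https://safe-site.com';
}

// Deep-copy the caller's params and attach the token only for the allow-listed URL.
// Working on a fresh object means the caller's own object never receives the header.
function buildOutgoingParams(params) {
  const paramsToSend = JSON.parse(JSON.stringify(params));
  paramsToSend.headers = paramsToSend.headers || {};
  if (isSafeUrl(paramsToSend.url)) {
    paramsToSend.headers.Authorization = 'token ' + ACCESS_TOKEN;
  }
  return paramsToSend;
}

// Same shape as the gist's module: the caller's callback receives the raw response object.
function createLeakyRequest(requestImpl) {
  return {
    post: function (params, callback) {
      requestImpl(buildOutgoingParams(params), callback);
    }
  };
}

// Hardened form: the caller's callback only ever sees a sanitized view of the response
// (status code, response headers, body), never the object that references the outgoing request.
function createSafeRequest(requestImpl) {
  return {
    post: function (params, callback) {
      requestImpl(buildOutgoingParams(params), function (err, httpResponse, body) {
        const safeResponse = httpResponse
          ? { statusCode: httpResponse.statusCode, headers: httpResponse.headers }
          : undefined;
        callback(err, safeResponse, body);
      });
    }
  };
}

// Plays the untrusted module: serializes its own params object, every callback argument
// and the source text of post, then reports whether the token value shows up anywhere.
function tokenReachableByCaller(api) {
  let leaked = false;
  const params = { url: 'https://safe-site.com', headers: {} };
  api.post(params, function (err, res, body) {
    const visible = JSON.stringify([params, res, body, String(api.post)]);
    leaked = visible.indexOf(ACCESS_TOKEN) !== -1;
  });
  return leaked; // fakeRequest calls back synchronously, so this is already set
}

console.log('leaky module exposes token:', tokenReachableByCaller(createLeakyRequest(fakeRequest)));
console.log('safe module exposes token:', tokenReachableByCaller(createSafeRequest(fakeRequest)));
```

The check is deliberately crude (a substring search over everything the caller can see) so that it stays independent of which property the token might surface in; when swapping `fakeRequest` for the real client, keep the sanitizing wrapper in `createSafeRequest` and re-run the same check against a mocked response.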
