Skip to content

Instantly share code, notes, and snippets.

@lirantal
Created November 21, 2022 17:48
Embed
What would you like to do?
XSS in serve-lite@1.1.0 module

Cross-site scripting (XSS) vulnerability in serve-lite@1.1.0

serve-lite descibres itself as: a lightweight http-server for static file-based web development.

Observation:

  • Virtually zero downloads, so no considerable impact.
  • It was last published 6 months ago

Resources:

Background on exploitation

This file server library is vulnerable to cross-site scripting because when it detects a request to a directory it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding:

Lines 127-132 of server.js:

            for (let file of files) {
              let href = `${req.url}/${file}`.replace(/^\/\//, '/')
              let stat = fs.statSync(path.join(dir, file))
              let type = stat.isDirectory() ? 'D' : 'F'
              res.write(`[${type}] <a href="${href}">${file}</a><br>`)
            }

This vulnerability should probably be classified as a CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Proof of Concept exploit

  1. Install the latest version of serve-lite (npm install --save lite-dev-server@1.1.0)
  2. Make sure you have a public/ directory with files in it
  3. Add a file into that directory named with an XSS payload in its name, such as touch '><img src=x onerror=alert(1)>'
  4. Run the server node server.js 3000 public/
  5. Browse to the webpage at http://localhost:3000/ and confirm an alert popup

Author

Liran Tal

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment