Friday 24 August 2018

Insight on security question

Hello, I am doing penetration testing on an app built on Node.js, Angular and Express. The app does all its work through API calls using JSON format. I was looking at ways of passing my own objects to see if I could get that object deserialized. I'm not Node.js savvy, and since this is black-box testing I can't figure out what is going on. When I pass an array as the value for a variable I get an error "can not cast variable name of type String/enum", so I'm guessing the app is doing type checking before processing. However, if I try to pass constructor as a variable name I get an error "can not cast constructor of type undefined", so I'm not really sure what is going on. On some fields, username for example, if I pass an array instead of a string the username changes to [object : object]. Does that mean the app is not type checking that field? What are the best practices to enforce secure input? What are your assumptions about this implementation? Thank you in advance.

Submitted August 24, 2018 at 10:59AM by neglektd
