Thursday, 19 March 2020

A little security challenge

/*
 * Here's a fun little security challenge.
 *
 * The code below contains, to my knowledge, two separate vulnerabilities.
 * Try to find them!
 *
 * All vulnerabilities are in the code. The exact contents of other files are
 * unknown; required libraries are either built-in or widespread libraries
 * from npm.
 *
 * The fact that passwords are unhashed is not considered a vulnerability for
 * the purposes of this challenge.
 */

const express = require('express');
const cookieParser = require('cookie-parser');
const uuid = require('uuid');
const fs = require('fs');

// In-memory session table: session id -> username.
// NOTE(review): this is a plain object literal, so a lookup keyed by a
// client-supplied string also resolves names inherited from Object.prototype.
// A Map (or Object.create(null)) keeps lookups limited to ids stored here.
const sessions = {};

const app = express();

// NOTE(review): with `extended: true`, body fields can arrive as arrays or
// nested objects, not only strings. Handlers that treat a field as a string
// should check `typeof value === "string"` first.
app.use(express.urlencoded({ extended: true }));
app.use(cookieParser());

// Attach req.user when the "session" cookie matches an entry in `sessions`.
app.use((req, res, next) => {
    const sid = req.cookies.session;
    const owner = sessions[sid];
    if (owner != null) {
        req.user = owner;
    }
    next();
});

// Landing page: login form for anonymous visitors, index for logged-in users.
app.get("/", (req, res) => {
    const view = req.user == null ? "/views/login.html" : "/views/index.html";
    res.sendFile(__dirname + view);
});

// Login: each user is a file under ./users whose contents are the password.
app.post("/login", (req, res) => {
    const { username, password } = req.body;

    if (username == null || password == null) {
        return res.sendStatus(400);
    }

    // NOTE(review): this is the only validation applied to `username` before it
    // is joined into a filesystem path, and it assumes `username` is a string.
    // Safer: require a string, allow-list the characters, resolve the final
    // path and verify it is still inside the users directory.
    if (username.indexOf("..") !== -1) {
        return res.sendStatus(400);
    }

    const credentialFile = __dirname + "/users/" + username;
    fs.readFile(credentialFile, { encoding: "utf-8" }, (err, data) => {
        // Loose equality is kept from the original; it coerces when the two
        // sides differ in type.
        if (!err && data == password) {
            const sid = uuid.v4();
            // NOTE(review): no cookie options are passed, so HttpOnly, Secure and
            // SameSite are not set on the session cookie.
            res.cookie("session", sid);
            sessions[sid] = username;
        }
        // Success and failure both end with the same redirect to "/".
        res.redirect(303, "/");
    });
});

// File download for logged-in users.
app.get("/download", (req, res) => {
    if (req.user == null || req.query.file == null) {
        res.sendStatus(401);
        return;
    }
    // NOTE(review): the path comes straight from the query string and no `root`
    // option is given, so it is not confined to any directory. Safer: serve only
    // from a fixed base directory (res.download's `root` option) and reject
    // names that resolve outside it.
    res.download(req.query.file);
});

app.listen(process.env.PORT || 80);

Submitted March 19, 2020 at 10:29PM by Svizel_pritula
