36 | 37 |
36 | "+a+"";c=c.firstChild;f&&B(c,f,!0);H({j:d,m:f,h:c,l:1,a:null,i:null,c:null,g:null}); 61 | return c.innerHTML},prettyPrint:g=function(a,d){function f(){for(var c=Q.PR_SHOULD_USE_CONTINUATION?b.now()+250:Infinity;t
22 |
Your goal is to steal the API token by exploiting CORS.
16 |filename: /views/cors-api-token.ejs
27 |
28 | const cors_api_token_get = (req, res) => {
29 | const apiToken = req.user.apiToken;
30 | if (req.get('origin') !== undefined){
31 | res.header("Access-Control-Allow-Origin", req.get('origin'));
32 | res.header("Access-Control-Allow-Credentials", 'true');
33 | }
34 | res.render('cors-api-token', {apiToken})
35 | }
36 |
37 | Your goal is to change user password by exploiting CORS
16 |25 | 26 |
Application is using old version of socket.io to show USD value of user crypto wallet, your goal is to 17 | steal the wallet balance information. 18 |
22 |
Bitcoin:
26 | 
Ethereum:
29 | Application is using node-serialize method unserialize to parse the preference cookie, your goal is to acheive the RCE.
16 |20 |
60 |
61 | var serialize = require('node-serialize');
62 | ....
63 | const preference = serialize.unserialize(req.cookies.preference);
64 |
65 |
66 | 19 |
Application is trusting data supplied from the API client and using 14 | it to show the user details without performing the authorization check, 15 | your goal is to access details of other users by perfrom IDOR. 16 |
22 |
Username:
23 |Email:
24 | 25 |
33 |
34 | # vuln_controller.js
35 | const graphqlroot = {
36 | user: graphql_GetUser,
37 | listUsers: graphql_AllUsers,
38 | updateProfile: graphql_UpdateProfile,
39 | showProfile: graphql_ShowProfile
40 | }
41 |
42 | # vuln_controller.js
43 | async function graphql_ShowProfile(args){
44 | const userid = args.userid
45 | const q = "SELECT * FROM users where id='" + userid + "';";
46 | await con.connect()
47 | const userdata = await con.promise().query(q)
48 | return userdata[0][0]
49 | }
50 |
51 | Application is using GraphQL, your goal is to disclose the information of other registered users.
17 |Application is using graphql to update user information, your goal is to change information of other users by 15 | perform CSRF attack. 16 |
22 |
Username:
23 |Email:
24 |Password:
25 |26 | 27 |
Application is trusting data supplied from the API client and using it in a sql query without proper 14 | sanitization to display user profile, your goal is to perform SQL injection. 15 |
21 |
Username:
22 |Email:
23 | 24 |
32 |
33 | # vuln_controller.js
34 | const graphqlroot = {
35 | user: graphql_GetUser,
36 | listUsers: graphql_AllUsers,
37 | updateProfile: graphql_UpdateProfile,
38 | showProfile: graphql_ShowProfile
39 | }
40 |
41 | # vuln_controller.js
42 | async function graphqlGetUser(arg){
43 | const username = arg.username
44 | const q = "SELECT * FROM users where username='" + username + "';";
45 | await con.connect()
46 | const userdata = await con.promise().query(q)
47 | console.log(userdata[0][0])
48 | return userdata[0][0]
49 | }
50 |
51 | Application is using exec method to run ping, your goal is to acheive the Remote 19 | Code Execution.
20 | Exploit -> 21 |Application is using node-serialize method unserialize to parse preference cookie, 29 | your goal is to acheive the RCE.
30 | 31 | Exploit -> 32 |Application is using weak secret to create JSON web token that can lead to 43 | authentication bypass.
44 | Exploit -> 45 |Application has functionality to store notes, your goal is to access notes saved in
53 | vulnlabAdmin account.
Three different XSS cases are covered in this exercise depending on the ejs template syntax used to display user supplied input and context.
Application is directly concatenating user supplied input to the template that can lead to SSTI your goal is to steal the database credentials.
75 |Application is concatenating user supplied input to SQL statement without any 88 | santization.
89 | Exploit -> 90 |Application is using libxmljs to parse xml input but noent flag is set to true which 99 | enables external entities parsing.
100 | Exploit -> 101 |Application is using html-pdf-node to generate ticket pdf your goal is to acheive 112 | the SSRF
113 | Exploit -> 114 |Application has functionality to update password, which opens a new window and 122 | listens for the post message can you exploit it?
123 | Exploit -> 124 |Application has functionality to add users in organization, your goal is to add 135 | your self in a victim organization by exploiting web messages.
136 | Exploit -> 137 |Can you steal the user API token by exploiting Web Message.
145 |Steal the user API token by exploiting CORS.
Application has insecure CORS implementation, your goal is to change user password 167 | by exploiting CORS.
168 | Exploit -> 169 |Application is using old version of socket.io, your goal is to exploit it to 189 | disclose the balance in vicitm user account.
190 | Exploit -> 191 |Application is using websocket for real-time chat feature, But has only implemented 202 | client side input santization.
Application is using ReactJS which provides by default protection from XSS your 212 | goal is to 213 | perform XSS in ReactJS applications.
214 |Application is using ref escape hatch with innerHTML
227 | property to update user supplied input.
Application is using mongodb to handle user notes your goal is to
237 | perform NoSQL injection to access other users notes.
Application is using GraphQL, your goal is to disclose the information of other registered users.
Application is trusting data supplied from the API client and using it in a sql query without proper 259 | santization your goal is to perform SQL injection.
Exploit -> 261 |Application is using GraphQL, your goal is to perform CSRF.
Application is trusting data supplied from the API client and using 281 | it to show the user details without performing the authorization check.
Exploit -> 283 |Application has a functionality to upload profile picture your goal is to perform XSS.
Application is using JSONP for fetching wallet balance information your goal is to steal wallet information of other users.
303 |Application has a password protected secret your goal is to access it by using NoSQL injection.
Application is using JSONP for fetching wallet balance information your goal is to steal wallet information of other users. 16 |
20 |
Bitcoin:
24 | Ethereum:
27 | Application is using weak secret to create JSON web token that can lead to authentication bypass. Your goal is to access API Key of username: vulnlabAdmin
28 |
29 | # .env
30 | JWT_SECRET=secret
31 |
32 | # controllers/auth_controller.js
33 | function generateAccessToken(username, email) {
34 | const payload = {"username": username};
35 | return jwt.sign(payload, secret);
36 | }
37 |
38 | Application is using mongodb to handle user notes your goal is to read a note with the title
16 | SuperSecretNote by
17 | performing NoSQL injection.
18 |
24 |
25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 || Title | 43 |Note | 44 |
|---|---|
59 |
60 | const mongodb_show_notes_post = (req, res) => {
61 | MongoClient.connect(dbURL, mongodb_config, (err, client) => {
62 | if (err) return res.status('500').send('MongoDB is not installed, Please follow the installation guideline.');
63 | const db = client.db('vuln_nodejs_app')
64 | db.collection('mongodb-notes').find({ username: req.body.username }).toArray()
65 | .then((notes) => {
66 | res.send(notes)
67 | })
68 | })
69 | }
70 |
71 | Application has a password protected secret your goal is to access it by using NoSQL injection.
16 |Password
23 |Application is loading Notes saved in user account based on the userid supplied in url path your
16 | goal is to access notes saved in vulnlabAdmin account by performing IDOR.
17 |
23 |
24 | 25 | 26 | 27 | 28 | 29 || id | 40 |title | 41 |
|---|---|
56 |
57 | const userNotes_get = (req, res) => {
58 | const userid = req.params.userid;
59 | Notes.findAll({ where: { userid: userid } })
60 | .then((queryResult) => {
61 | res.header("Content-Type", "application/json")
62 | res.send(JSON.stringify(queryResult));
63 | })
64 | }
65 |
66 | Your goal is to add yourself in a victim organization by exploiting web messages.
16 |20 |
21 | 22 | 23 |User supplied input directly passed to exec function without santization.
14 |
17 |
18 | const exec = require('child_process').exec
19 | ....
20 | const ping = req.body.ping;
21 | exec('ping -c 3 ' + req.body.ping, function (err, stdout, stderr){
22 | output = stdout + stderr;
23 | console.log(output)
24 | res.render('ping', {
25 | output: output
26 | });
27 | })
28 |
29 |
30 | Command Output
38 |39 | <%= output %> 40 |41 | <% } %> 42 | 43 |
In this version application uses `execFile` function from the `child_process` module that starts a specific program 46 | and takes an array of arguments. 47 |
50 |
51 | const execFile = require('child_process').execFile;
52 | ...
53 | execFile('/usr/bin/ping', ['-c', '3', ping1], function (err, stdout, stderr){
54 | pingoutput = stdout + stderr;
55 | res.render('ping', {
56 | pingoutput: pingoutput,
57 | output: null
58 | });
59 | });
60 |
61 |
62 | Command Output
69 |70 | <%= pingoutput %> 71 |72 | <% } %> 73 | 74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /views/register.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | <%- include ('includes/header.ejs') %> 6 | 7 | 8 | 9 | <%- include ('includes/navigation.ejs') %> 10 |
`findAll` method instead of executing raw query using pool.
15 |
50 | router.get('/sqli-fixed/:from-:to', vuln_handler.fixed_sqli_check_train_get);
51 | ...
52 | const fixed_sqli_check_train_get = (req, res) => {
53 | const from = req.params.from;
54 | const to = req.params.to;
55 | db.Train.findAll({where:{from_stnt: from, to_stnt: to }}).then((trains)=> res.send(trains))
56 | .catch(()=>res.send('Internal error occured!'));
57 | }
58 |
59 | Application is concatinating user supplied input to SQL statement without any santization your goal is to extract credentials of vulnlabAdmin account.
20 |
To
21 |
28 |
39 |
40 | router.get('/sqli/:from-:to', vuln_handler.sqli_check_train_get);
41 | ...
42 | const sqli_check_train_get = (req, res) => {
43 | const from = req.params.from;
44 | const to = req.params.to;
45 | const q = "SELECT ntrains FROM trains where from_stnt='" + from + "' and to_stnt='" + to + "';";
46 | con.connect(function (err) {
47 | if (err) throw err;
48 | con.query(q, (err, results) => {
49 | if (err) {
50 | res.send(err);
51 | };
52 | res.send(JSON.stringify(results));
53 | });
54 | });
55 | }
56 |
57 | Application allow users to upload .svg file as a profile picture your goal is to steal other users 15 | information by using XSS. 16 |
23 |
27 | 28 |Book your tickets
28 |Your goal is to bypass the 2FA authentication check during login.
16 |Your goal is to perform XSS by exploiting web message.
22 |
23 |24 |
25 | 34 | 35 |Your goal is to steal the API token by exploiting web messages.
16 |filename: /views/webmessage-api-token-popup.ejs
29 |
30 | var token = "<%-apiToken%>";
31 | window.opener.postMessage({'token':token}, '*')
32 | window.close()
33 |
34 | Application is using socket.io for real-time chat feature, But has only implemented client side input 18 | sanitization your goal is to perform XSS to steal other users session cookie.
19 |23 |
42 | # server.js
43 |
44 | socket.on('new_message', (data) => {
45 | io.sockets.emit('new_message', { message: data.message, username: socket.user.username, login_user: socket.user.username })
46 | })
47 |
48 | # websocket-xss.ejs
49 | socket.on('new_message', (data) => {
50 | const current_messages = message_box.innerHTML
51 | if (data.username === current_user) {
52 | message_box.innerHTML = current_messages + `<b><p style="color:rgb(114, 114, 114); display: inline-block;"> You:</p></b> ${data.message}</pre><br>`
53 | } else {
54 | message_box.innerHTML = current_messages + `<b><p style="color:rgb(250, 127, 168); display: inline-block;"> ${data.username}:</p></b> ${data.message}</pre><br>`;
55 | }
56 | })
57 |
58 |
59 | User supplied input rendered without santizing.
15 |16 |
20 | <% if (xss1){%> 21 |HTML encoding is used but user supplied input is rendered inside script tag.
32 |33 |
37 | 38 |XSS inside json object, In this case application is using <%-JSON.stringify("{username": xss3})%> to create a
45 | json object with user supplied input it is using ejs raw output syntax <%- to create a valid json object it does
46 | not use <%=
47 | because it will also encode the double quotes but JSON.stringify will escape the double quotes using backslash
48 | that means we have to find
49 | a way to break out of the double quote to do that we will use this payload
50 | </script><script>alert(1)</script>
52 |
56 | 57 |Application is using libxmljs for parsing xml which allows parsing of external entities if noent flag is set to true, your goal is to read /etc/passwd file.
Lorem ipsum dolor sit amet consectetur adipisicing elit. Non omnis blanditiis consequuntur. Placeat nobis quaerat esse! Maiores molestias quam at adipisci. Hic sequi qui tempore consectetur aliquid quisquam. Rem, illo. Lorem ipsum dolor sit amet, consectetur adipisicing elit. Error, ab qui dolore et facilis aperiam? Atque quasi repellendus facilis, quibusdam, reiciendis quae unde quia neque quaerat eveniet, ducimus iste mollitia. Lorem ipsum dolor sit amet consectetur adipisicing elit. Nulla optio expedita error dolores et corporis ratione, molestiae minus voluptates rerum, ut non distinctio eaque commodi earum repellendus, temporibus molestias! Ipsa!
17 |Comments: 19 |
20 | 21 | 22 |
28 |
29 | var libxmljs = require('libxmljs');
30 | ....
31 | const rawcomment = req.body.comment;
32 | const parsecomment = libxmljs.parseXmlString(rawcomment, {noent: true,noblanks:true}); // Vuln: noent is set to true
33 | var comment = parsecomment.get('//content');
34 | comment = comment.text();
35 | res.send(comment)
36 |
37 |
38 | Application is using ReactJS which provides by default protection from XSS attacks by 49 | encoding dangerous characters before appending it to the page but there are 50 | cases when it will not protect you from XSS attacks. In this exercise you will learn how you 51 | can perform XSS when application passes user supplied input to href attribute.
52 |
57 | Name:
58 | Email:
59 | Website:
60 |
61 |
62 |
66 | Name: {this.state.name}
67 | Email: {this.state.email}
68 | Website: {this.state.website}
69 |
70 |
51 | ReactJS provides escape hatch to provide direct access to DOM elements. With direct access
52 | application can perform the desired operation, without requiring explicit support from React.
53 | There are two escape hatches provided by ReactJS which give access to native DOM elements: findDOMNode and createRef.
54 | In this exercise application is using refs with innerHTML property to display user supplied input which makes it vulnerable to XSS.
55 |