-
-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[⭐ ⭐ ⭐ ⭐ ⭐] Create a Challenge on HBS vulnerability. #1576
Comments
Hi @CaptainFreak I would like to work on this challenge |
Cool, but this needs some up-front design first before you jump into coding. Feel free to elaborate here in the ticket how you'd plan to implement this challenge first. Thanks! 👍 |
Hi @bkimminich sorry for the delay. currently userProfile routes uses pug as template engine I think we should convert it so it uses hbs as view engine |
Hm, there's already 5 or so challenges in the User profile, I'd prefer not to squeeze another one into it. Especially, if that requires a rewrite that could potentially break the existing challenges in it. |
videoHandler routes also uses pug |
Hey guys, I think pug maybe vulnerable to this thing as well, just with some other object property. I and some folks am working with are generically calling it Not a promise, but I will possibly look into pugs view engine and see if it's vuln. And if yes, then with which property. |
Hi I compared response header of three websites one using hbs ,second using ejs and third using pug only first two returns X-Powered-By: Express |
We really don't care about response headers, bug is in passing user controlled object to templates. |
ok thanks |
Video handler would be a better candidate to change, because it only has a single challenge (Video XSS) to keep intact. But it has no forms or anything, it's just a page rendering the video player. |
what about data erasure component ? |
Data erasure could be rewritten into a legacy page, its built-in challenge shouldn't be hard to keep working. |
So I should first change in to use hbs as view-engine and then start on the challenge |
👍Makes sense, first migrate without breaking existing look&feel and challenge(s), then add new challenge. You should use a similar UI as the PUG views, but maybe with a slight difference, so someone looking closely might notice they're not the same tech stack? |
@cigar-galaxy82, did you send me your post address already so I can send you some stickers? If not, please do so via email or DM on Slack! Thanks! |
Hi @bkimminich |
Yes that would work. You can place the middleware in the same routes file. |
Is this ok? |
That looks like it could work.
|
I can use fs.access() which is async and also takes a callback but as you mentioned if we are aiming for a particular file then there is no need to check if file exist or not using fs we can only check if path in the body is equal to ../package.json |
Description of the challenge |
We can't use package.json for this purpose as we have many other challenges rely on getting the package.json.bak from the FTP folder. Getting the actual package.json would jeopardize several challenges as dependencies have changed etc. Both package.json and frontend/package.json must be protected from LFR attack explicitly. Same for ctf.key. Probably a few others, too. Essentially all the source code, now that I think about it. We probably should place a dedicated file to read and block LFR for everything else. |
Ah, just saw that @J12934 already mentioned to have one specific file as LFR target in 3. in his comment above. |
Btw, with the XXE you can read all files from the server already, but the difference is, that it returns only the first few characters truncated and then "...", so it doesn't allow exfiltrating the entire server side code. LFR cannot add that capability either. |
https://rcehbs.herokuapp.com/ This is a example app I created which is vulnerable to RCE and uses hbs |
I think we shoud make sure you cannot get |
like a txt file ? |
1.This makes sure there is the layout keyword |
I'm not a fan of entirely "crafted" challenges where the attack vector and payload are kind of arbitrary. We have this in some of the very first challenges around Null Byte Injection, but there it serves the purpose of explaining multi-stage attacks at least. Where exactly will the read local file content be displayed? As part of the HTML page, no? So, could we just truncate whatever is read this way similar to the XXE attack vector? Could we wrap it into some scenario where truncating would even make sense? @CaptainFreak @J12934 ... what's your opinion on this? |
We can display in the browser by changing some html |
Ok, maybe I just don't understand the actual attack flow against this vulnerability from @CaptainFreak's posting. If a |
1.The responses are different when using browser and some tool for package.json file while using a tool it returns contents of the file and when using browser it converts 2.I think we can truncate all responses to show less content which will made it feel more realistic and also protect the ctf.key files |
I don't really understand what you mean in 1.) The file gets itnerpreted as a handlebars template, this means for most files that the complete contents are getting returned as most files dont include any handlebar templates :) Truncating the returned body should be possible by specifying a callback in the res.render call, see https://expressjs.com/en/4x/api.html#res.render, without the callback the rendered content is send out directly. |
👍 |
Misclicked, sorry... 😆 |
Okay that just looks like the browser is trying really hard (and failing) to render a json document as html as it thinks the response is because of the wrong content type. |
How about this ? |
@cigar-galaxy82 that looks like it would do the job 👍 Please open up a PR, commenting and reviewing on a inline code snippet in GitHub is not really practical. |
Description of the challenge |
Here's my suggestion on how to declare this challenge:
|
Hi @CaptainFreak, could you please provide feedback if #1616 implements the vulnerability in the expected form? I would say it does, as it allows both aspects of your original attack flow to happen:
Furthermore there's a truncation of the returned file contents to ~100 chars if the attacker hits an existing file (to prevent leaking the entire server side codebase) and also some specific files are completely blocked from this LFR (CTF key, ftp folder etc.) as they'd interfere with other challenges where different attack flows are expected. |
Yes @bkimminich LGTM! Good work @cigar-galaxy82! |
I know this is a long-closed issue, but it just got my attention again because @CaptainFreak is nominated in https://portswigger.net/polls/top-10-web-hacking-techniques-2021 with his original article on the matter! 🥳 And then I realized, that we still have "🔧 TODO" marker in https://github.com/juice-shop/pwning-juice-shop/blob/master/part2/vulnerable-components.md#gain-read-access-to-an-arbitrary-local-file-on-the-web-server and https://github.com/juice-shop/pwning-juice-shop/blob/master/appendix/solutions.md#gain-read-access-to-an-arbitrary-local-file-on-the-web-server and I would very much appreciate a PR on either of those... 😀 |
@bkimminich Please don't forget to vote for the blog ;) |
I already did! 🗳️ |
Done 🗳 |
This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs. |
⭐ Challenge idea
Description
Complete Blog post:
https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/
Underlying vulnerability/ies
Loca File Read, Potential RCE
Expected difficulty
Possible attack flow
500 Internal Server
Error withENOENT: no such file
or directory in body, You have hit the LFR.The text was updated successfully, but these errors were encountered: