This project is a PoC demonstrating the SSJI (server-side JavaScript injection) vulnerability in CVE-2014-7205, which opens the possibility of RCE (Remote Code Execution) on a target Node.js web server.
The repository contains two web applications, what-is-the-year and the-cutlery-shop, both of which showcase the same vulnerability. Written instructions on how to run each app are in their respective folders.
Further explanation and the steps to reproduce the attack are in the payload folder, together with the JavaScript payload used.
https://brutelogic.com.br/blog/dom-based-xss-the-3-sinks/
https://exchange.xforce.ibmcloud.com/vulnerabilities/96730
https://portswigger.net/kb/issues/00100d00_server-side-javascript-code-injection
https://s1gnalcha0s.github.io/node/2015/01/31/SSJS-webshell-injection.html
https://www.exploit-db.com/exploits/40689
https://www.openwall.com/lists/oss-security/2014/09/30/10