Juice-shop: Command injection causes Heroku to die [馃悰]

Created on 9 Oct 2019  路  7Comments  路  Source: bkimminich/juice-shop

:bug: Bug report

Description

The Heroku instance dies if process.exit() is injected in the request URL. While this issue isn't particular to Juice Shop's source code, the Node Goat project is great at recovering from such a crash (it recovers instantly).

Is this a regression?

I'm not sure. It's a problem inherent to Heroku's instance.

:microscope: Minimal Reproduction

  • Goto: https://juice-shop.herokuapp.com/rest/products/1/reviews
  • Replace with: https://juice-shop.herokuapp.com/rest/products/process.exit()/reviews

App dies for everyone >10 minutes!

bug critical

Most helpful comment

/rest/products/global['proc'+'ess']['ex'+'it']()/reviews 馃槈

All 7 comments

Ah, damn ... Your payload easily even beats my protection on develop of truncating after 40 chars as it is only 14 chars short... 馃榿

https://juice-shop-staging.herokuapp.com/rest/products/process.exit()/reviews = 馃拃

Gotta fix this somehow w/o having to disable NoSQLi on Heroku/Docker because that would mean no orders and no reviews, which is not acceptable.

Thanks for this awesome find!

The particular attack string is now sanitized after the truncation to 40 chars and should not work any more. The words process and exit are replaced with funny characters instead of removing them to avoid having to deal with recursion attacks. Feel free to try bypassing it, as it is definitely not bullet proof.

馃挕 For a long-term safer solution the vulnerable MarsDB query calls should probably be sandboxed.

/rest/products/global['proc'+'ess']['ex'+'it']()/reviews 馃槈

I'll sandbox it if possible soon and disable the challenges on Heroku...

@bkimminich Darn.. I wanted to teach this usecase as an example of Command Injection attack at a Bachelor level security lecture. Is there any other command injection vulnerability in JS? (I don't want to touch SQLi for now).
Thank you for your help! :)

It is still possible to exploit in local installations, only in Docker and Heroku it is turned off by default now. You even there turn it back on by using a custom config with only

challenges:
  safetyOverride: true

in it. Actually, I'll provide that one as config/unsafe.yml with v9.1.1 so you could start it with NODE_ENV=unsafe npm start or similarily pass that into your Docker or Heroku as an environment variable.

That'd be awesome! Thanks so much! 馃憤

Was this page helpful?
0 / 5 - 0 ratings

Related issues

cnotin picture cnotin  路  5Comments

kingthorin picture kingthorin  路  4Comments

agrawalarpit14 picture agrawalarpit14  路  4Comments

bkimminich picture bkimminich  路  6Comments

bkimminich picture bkimminich  路  6Comments