The Heroku instance dies if process.exit() is injected in the request URL. While this issue isn't particular to Juice Shop's source code, the Node Goat project is great at recovering from such a crash (it recovers instantly).
I'm not sure. It's a problem inherent to Heroku's instance.
https://juice-shop.herokuapp.com/rest/products/1/reviewshttps://juice-shop.herokuapp.com/rest/products/process.exit()/reviewsApp dies for everyone >10 minutes!
Ah, damn ... Your payload easily even beats my protection on develop of truncating after 40 chars as it is only 14 chars short... 馃榿
https://juice-shop-staging.herokuapp.com/rest/products/process.exit()/reviews = 馃拃
Gotta fix this somehow w/o having to disable NoSQLi on Heroku/Docker because that would mean no orders and no reviews, which is not acceptable.
Thanks for this awesome find!
The particular attack string is now sanitized after the truncation to 40 chars and should not work any more. The words process and exit are replaced with funny characters instead of removing them to avoid having to deal with recursion attacks. Feel free to try bypassing it, as it is definitely not bullet proof.
馃挕 For a long-term safer solution the vulnerable MarsDB query calls should probably be sandboxed.
/rest/products/global['proc'+'ess']['ex'+'it']()/reviews 馃槈
I'll sandbox it if possible soon and disable the challenges on Heroku...
@bkimminich Darn.. I wanted to teach this usecase as an example of Command Injection attack at a Bachelor level security lecture. Is there any other command injection vulnerability in JS? (I don't want to touch SQLi for now).
Thank you for your help! :)
It is still possible to exploit in local installations, only in Docker and Heroku it is turned off by default now. You even there turn it back on by using a custom config with only
challenges:
safetyOverride: true
in it. Actually, I'll provide that one as config/unsafe.yml with v9.1.1 so you could start it with NODE_ENV=unsafe npm start or similarily pass that into your Docker or Heroku as an environment variable.
That'd be awesome! Thanks so much! 馃憤
Most helpful comment
/rest/products/global['proc'+'ess']['ex'+'it']()/reviews馃槈