Sunday, January 9, 2022

open redirect vulnerability prevention

The user can be redirected to a phishing site if the open redirect URL is tampered with.

click register

The user is redirected to the contact page after registration.

If the redirect URL is tampered with, the app stays on the registration page and alerts the user.

//app.js
const jwtFunc = require('./jwt')
const express = require('express')
const path = require('path');
const bodyParser = require('body-parser')

const app = express()
const port = 8080

// Parse JSON and URL-encoded (HTML form) request bodies into req.body.
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));

// Everything under ./public (css etc.) is served as static files.
app.use(express.static(`${__dirname}/public`));

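// Database connection. Settings are taken from the environment when present;
// the literal fallbacks exist only so this demo runs out of the box. Secrets
// hard-coded in source end up in version control and in every copy of the
// file, so a real deployment must set DB_PASSWORD (and friends) instead.
const mysql = require('mysql')
const connection = mysql.createConnection({
    host: process.env.DB_HOST || '127.0.0.1',
    user: process.env.DB_USER || 'dvwa',
    password: process.env.DB_PASSWORD || 'p@ssw0rd',
    database: process.env.DB_NAME || 'sqlinjection'
})

// No callback: connection errors surface asynchronously from the driver.
connection.connect()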

//render html
// Views are EJS; plain .html files are rendered through EJS as well.
const ejs = require('ejs');
app.set('view engine', 'ejs');
app.engine('html', ejs.renderFile);

// Landing page.
app.get('/', (req, res) => {
    res.render('index');
});

...

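// Paths that /register/ may redirect to once the form is submitted.
// Only exact, site-relative entries are accepted; absolute URLs,
// protocol-relative `//host` forms and non-string query values never match.
const ALLOWED_REDIRECTS = new Set(['/contact']);

/**
 * Registration page. Redirects to `redirect_url` only when it is on the
 * allow-list; otherwise the page is re-rendered and the rejected value is
 * passed to the view so the user can be warned.
 */
app.all('/register/', function (req, res) {
    const target = req.query.redirect_url;

    // No redirect requested (absent or empty): plain registration page.
    if (target === undefined || target === '') {
        return res.render('register');
    }

    // The query parser can yield an array (?redirect_url=a&redirect_url=b)
    // or an object; treat anything that is not an allow-listed string as
    // tampered and let the view show the warning.
    if (typeof target !== 'string' || !ALLOWED_REDIRECTS.has(target)) {
        return res.render('register', { redirect_url: target });
    }

    return res.redirect(target);
});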

// Page shown after a successful registration redirect.
app.get('/contact/', (req, res) => {
    res.render('contact');
});

// Start the HTTP server on the configured port.
app.listen(port, function () {
    console.log(`Example app listening at http://localhost:${port}`)
})

--------------------------
//views/register.ejs
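<html>

<head>
    <%- include('partials/header'); %>
</head>

<body>
    <div style="margin:100px;">
        <%- include('partials/nav'); %>

            <div class="jumbotron" style="padding:40px;">
                <h3>registration</h3>
                <!-- /contact is the only post-registration target the server
                     accepts. The path must start with a forward slash; the
                     earlier backslash only worked because browsers normalise
                     it when parsing the URL. -->
                <form action="/register?redirect_url=/contact" method="post">
                    <table>
                        <tr>
                            <td><label>Name</label></td>
                            <td><input type="text" name="name" /></td>
                        </tr>
                        <tr>
                            <td><label>Password</label></td>
                            <td><input type="password" name="password" /></td>
                        </tr>
                    </table><br />
                    <input type="submit" value="register" />
                </form>

                <%# redirect_url is only set when the server rejected it, so it
                    is attacker-controlled. It is shown as escaped text rather
                    than as a link: an <a href> would offer the user the same
                    phishing hop one click later, and HTML escaping does not
                    neutralise a javascript: URL placed in an href. %>
                <% if (locals.redirect_url) { %>
                    hacker is redirecting you to <code><%= redirect_url %></code>
                <% } %>
            </div>
    </div>
</body>

</html>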

reference:
