https://zachgrace.com/tags/express/Recent content in Express on Zach GraceHugoen-usWed, 01 Mar 2017 00:00:00 +0000https://zachgrace.com/posts/backdooring-nodejs-express-apps/Wed, 01 Mar 2017 00:00:00 +0000https://zachgrace.com/posts/backdooring-nodejs-express-apps/<p><em>Updated: 2017.03.03</em></p> <p>One of the interesting things about <a href="https://nodejs.org/en/">Node.js</a> (server-side JavaScript) apps/APIs is that they&rsquo;re event driven. As an attacker, this means there are new options for post-exploitation code execution, so I wrote a little PoC to demonstrate that.</p> <p>In the scenario below, we&rsquo;re going to assume we&rsquo;ve already identified Server-Side JavaScript Injection (SSJI) in the app. This is not a new vulnerability in Express, but an experiment in post-exploitation. There are many posts on how to exploit SSJI in which they show how to read files with <code>require(‘fs’).readFile</code> or execute commands with <code>require('child_process').spawn</code>. But what if we could add our own event through the SSJI? We could modify the running app&rsquo;s behavior without touching disk and have it harvest sensitive information or perform other nefarious activities.</p>