NodeJS Express

Quick Fingerprinting

Express indicators that are useful during recon:

  • X-Powered-By: Express, or stack traces that mention express, body-parser, qs, cookie-parser, express-session, or finalhandler
  • Cookies that start with s: (signed cookie) or j: (JSON cookie)
  • Session cookies such as connect.sid
  • Hidden form fields or query parameters such as _method=PUT / _method=DELETE
  • Error pages leaking Cannot GET /path, Cannot POST /path, Unexpected token from body-parser, or a URIError raised during query parsing

Once you have confirmed Express, focus on the middleware chain, because the most interesting bugs come from the parsers, proxy trust, session handling and method tunneling rather than from the framework core itself.

The tool https://github.com/DigitalInterruption/cookie-monster automates testing and re-signing of Express.js cookie secrets.

Express commonly exposes two relevant cookie formats:

  • s:<value>.<sig> signed cookies managed by cookie-parser or express-session
  • j:<json> JSON cookies that cookie-parser parses automatically

If cookie-parser receives a signed cookie whose signature is invalid, the value becomes false rather than the tampered value. If the application accepts an array of secrets, old secrets may still validate existing cookies after rotation.

cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -n session

Custom wordlist

cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -w custom.lst

Test many cookies using batch mode

cookie-monster -b -f cookies.json

Test many cookies using batch mode with a custom wordlist

cookie-monster -b -f cookies.json -w custom.lst

If you know the secret, you can sign a cookie.

cookie-monster -e -f new_cookie.json -k secret

Query String and URL-Encoded Parser Abuse

Express targets often become interesting when they turn attacker-controlled keys into nested objects.

  • req.query can be configured with various parsers, including qs
  • express.urlencoded({ extended: true }) uses qs-style parsing for application/x-www-form-urlencoded
  • Nested parsing opens object injection, mass assignment, NoSQL injection and prototype pollution chains if the parsed object is merged into application state

Practical payloads to try:

# Mass assignment style probe
curl 'https://target.example/profile?role=admin&isAdmin=true'

# Nested object / qs syntax
curl 'https://target.example/search?user[role]=admin&filters[name][$ne]=x'

# URL-encoded body against express.urlencoded({ extended: true })
curl -X POST 'https://target.example/api/update' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'profile[role]=admin&filters[$ne]=x'

If the app reflects or stores the resulting object, move to the dedicated exploitation pages for the details:

Mass Assignment Cwe 915

Express Prototype Pollution Gadgets

Additional tests worth sending against Express specifically:

  • Deeply nested objects to find parser limits, timeouts, or 400/413 differences
  • Duplicate keys to see whether the app keeps the first value, the last value, or an array
  • Bracket syntax such as a[b][c]=1, dot syntax such as a.b=1, and __proto__ / constructor[prototype] payloads

trust proxy Abuse

If the app uses app.set("trust proxy", true) or trusts too many hops, Express derives security-relevant values from forwarding headers. If the reverse proxy does not rewrite them, a client can spoof them directly.

This affects:

  • req.hostname via X-Forwarded-Host
  • req.protocol via X-Forwarded-Proto
  • req.ip / req.ips via X-Forwarded-For

This is useful for:

  • Password reset poisoning and absolute URL poisoning
  • Bypassing IP allowlists, rate limits, or audit trails
  • Affecting secure cookie handling and HTTPS-only logic in apps that rely on req.protocol
  • Poisoning redirects or cacheable responses when the app templates absolute links using the forwarded host/proto headers

POST /reset-password HTTP/1.1
Host: target.example
X-Forwarded-Host: attacker.example
X-Forwarded-Proto: https
X-Forwarded-For: 127.0.0.1
Content-Type: application/json

{"email":"victim@target.example"}

Check whether generated links, redirect targets, logs, or access-control decisions now use the attacker-supplied values.
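How req.ip ends up attacker-controlled under trust proxy: true, as an added example (not Express or proxy-addr code) that re-implements the hop-walking rule Express applies to X-Forwarded-For for the true / false / hop-count / address-list settings. The address-list form is reduced to exact matches here (real Express also accepts CIDR ranges and names such as "loopback"); the proxy and client addresses are constructed.

```javascript
// Nearest hop first: the socket peer, then the X-Forwarded-For entries read right-to-left.
function forwardedChain(remoteAddr, xffHeader) {
  const entries = xffHeader ? xffHeader.split(',').map(s => s.trim()).filter(Boolean) : [];
  return [remoteAddr].concat(entries.reverse());
}

// Turn a 'trust proxy' setting into a predicate (addr, hopIndex) => boolean.
// true: trust every hop; false/0: trust none; number n: trust the n nearest hops;
// array: trust listed addresses (exact match in this model).
function compileTrust(trust) {
  if (trust === true) return () => true;
  if (!trust) return () => false;
  if (typeof trust === 'number') return (_addr, i) => i < trust;
  if (Array.isArray(trust)) return (addr) => trust.includes(addr);
  throw new TypeError('unsupported trust proxy value in this model');
}

// req.ip: walk outward from the socket and report the first hop that is not trusted.
// If every hop is trusted, the leftmost X-Forwarded-For entry (client-supplied) wins.
function resolveClientIp(remoteAddr, xffHeader, trust) {
  const chain = forwardedChain(remoteAddr, xffHeader);
  const trusted = compileTrust(trust);
  let i = 0;
  while (i < chain.length - 1 && trusted(chain[i], i)) i++;
  return chain[i];
}

// Constructed scenario: the reverse proxy (10.0.0.5) appended the real client 203.0.113.9
// to an X-Forwarded-For header the client had already set to 127.0.0.1.
const PROXY_ADDR = '10.0.0.5';
const XFF_FROM_PROXY = '127.0.0.1, 203.0.113.9';
```

The fix on the application side is a hop count or explicit proxy list rather than true; on the proxy side, overwrite rather than append the forwarding headers for external clients.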

Related pages:

Reset/Forgotten Password Bypass

Cache Poisoning and Cache Deception

express-session Testing Notes

Many Express sites use express-session, which signs the session identifier cookie but keeps the actual state server-side.

Key checks:

  • Session fixation: authenticate using a pre-login cookie and check whether the SID stays the same after login
  • Weak secret rotation: some deployments validate cookies against an array of old secrets, so previously valid signatures may keep working
  • saveUninitialized: true: the application issues pre-authentication sessions to anonymous users, which makes fixation easier and enlarges the session surface for brute force or cache analysis
  • MemoryStore in production usually indicates poor operational maturity and unstable session behaviour across restarts

Practical fixation workflow:

  1. Obtain a guest session cookie from the target.
  2. Deliver that cookie to the victim, or authenticate with it yourself.
  3. Check whether login binds the authenticated state to the existing SID.
  4. If it does, replay the same cookie in a different browser session.

If the app does not call req.session.regenerate() after authentication, fixation is often still possible.

Method Override Tunneling

Some Express apps use method-override to tunnel verbs that HTML forms cannot send natively. When it is enabled, always test whether you can smuggle dangerous methods through a route that the front end, WAF, or CSRF logic assumed was POST-only.

Typical probes:

POST /users/42 HTTP/1.1
Host: target.example
X-HTTP-Method-Override: DELETE
Content-Type: application/x-www-form-urlencoded

confirm=yes

POST /users/42?_method=PUT HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded

role=admin

Interesting impacts:

  • Reaching hidden PUT / PATCH / DELETE routes through a POST-only edge control
  • Bypassing route-specific middleware that only checks req.method
  • Triggering state-changing handlers via CSRF when the application validates only the outer request method

By default the middleware usually overrides POST only, so prioritise POST requests carrying header, body, and query-string override values.
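Why middleware order decides whether the probes above bypass a POST-only check, as an added example (not the method-override package or Express code): a model of the override rule (only POST is rewritten, from the X-HTTP-Method-Override header or the _method query key) and a simulated middleware chain run with the guard before and after the override. The allowed-target list is a hardening choice introduced here, not package behaviour; the request objects are constructed.

```javascript
// Model of method-override: only methods listed in 'methods' (package default: POST) may be
// rewritten, taken from the X-HTTP-Method-Override header or the _method query key.
// 'allowed' restricts the target verbs; the real package accepts any known HTTP method.
function resolveOverride(req, { methods = ['POST'], allowed = ['PUT', 'PATCH', 'DELETE'] } = {}) {
  if (!methods.includes(req.method)) return req.method;
  const raw = (req.headers && req.headers['x-http-method-override']) || (req.query && req.query._method) || '';
  const candidate = String(raw).trim().toUpperCase();
  return allowed.includes(candidate) ? candidate : req.method;
}

// Edge control that admits only POST, judged on whatever req.method it sees at that moment.
function postOnlyGuard(req) { return req.method === 'POST'; }

// Simulated middleware chain. Returns the verb the route handler finally runs with,
// or null when the guard rejected the request.
function dispatch(req, guardBeforeOverride) {
  const r = { ...req };
  if (guardBeforeOverride) {
    if (!postOnlyGuard(r)) return null;
    r.method = resolveOverride(r); // rewritten after the guard already passed the request
    return r.method;
  }
  r.method = resolveOverride(r);   // applied first, so the guard judges the effective verb
  return postOnlyGuard(r) ? r.method : null;
}

// Constructed probes mirroring the two requests above.
const HEADER_PROBE = { method: 'POST', headers: { 'x-http-method-override': 'DELETE' }, query: {} };
const QUERY_PROBE = { method: 'POST', headers: {}, query: { _method: 'put' } };
```

Any check that reads req.method must run after the override middleware, or be evaluated against the tunneled verb; the detection equivalent is logging both the socket-level method and the header/query override value.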
