Scenario
This lab includes code for a simple web server with a single endpoint /api/resource that serves files requested by a client from the resources folder. It also allows a client to request a file in the compressed gzip format.
We need a second set of eyes to review the code and spot any security issues. Put on your hacker thinking hat and discover as many vulnerabilities as you can in the controller.js.
Setup
- Run
npm ito install required npm packages. - Start server by running
npm startornode server.js. You can also start server in a debug mode (In VS Code, this can be done by opening the server.js in the editor, then pressing F5). - To send HTTP Requests, invoke the client code by running
node client.js
Task:
As part of this lab, your mission is to do a security code review of the controller.js to spot any vulnerabilities. You do not need to fix it, just note it down to discuss later.
Following are the input values a client request can send to the server -
Endpoint
GET /api/resource
URL Parameters
- filename: (Required) A file name. The server is expected to send files only from the
resourcesfolder, which containshello.txt. Hence, setting the value tohello.txtwill serve the fileresources/hello.txt - compressed: (Optional) set to
trueif the returned file should be in a compressed gzip format. Default: false
Request Headers
In addition, a request takes these HTTP headers:
auth_email: (Required) Any value in a valid email format, such as: user@client.comauth_client_id: (Required) The only active client ids areid_x,id_y, andid_z. Server is expected to send file only if the client id header matches to one of these.auth_token: (Required) A valid token value isbigWombat.
Example of a Request
Here is an example of the client code making a GET request to fetch the hello.txt file for a user email user@client.com and client id id_x in a compressed format:
//Example of a GET request, getting the hello.txt file for user email user@client.com and client id id_x in a compressed format
var request = require('request');
function doGET() {
request.get({
uri: 'http://localhost:3500/api/resource?filename=hello.txt&compressed=true',
headers: {
'auth_email': 'user@client.com'
'auth_client_id': 'id_x',
'auth_token': 'bigWombat'
}
}, function (err, res) {
console.log(res.body);
});
}
doGET();Feel free to change request params and headers in client.js to any other values to test the server output.