Javascript for bug bounty hunters — part 3
This is a follow up to https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7
Chapter 7: Attacking Meteor.JS
Chapter 7–1: Information gathering
MeteorJS is not only a frontend library it also has its own backend engine to manage the communications. Running the following commands at Chrome’s Devtools will help us to extract some useful information about the server and the working environment
Chapter 7–2: NoSQL Injection at MeteorJS apps
At the first look, this server-side code looks safe however it’s vulnerable to NoSQL Injections attacks https://resources.infosecinstitute.com/what-is-nosql-injection/
From the client-side, this code could be invoked using the following javascript code
This will result in removing the cart with ID=1 (server-side). nothing fancy here, However by default MeteorJS based apps accept NoSQL queries as parameters, and from the server-side code above we saw that cartId is passed directly to the .remove() so by sending (w/Chrom Console) a NoSQL query as follows
Will result in removing all carts with ID ≥ 0 effectively removing all of them. we will use some tools to help us rather than the manual method. A useful chrome extension to help you gather information and discover insecure functions https://chrome.google.com/webstore/detail/meteor-devtools/ippapidnnboiophakmmhkdlchoccbgje?hl=en.
Here is a list of javascript code to test against Metoar js applications
Meteor.users.find().fetch(); // Sometimes returns all usersMeteor.call("CustomName", {$gte: 0}) // NoSQLI case_.each(Router.routes,route=>console.log(route.getName(),route.path())); // List Routers ex. https://example.com/[Router]CollectionName.insert({ key: value }); // NoSQLI InsertCollectionName.remove({ _id: {$regex:".*?"}}); // NoSQLI Remove
Useful resources
Chapter 8: Real-life applications (2)
Chapter 8–1: Authentication Bypass
I’m not allowed to disclose this yet but here is a screenshot from the pending disclosure request
By just running this code at my chrome browser I was able to randomly access users profiles
Chapter 8–2: Server-side Request Forgery
This is also is not allowed to be disclosed ( bugcrowd’s polices for yall ). an SSRF was found at exported function named readResumeFromS3 it was intended to be internal however after some digging at the client-side code I was able to find it. invoking it resulted in a big chunk of data from the internal S3 bucket
> Meteor.call("readResumeFromS3", '', function(e, a) {console.log(e,a)})<- undefined {contentType: "application/xml", fileData: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz…DbGFzcz48L0NvbnRlbnRzPjwvTGlzdEJ1Y2tldFJlc3VsdD4="}
The next article will discuss my general approach when testing a javascript framework and also will include some write-ups :)
