Scenario
This lab includes code for a simple web server with a single endpoint /api/resource
that serves files requested by a client from the resources
folder. It also allows a client to request a file in the compressed gzip format.
We need a second set of eyes to review the code and spot any security issues. Put on your hacker thinking hat and discover as many vulnerabilities as you can in the controller.js.
Setup
- Run
npm i
to install required npm packages. - Start server by running
npm start
ornode server.js
. You can also start server in a debug mode (In VS Code, this can be done by opening the server.js in the editor, then pressing F5). - To send HTTP Requests, invoke the client code by running
node client.js
Task:
As part of this lab, your mission is to do a security code review of the controller.js
to spot any vulnerabilities. You do not need to fix it, just note it down to discuss later.
Following are the input values a client request can send to the server -
Endpoint
GET /api/resource
URL Parameters
- filename: (Required) A file name. The server is expected to send files only from the
resources
folder, which containshello.txt
. Hence, setting the value tohello.txt
will serve the fileresources/hello.txt
- compressed: (Optional) set to
true
if the returned file should be in a compressed gzip format. Default: false
Request Headers
In addition, a request takes these HTTP headers:
auth_email
: (Required) Any value in a valid email format, such as: [email protected]auth_client_id
: (Required) The only active client ids areid_x
,id_y
, andid_z
. Server is expected to send file only if the client id header matches to one of these.auth_token
: (Required) A valid token value isbigWombat
.
Example of a Request
Here is an example of the client code making a GET request to fetch the hello.txt
file for a user email [email protected]
and client id id_x
in a compressed format:
//Example of a GET request, getting the hello.txt file for user email [email protected] and client id id_x in a compressed format
var request = require('request');
function doGET() {
request.get({
uri: 'http://localhost:3500/api/resource?filename=hello.txt&compressed=true',
headers: {
'auth_email': '[email protected]'
'auth_client_id': 'id_x',
'auth_token': 'bigWombat'
}
}, function (err, res) {
console.log(res.body);
});
}
doGET();
Feel free to change request params and headers in client.js
to any other values to test the server output.