Node.js Package Vulnerability Scanning and Vulnerability Test Attacks

Source: Internet
Author: User

A typical Node application can depend on hundreds or even thousands of packages, most of them indirect (installing one package pulls in many others it relies on), so in the end the code you write yourself is tiny compared with the code you depend on. Pulling that many packages into an application also brings unpredictable risks: do we know whether these packages are safe, and even if the package we install is safe, are the third-party packages it in turn pulls in safe as well? If not, each of these hidden weaknesses becomes a small backdoor into the application that an attacker can walk through at will. So we need a tool that scans these packages for vulnerabilities and lowers the chance that the application gets compromised. Here I recommend the one I am currently using, Snyk (https://snyk.io/). It can detect vulnerabilities in our application in two ways.

The first is to import the project directly from a code repository; the currently supported repository hosts are shown in the screenshot. This way is more cumbersome but more intuitive. Choose your repository host, GitHub in this example, then select the account you want to add and the repository that needs to be scanned. If it is a Node.js project Snyk associates it automatically; if it does not, click where you added the file to generate a test report. "View report and fix" shows the detailed report and then lets you fix the issues according to the suggested fix, which is basically applying updated patches. If there is no fix available, you can ask the package author how to fix the vulnerability yourself. If you enable automatic scanning, Snyk scans the application's package.json and sends an email notification whenever a new vulnerability appears, so it can be fixed promptly.
The second method is quicker and simpler. Open iTerm (any other terminal works; iTerm is just the example here) and install the Snyk command-line tool:

npm install -g snyk

After the installation succeeds, enter the root directory of the Node app and run:

snyk test

This prints the list of vulnerabilities. Then run:

snyk wizard

to fix them. Generally, choosing the first option, which fixes the vulnerability by updating dependencies, is enough, followed by one more fix.

Both methods are now covered. Next we take a few of the reported vulnerabilities and test how they can be exploited, using the demo Node project (https://github.com/wjszxli/goof).

1. Directory traversal with the st module. st is middleware that serves static files such as our JavaScript, CSS and image files. The module information, the place in the example project where it is used, and the detected vulnerability details are shown in the screenshots. Now we imitate the attack. First we request the about page in iTerm and get its source. Then we try to break out of the static folder: a normalized path containing ".." is filtered out, but the URL-encoded form works and returns a file from the project root. From there, getting the source of any file is easy; for example, we fetch the content of db.js with a single request. Moving on to other folders on the server, an attacker can read any file the node process has access to.

2. Cross-site scripting (XSS) with marked. The module information and the detected vulnerability details are shown in the screenshots. The tab uses marked, so we try it there. First we enter <script>alert(1)</script>; this case is handled. Then we create a link in Markdown format, entering [gotcha](javascript:alert(1)), to see what happens: it does not work, marked handles it. Then we try escaping so that marked has to escape it. No luck. Finally I enter [Gotcha](javascript&#58this;alert(1&#41;), and this time there is a reaction: clicking the link really works!
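The st finding above comes down to the order of operations: checking the raw URL for ".." before percent-decoding lets "%2e%2e" through. The following is an added example (not code from st, the goof demo or the original post) that puts a naive check next to a hardened one; STATIC_ROOT is a constructed path.

```javascript
const path = require("path");

// Root directory we intend to serve from (constructed for this example).
const STATIC_ROOT = path.resolve("/srv/app/public");

// Naive filter, illustrating the bypass the post observed: it looks for a
// literal ".." segment in the raw request path and only decodes afterwards.
// "/%2e%2e/db.js" contains no literal "..", so it passes the check and the
// decoded path then escapes the root.
function naiveResolve(urlPath) {
  if (urlPath.split("/").includes("..")) return null;
  return path.resolve(path.join(STATIC_ROOT, decodeURIComponent(urlPath)));
}

// Hardened version: decode first (that is the form the file system sees),
// reject NUL bytes, let path.join normalise any ".." segments, and then
// check that the resolved absolute path is still inside STATIC_ROOT instead
// of pattern-matching the string. A double-encoded "%252e" decodes once to
// the literal filename "%2e", which is harmless.
function safeResolve(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return null; // malformed percent-encoding such as "/%"
  }
  if (decoded.includes("\0")) return null;
  const resolved = path.resolve(path.join(STATIC_ROOT, decoded));
  const inside =
    resolved === STATIC_ROOT || resolved.startsWith(STATIC_ROOT + path.sep);
  return inside ? resolved : null;
}

// Shows for one request path which of the two checks lets it out of the root.
function compare(urlPath) {
  return { naive: naiveResolve(urlPath), safe: safeResolve(urlPath) };
}

if (require.main === module) {
  for (const p of ["/about.html", "/../db.js", "/%2e%2e/db.js", "/css/../about.html"]) {
    console.log(p, compare(p));
  }
}
```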
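The marked finding above works because the ":" and ")" are hidden behind the HTML entities &#58 and &#41;, so a filter that looks for the literal "javascript:" in the raw link target misses them while the browser decodes them inside href= later. The following is an added example, not marked's own code, of a small link renderer whose scheme allowlist runs on the fully decoded target; the entity decoder and the example inputs are constructed here.

```javascript
// Decode numeric (&#58 / &#x3A;) and a few named entities. Numeric refs are
// matched with or without the trailing ";", which is how browsers treat them.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] !== "#") return named[body.toLowerCase()] || m;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist the scheme of the *decoded* target. The WHATWG URL parser also
// lowercases the scheme and strips tabs, newlines and leading whitespace, so
// "JaVaScRiPt:" and "java\tscript:" end up as "javascript:" and are rejected.
function isSafeHref(rawTarget) {
  let url;
  try {
    url = new URL(decodeEntities(rawTarget), "https://example.invalid/"); // base only for relative links
  } catch (e) {
    return false;
  }
  return ["http:", "https:", "mailto:"].includes(url.protocol);
}

// Render inline [text](target) links; everything else is HTML-escaped. An
// unsafe target is dropped and only the escaped link text is emitted, so the
// <script> input from the post comes out as harmless text as well.
function renderLinks(markdown) {
  const re = /\[([^\]]*)\]\(([^)]*)\)/g;
  const out = [];
  let last = 0, m;
  while ((m = re.exec(markdown)) !== null) {
    out.push(escapeHtml(markdown.slice(last, m.index)));
    const text = escapeHtml(m[1]);
    out.push(isSafeHref(m[2]) ? `<a href="${escapeHtml(decodeEntities(m[2]))}">${text}</a>` : text);
    last = m.index + m[0].length;
  }
  out.push(escapeHtml(markdown.slice(last)));
  return out.join("");
}
```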
