Open valvolineford opened 4 years ago
Vulnerability ID: KQSI-8BCB-VHTG-A5MZ
Application Name: AgentMessageGeneratorNode
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/d944b35a-2925-43da-a27b-0fa1fac7d8aa/vulns/KQSI-8BCB-VHTG-A5MZ
We tracked the following data from Untrusted Sources:
GET /serialization/node-serialize/hello
...which was accessed within the following code:
global.unmakeCookie(), line 69
... and ended up in this dynamic evaluation call:
((0))
Stack:
    global.getCookieValue(/app/vulnerabilities/serialization/index.js:61)
    global.(/app/vulnerabilities/serialization/index.js:36)
    Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
    next(/app/node_modules/express/lib/router/route.js:138)
    Route.dispatch(/app/node_modules/express/lib/router/route.js:113)
    Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
    (/app/node_modules/express/lib/router/index.js:279)
    Function.process_params(/app/node_modules/express/lib/router/index.js:332)
    next(/app/node_modules/express/lib/router/index.js:273)
    Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
    trim_prefix(/app/node_modules/express/lib/router/index.js:314)
    (/app/node_modules/express/lib/router/index.js:282)
    Function.process_params(/app/node_modules/express/lib/router/index.js:332)
    next(/app/node_modules/express/lib/router/index.js:273)
Stack:
    global.exports.unserialize(/app/node_modules/node-serialize/lib/serialize.js:76)
    global.unmakeCookie(/app/vulnerabilities/serialization/index.js:69)
    global.getCookieValue(/app/vulnerabilities/serialization/index.js:61)
    global.(/app/vulnerabilities/serialization/index.js:36)
    Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
    next(/app/node_modules/express/lib/router/route.js:138)
    Route.dispatch(/app/node_modules/express/lib/router/route.js:113)
    Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
    (/app/node_modules/express/lib/router/index.js:279)
    Function.process_params(/app/node_modules/express/lib/router/index.js:332)
    next(/app/node_modules/express/lib/router/index.js:273)
GET http://20.42.27.158:8004/serialization/node-serialize/hello HTTP/1.1
Accept-Encoding: identity
Cookie: name=%257B%2522name%2522%253A%2522_$$NDFUNC$$(0)%2522%257D
Host: 20.42.27.158:8004
X-Screener-Uuid: f0f365af-170d-41ef-828d-fa61cdd77e1b
https://www.owasp.org/index.php/Top_10_2013-A1-Injection