Open bizob2828 opened 7 months ago
@bizob2828 Although IAST agent is designed is such a way which can expose unhandled exceptions. We will take a look into it.
@shashank34 I confirmed with the security agent team that the reason your application is crashing is because you have a no-sql injection. The offending code is here. I'll let @sumitsuthar and team follow up with any more details.
how come in v11 , on previous v10 its working fine , no malformed request made
Hi, @shashank34 could you please provide us more details about the system configuration (CPU and memory). Is the crash happening with standalone node.js process or running with pm2? is process crashes with heap out of memory? it would be great if you can provide your run command. Also need to confirm are you limiting memory/CPU to node.js process?
We explored the application and got some interesting results. IAST exposed a nosql injection vulnerability in the application. This is serious and should be taken care. I am including the result. The crashing of the application is equally serious vulnerability as IAST has shown that a malicious attacker can easily crash the application and cause DOS attack. We need some more analysis to track which data is not correctly handled by the user application.
Note: This original description has been edited to provide specific information to the security agent team. I'm logging this on behalf of a community member. The original issue was here
Description
Running this application with the security agent causes Node.js to crash. It does not crash when using v10 of the agent.
Steps to Reproduce
npm install
npm start
Expected Result
fuzzing occurs, no crashes
Actual Results
Application eventually crashes with: