Create app.js #3
Conversation
scw-examples
left a comment
scw-examples
left a comment
There was a problem hiding this comment.
Found some security issues in this PR. Please fix and resubmit.
|
|
||
| app.get('/', (req, res) => res.send('Hello World!')) | ||
| app.get('/foo/:id', (req, res) => { | ||
| eval('console.log("something", ' + req.params.id + ')'); |
There was a problem hiding this comment.
This looks like it might be vulnerable to code injection
There was a problem hiding this comment.
Micro-Learning Topic: Code injection (Detected by phrase)
Matched on "code injection"
Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.
Try this challenge in Secure Code Warrior
| app.get('/', (req, res) => res.send('Hello World!')) | ||
| app.get('/foo/:id', (req, res) => { | ||
| eval('console.log("something", ' + req.params.id + ')'); | ||
| res.send(`Hello ${req.params.id}`) |
There was a problem hiding this comment.
Could this be a cross-site scripting issue?
There was a problem hiding this comment.
Micro-Learning Topic: Cross-site scripting (Detected by phrase)
Matched on "cross-site scripting"
Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.
No description provided.