Jul 8, 2014

Vulnerability Disclosure for Node.js Applications - CashCube and WEPL

This post is about two Server Side JS injection vulnerabilities that I found in CashCube, a node.js application which does personal money management and WEPL, a node.js based REPL.

In CashCube, the vulnerability is due to the use of unsanitized input in the eval command, this enables the attacker to pass arbitrary commands to the server. Can lead to shutdown of server or even deletion of files from the server filesystem. The details of the disclosure are on the github issue.

In WEPL, the vulnerability is due to a similar reason with the http request query parameter methodBody. The query parameter is directly passed to the eval function on the server side leading to possibility of command injection. The details of the disclosure are on the github issue