#148 | pen19 – NodeJS Express server directory traversal notes

Hi everybody, today I’ll talk about Express, which is a NodeJS framework used to create web applications and how to abuse it to exploit a directory traversal on some implementations.


Directory traversal

You probably already know what is a directory traversal, but in short, it is based on the ability to use “../”, which goes up a folder. Doing that repeatedly on a file function which does not filter properly its input will lead to the ability to go out the initial folder intended for that function.

Local file include or read are basically exploited using directory traversal.


Express NodeJS vs Apache/Nginx + PHP

On apache and nginx, the web server will automatically handle “../” in http requests to resolve correct files. As such, doing something like “http://attack/test/../file.php” will get “http://attack/file.php”. Because of that, attacks relying on directory traversal are generally made by using a parameter (GET/POST/Cookie/Stored/…).

On Express, since it is considered as the web server, doing the same request will have a different impact. To serve files, some servers will set a route on “files/*” or “download/*” with a file download getting the current url. However, since Express doesn’t handle directory traversal that well, it is possible to do a request such as “GET /files/../server/app.js” to recover the source file of the application.


Express and hidden files

On Express, recovering hidden files can be difficult due to the usage of some specific options. To be able to get hidden files, you’ll generally have to use a special option of file functions, which is generallly “hidden”. I’m not too sure yet on how it works but I was not aware of that.

Leave a Reply

Your email address will not be published.