Solutions
Solutions
Snyk
Docs Library
Blog
Partners
Home
Snyk Academy
Getting Started with Snyk
Snyk Open Source
Snyk Container
Partner Workshops
Amazon Web Services
Atlassian
CircleCI
Sign up for Snyk
Securing Kubernetes Workloads on AWS
Getting started
Create EKS cluster
CircleCI Configuration
config.yml
Kubernetes manifests
CircleCI Project
Test deployment
Interpret scan results
Exploits
Example 1
Example 2
Example 3
Conclusion
Docker
GitHub
Microsoft Azure
Red Hat
SpringOne Workshop
Integration Guide
IDE plugin
Snyk Connector
Powered by GitBook

Example 1

One of these vulnerabilities is with the st npm package. This is a module for serving static pages. The issue here is that our sample application is using st@0.2.4 and this has a directory traversal vulnerability.

This package is used in our application to serve the about page. If you click on the about page you will notice in the address bar that you are taken to /public/about.html.

A potential attacker that discovers a resource that is static may attempt to escape by typing ../ to escape the present context and see what else may be available. Fortunately, if done through the web browser this is normalized and the command will not reach the server. However, we can bypass this using the command line. Let's walk through a couple of examples that illustrate how you can accomplish this. From the terminal, we will use curl to perform a few steps. If we attempt to browse using ../ we will fail because st will inspect for this and block attempts to list contents using this method.

curl $GOOF_HOST/public/../../../

However, there is a vulnerability in st and that is that if we use the URL encoded version of ../, or %2e, then are be able to browse the directories. 

curl $GOOF_HOST/public/%2e%2e/%2e%2e/%2e%2e/

Let's take a look at this example which demonstrates how this vulnerability would work to escape out and browse the files in /etc as well as some file contents.

In this example, we see how a bad actor could exploit this vulnerability and gain access to sensitive information such as the contents of passwd and further compromise your security.

Previous
Exploits
Next
Example 2
Last updated 7 months ago