Example 1

One of these vulnerabilities is with the st npm package. This is a module for serving static pages. The issue here is that our sample application is using st@0.2.4 and this has a directory traversal vulnerability.

This package is used in our application to serve the about page. If you click on the about page you will notice in the address bar that you are taken to /public/about.html.

An attacker who discovers a statically served resource may append ../ to the path in an attempt to escape the current directory and see what else is available. If this is typed into a web browser, the browser normalizes the path before sending the request, so the traversal never reaches the server. It can, however, be sent directly from the command line. Let's walk through a couple of examples using curl from the terminal. If we try to browse using a literal ../, the request fails, because st inspects the path for this sequence and blocks attempts to list contents this way.

curl $GOOF_HOST/public/../../../

However, the vulnerability in st@0.2.4 is that the check only looks for the literal sequence. If we send the URL-encoded form of ../ instead (each dot as %2e, so %2e%2e/), the check is bypassed and we are able to browse the directories above the served folder.

curl $GOOF_HOST/public/%2e%2e/%2e%2e/%2e%2e/

Let's take a look at an example that demonstrates how this vulnerability can be used to escape the served directory, browse the files in /etc, and read some of their contents.

In this example, we see how a bad actor could exploit this vulnerability to gain access to sensitive information, such as the contents of /etc/passwd, and use it to further compromise your security.