In this part we will discuss a Command Injection vulnerability in NodeJS code and how we can fix it.

The target application is the file I have uploaded, called "app.js". Let's start with the first step: reviewing the code.

Part 1

So in the code below

(Screenshot of app.js, not reproduced here)

we see that the application uses exec from the child_process module to run a system command. So what is child_process?

From the NodeJS documentation: the child_process module provides the ability to spawn subprocesses in a manner that is similar, but not identical, to popen(3). This capability is primarily provided by the spawn function.

Take the following example (the standard spawn example from the NodeJS docs):

```javascript
const { spawn } = require('child_process');
// program and arguments are passed separately; no shell is involved
const ls = spawn('ls', ['-lh', '/usr']);

ls.stdout.on('data', (data) => {
  console.log(`stdout: ${data}`);
});

ls.stderr.on('data', (data) => {
  console.error(`stderr: ${data}`);
});

ls.on('close', (code) => {
  console.log(`child process exited with code ${code}`);
});
```
Here "ls" is the program and "-lh" and "/usr" are passed as separate arguments, so we only ever get the listing of /usr. That is not where the bug is. The bug is in the application's use of exec: exec takes a single command string and hands it to a shell, and the app builds that string by concatenating user input into it. Because the shell parses the whole string, an attacker does not have to stay inside the intended command. Appending something like `; whoami` to the expected value makes the shell run `whoami` as a second command, which tells us the user the app is running as.

We can do much more than that: open a listener on our own machine, inject a reverse-shell one-liner in the same way, and gain a shell on the server running the application.

Part 2

(Screenshot of the second affected code path in app.js, not reproduced here)

The second code path has the same bug: user input reaches exec with no validation at all.

How can we fix that?

We can use execFile instead of exec, as in the image below. execFile runs the program directly without a shell, so shell metacharacters in the input are no longer interpreted.

(Screenshot of the patched code in VS Code, not reproduced here)

I'm using VS Code, and when I type execFile('identify ' + url, function (err, stdout, stderr) { it auto-completes const { execFile } = require('child_process'); on line 21 of the code.

One detail matters here: execFile's first argument is the program to run, and everything else must go in the arguments array, i.e. execFile('identify', [url], ...), not a concatenated string. Only then is the user input passed as one literal argument. Note also that execFile stops shell injection but not argument injection: an input beginning with "-" is still parsed by identify as an option, so validate the input (for example, allow only http/https URLs) before it reaches any child process. Switching to execFile is the core fix for Command Injection in a NodeJS app, and it should be combined with the following:


1. Don't run your app as root. Use a dedicated low-privilege user so that whatever an attacker manages to execute is limited by that user's permissions.

2. Review as much of the code as you can, and search for every place where user input reaches exec, spawn with shell: true, or any other command execution.

3. Don't forget to keep all your images, web servers, Kubernetes clusters, cloud platforms, etc. up to date.

