When I am trying to find vulnerabilities in web applications, I always perform fuzzing of all HTTP parameters, and sometimes it gives me something interesting:
The demo.paypal.com server was responding differently to '\' and '%0a' requests, throwing a 'syntax error' in the response, while for single quote, double quote and other characters it responded with HTTP 200 OK.
From the error messages I found out that the PayPal Node.js application uses Dust.js.
The old version of Dust.js supports "if" helpers, which you can use in your code like this:
Yeah, why not? It's a simple and elegant solution.
Which throws a syntax error.
Hmmm, but what if the 's' parameter is not a string? In Node.js we can send a request like paypal.com/?device=1&device=2 and the 'device' parameter will be parsed by the qs module as an Array instead of a string.
I quickly made a request to https://_demo.paypal.com/demo/navigation?device=&device=' and when the server responded with 'syntax error' my chair started to shake under me.
I am a bit friendly with Node.js, so it took me a few minutes to craft a test payload that sends the '/etc/passwd' file to my server.
This string was worth $10.000 for me.