Introduction

I am instructed to investigate Frost Tower's website for security issues. Luckily for me, as this is not a black-box penetration testing, I am given a copy of the source code! That's always nice to hear. Given the source code, am I able to break in? This challenge proved more difficult than it seemed, though it also illustrated just how much damage can be done with just one simple entry point. Can I pwn the entire site, especially given the source code? Come on along with me and find out!

The source code was provided as a downloadable zip file that contained all of the files necessary to run the website. The site was built upon the NodeJS backend using ExpressJS as the model-view-controller framework. All the assets were presented to me (except for one, which I will get to much later), but I will link the following items here for reference.

The server.js file contained a majority of the code I reviewed, outlining all of the endpoints the server will respond on. modconnection.js was a custom module that simply initiated the connection to the MySQL database that was referenced and exported the object so that it can be used, and encontact_db.sql was a SQL file outlining the structure of the database.

• The main server.js file
• The modconnection.js file
• The encontact_db.sql file

So, with keeping all that in mind, here are a few takeaways I can gather from the files in question.

Upon initial inspection, there doesn't seem to be any sort of function or directive that utilizes a straight system call, so it doesn't appear that I can initiate any sort of command injection attack here. There is also the capability of sending an email, though it seems all of the code responsible for actually sending email is commented out. Another aspect I noticed of the code is that it seems to be fairly reliant on database calls, as well as client sessions. Nothing seems to stand out (initially) as a means of anything being SQL-injectable, though it does seem like the author haphazardly switches between using the escape() function and Q-Mark styles for safe insertion, but even with that nothing seemed to immediately stand out. So let's start mapping out what we know!