Giter VIP home page Giter VIP logo

nodejsssti's Introduction

Express with Pug SSTI Example

made-with-javascript built-with-love

This repository provides an example Express application using Pug templates to illustrate Server-Side Template Injection (SSTI) vulnerabilities and a safe implementation.

Installation

  1. Clone this repository:
git clone https://github.com/TheWation/NodeJsSSTI.git
cd NodeJsSSTI
  1. Install dependencies:
npm install

Usage

Run the Application

Start the Express application:

npm start

The application will be running at http://localhost:8000/.

Test SSTI Vulnerability

Visit the application in your browser or through tools like curl or Postman, providing the username parameter in the query string. For example:

http://localhost:8000/?username=%23{10 * 10}

Output:

Welcome 100!

Note: The default implementation is vulnerable to SSTI.

Test Safe Implementation

To test the safe implementation, uncomment the safe template string and comment out the vulnerable one in the app.get route handler in index.js. Restart the application:

npm start

Visit the application again with different username parameters to observe the difference.

Disclaimer

This application is intentionally vulnerable to demonstrate SSTI. Do not use it in a production environment. Always validate and sanitize user input.

License

NodeJsSSTI is made with โ™ฅ by Wation and it's released under the MIT license.

nodejsssti's People

Contributors

thewation avatar

Stargazers

avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.