Simple and vulnerable NodeJS app prone to Cross-Site Scripting (XSS) deployment with Google Cloud App Engine

Penetration Testing Wiki

Simple and vulnerable NodeJS app prone to Cross-Site Scripting (XSS) deployment with Google Cloud App Engine

   Academy    October 6, 2019  |  0

I wrote a little script in node.js for a hands-on lab to test Cross-Site Scriptings (XSS).

You can download it from my github: https://github.com/defensahacker/nodexss

To deploy in Google Cloud App Engine:

$ git clone https://github.com/defensahacker/nodexss.git
$ gcloud init
$ gcloud projects create xss-lab$RANDOM
$ gcloud config set project xss-lab$RANDOM
$ gcloud projects describe xss-lab$RANDOM
$ gcloud app create --project=xss-lab$RANDOM
$ gcloud app deploy
$ gcloud app logs tail -s default

To start the project from a local system:

git clone https://github.com/defensahacker/nodexss.git
docker build -t defensahacker/nodexss:1.3 --no-cache .
docker run --rm -p 8080:8080 -d defensahacker/nodexss:1.3

Now visit the vulnerable website:

http://localhost:8080/?name=world<script>alert(document.cookie);</script>

 

About me

My name is Jacobo Avariento. I got a Master’s Degree in Computer Science and specialized in cybersecurity in 2001. With more than 15 years in the cybersecurity industry as a consultant and penetration tester working for top tier banks, the European Central Bank, pharmaceutical, automotive and gaming companies.

I hold Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) and Certified Blockchain Security Professional (CBSP) certifications.

OSCP Certification

CEH Certification

© 2021 DEFENSAHACKER Academy