Created
March 8, 2024 00:43
-
-
Save pi3ch/3ec4a7a8d737982dbb7ffb5148366399 to your computer and use it in GitHub Desktop.
This Node app takes a 'name' parameter from the URL query string and returns a personalised greeting message. However, it seems having a security bug.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "use strict"; | |
| // requirements | |
| const express = require("express"); | |
| // constants | |
| const PORT = process.env.PORT || 8080; | |
| // main express program | |
| const app = express(); | |
| // configurations | |
| app.use(express.json()); | |
| // routes | |
| // health check | |
| app.get("/status", (req, res) => { | |
| res.status(200).end(); | |
| }); | |
| app.head("/status", (req, res) => { | |
| res.status(200).end(); | |
| }); | |
| // Main | |
| app.get("/", (req, res) => { | |
| res.status(200).end("Tell me who to say hello? e.g. /sayHello/?name=alice"); | |
| }); | |
| app.get("/sayHello", (req, res) => { | |
| if (!req.query.name) { | |
| res.status(200).end("Tell me who to say hello? e.g. /sayHello/?name=alice"); | |
| return; | |
| } | |
| const { name } = req.query; | |
| res.status(200).end(`<h1>Hello, ${name}</h1>`); | |
| }); | |
| // Fix to avoid EADDRINUSE during test | |
| if (!module.parent) { | |
| // HTTP listener | |
| app.listen(PORT, (err) => { | |
| if (err) { | |
| console.log(err); | |
| process.exit(1); | |
| } | |
| console.log("Server is listening on port: ".concat(PORT)); | |
| }); | |
| } | |
| // CTRL+c to come to action | |
| process.on("SIGINT", function () { | |
| process.exit(); | |
| }); | |
| module.exports = { app }; | |
| // Try it live: https://play.secdim.com/game/javascript/challenge/xssjs |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment