Interesting Vulnerability in express.bodyParser [Node.js]

December 13, 2013

HTML code:

<!DOCTYPE html>
<meta charset="utf-8" />
<title>Please login!</title>
<div id="contact">
<h1>Send an email</h1>
<form action="http://application.nodejs/authenticate" method="post">
<label for="username">Username:</label>
<input type="text" id="username" name="username" placeholder="Username" />
<label for="password">Password:</label>
<input type="password" id="password" autocomplete="off" />
<input type="submit" value="Authenticate" />
</form>
</div>

Node.js code:

var express = require('express');
var app = express();

app.use(express.bodyParser());
app.post('/authenticate', function(req, res) {
  // Handler body is not shown in the original post.
});
app.listen(80, function() {
  console.log('Server running...');
});

The information given in the code is very limited. The code for authenticate may be necessary for deeper testing, but there is one server vulnerability which can lead to a server crash or hang.

Possible vulnerability classification
1) Filling up the entire TMP disk space.

Explanation for vulnerability 1:
First, the above code looks innocent. However, this is a very common type of vulnerability, which is known by most developers. In the above code we are using express.bodyParser in line number 1, and it is vulnerable to an attack that creates an unlimited number of files on the server. This can fill up the disk and lead to unwanted memory consumption, possibly hanging the server.

Second, on line number 4 we are using app.use(express.bodyParser()); this leads to tmp files being uploaded to the server for every POST request. For instance, to test the vulnerability, try executing the above vulnerable code.

Before execution, check the tmp file count.
Step 1:
g4h-root$ ls /tmp | wc -l

Step 2:
$ curl -X POST -F test=@tmp/test.p http://localhost/check


wget --post-file=@tmp/test.p http://localhost/check

Step 3:
g4h-root$ ls /tmp | wc -l
1337 (Count is increased)

Mitigation of vulnerability 1:
1) This method is deprecated in express.js; a common mitigation is to delete the TMP files every time the code is executed.
2) Avoid using bodyParser and try to use the defer option in the multipart middleware.
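
The first mitigation written as a Connect-style middleware, added here as an example; it is not code from the original post or from Express. It assumes bodyParser exposes each upload on req.files with a `path` property (one object per field, or an array), and the names uploadedPaths, removeUploads and cleanupUploads are hypothetical.

```javascript
// Added example. Assumes Express 3's bodyParser, which exposes uploads on
// req.files as { field: file | [file, ...] }, each file carrying a `path`.
const fs = require('fs');

// Collect every temp-file path the multipart parser recorded for a request.
function uploadedPaths(files) {
  const paths = [];
  Object.keys(files || {}).forEach(function (field) {
    // A field holds one file object, or an array when the field repeats.
    [].concat(files[field]).forEach(function (file) {
      if (file && typeof file.path === 'string') paths.push(file.path);
    });
  });
  return paths;
}

// Delete the request's temp files; returns how many were actually removed.
function removeUploads(req) {
  let removed = 0;
  uploadedPaths(req.files).forEach(function (p) {
    try {
      fs.unlinkSync(p); // sync keeps the example deterministic
      removed += 1;
    } catch (err) {
      // ENOENT means the handler already moved or deleted the file.
      if (err.code !== 'ENOENT') console.error('upload cleanup failed:', p, err.code);
    }
  });
  return removed;
}

// Middleware: clean up when the response ends, for every request that
// passes through it, including ones that no route handles.
function cleanupUploads(req, res, next) {
  let done = false;
  function cleanup() {
    if (done) return; // 'finish' and 'close' can both fire
    done = true;
    removeUploads(req);
  }
  res.once('finish', cleanup); // response fully sent
  res.once('close', cleanup);  // client disconnected early
  next();
}

// Hypothetical wiring for the app shown above:
//   app.use(express.bodyParser());
//   app.use(cleanupUploads);
```

This only stops files from accumulating across requests; an upload still sits on disk until its response ends, so it complements the second mitigation rather than replacing it.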

Check out more details of this vulnerability here:
