// Copyright 2022 Google LLC.
// SPDX-License-Identifier: Apache-2.0
import { randomBytes } from "node:crypto";
import catNames from "cat-names";
import express from "express";
import session from "express-session";
import nunjucks from "nunjucks";
// Returns an integer in the inclusive range [min, max].
// Uses Math.random(), which is NOT cryptographically secure — only suitable
// for cosmetic values such as the demo account balance, never for secrets.
function randomBetween(min, max) {
  const bucketCount = max - min + 1;
  const scaled = Math.random() * bucketCount + min;
  return Math.floor(scaled);
}
// Express middleware guarding routes that need a logged-in session.
// A request with `req.session.user` set continues to the next handler;
// anything else is bounced to the public /bank page.
function loginRequired(req, res, next) {
  const signedIn = Boolean(req.session.user);
  if (!signedIn) {
    return res.redirect("/bank");
  }
  return next();
}
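// Builds and starts the demo bank on `port`. There is no real authentication:
// GET /bank/login mints a throwaway account in the session, seeded with a
// stored-XSS payload so the workshop fixes (numbered 1-4 below) can be tested.
function bankServer(port) {
  const defaultReferenceMessage = "From online banking";
  // The only two transaction lists a session holds. Used to allowlist the
  // `:type` path parameter so it can never index arbitrary object properties.
  const transactionTypes = new Set(["moneyIn", "moneyOut"]);
  const app = express();
  // Fix 4 (information disclosure): stop advertising the framework in every response.
  app.disable("x-powered-by");
  app.use("/assets", express.static("assets"));
  // NOTE(review): this serves the whole node_modules tree (every installed
  // package and its package.json) to clients — acceptable for the demo only.
  app.use("/assets/node_modules", express.static("node_modules"));
  app.use(express.urlencoded({ extended: false }));
  app.use(
    session({
      // The previous hard-coded secret ("abc") let anyone forge a signed
      // session cookie. Take it from the environment, falling back to a
      // per-process random value (sessions reset on restart; fine for a demo).
      secret: process.env.SESSION_SECRET ?? randomBytes(32).toString("hex"),
      resave: true,
      saveUninitialized: true,
      // Fix 3 (cookies): keep the session cookie out of reach of page scripts
      // (httpOnly) and off cross-site requests (sameSite), which also blocks
      // CSRF against POST /bank/send. Add `secure: true` once served over TLS;
      // the demo runs on plain http://localhost, where it would drop the cookie.
      cookie: {
        httpOnly: true,
        sameSite: "lax",
      },
    })
  );
  app.use((req, res, next) => {
    res.locals.user = req.session.user;
    next();
  });
  app.use((req, res, next) => {
    // Fix 1 (clickjacking): refuse to be framed — legacy header plus the CSP
    // `frame-ancestors` directive modern browsers honour.
    res.setHeader("X-Frame-Options", "DENY");
    // Fix 2 (XSS): only execute scripts served from this origin. Inline
    // handlers such as the seeded `onerror=` payload are blocked. If the
    // html/bank templates rely on inline <script>/<style>, move them under
    // /assets (or add nonces) rather than loosening this policy.
    res.setHeader(
      "Content-Security-Policy",
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    );
    res.setHeader("X-Content-Type-Options", "nosniff");
    next();
  });
  nunjucks.configure("html/bank", {
    autoescape: true,
    express: app,
    noCache: true,
  });
  app.get("/", (req, res) => {
    res.redirect("/bank");
  });
  app.get(
    "/bank/get-transaction-message/:type/:id",
    loginRequired,
    (req, res) => {
      const { type, id } = req.params;
      // Both parameters are attacker-controlled. Previously an unknown `type`
      // indexed the transactions object directly (e.g. "constructor") and an
      // unknown `id` made `.find` return undefined; either way the destructure
      // threw and Express's default error page leaked a stack trace.
      if (!transactionTypes.has(type)) {
        return res.sendStatus(404);
      }
      const wantedId = Number.parseInt(id, 10);
      const transaction = req.session.user.transactions[type].find(
        (candidate) => candidate.id === wantedId
      );
      if (!transaction) {
        return res.sendStatus(404);
      }
      // The reference is user-supplied text. Declare it as plain text so a
      // browser that opens this URL directly never renders it as HTML; the
      // body itself is unchanged.
      return res.type("text/plain").send(transaction.reference);
    }
  );
  app.get("/bank", (req, res) => {
    res.render("bank-home.html", {
      title: "Bank home",
    });
  });
  app.get("/bank/send", loginRequired, (req, res) => {
    res.render("send-money.html", {
      title: "Send money",
      exampleFriend: catNames.random(),
      defaultReference: defaultReferenceMessage,
    });
  });
  app.get("/bank/transactions", loginRequired, (req, res) => {
    res.render("transactions.html", {
      title: "Transactions",
      transactions: req.session.user.transactions,
    });
  });
  app.post("/bank/send", loginRequired, (req, res) => {
    const { name, reference: referenceMessage } = req.body;
    // With `extended: false`, a repeated form field arrives as an array;
    // only accept plain strings into the transaction record.
    if (typeof name !== "string" || typeof referenceMessage !== "string") {
      return res.redirect("/bank");
    }
    const amountToSend = Number.parseInt(req.body.amount, 10);
    // Reject NaN, zero and — previously accepted — negative amounts, which
    // would have *credited* the sender's balance.
    if (!Number.isInteger(amountToSend) || amountToSend <= 0) {
      return res.redirect("/bank");
    }
    const { moneyOut } = req.session.user.transactions;
    moneyOut.push({
      id: moneyOut.length + 1,
      name,
      amount: amountToSend,
      reference: referenceMessage,
    });
    req.session.user.balance -= amountToSend;
    return res.redirect("/bank");
  });
  app.get("/bank/login", (req, res) => {
    if (req.session.user) {
      return res.redirect("/bank");
    }
    // Deliberately seeded stored-XSS payload: a transaction reference that
    // closes its <span> and, if rendered as HTML, pops an alert and POSTs a
    // transfer to "Attacker" using the victim's own session. The CSP above is
    // what keeps the inline handler from executing. Keep the literals as-is.
    const maliciousMoney = `fetch('/bank/send',{headers:{'content-type':'application/x-www-form-urlencoded'},body:'name=Attacker&amount=4&reference=Via+XSS+⚠️',method:'POST'});`;
    const xss = `Fake message</span><img src="nope" onerror="alert('XSS successful!');${maliciousMoney}" />`;
    req.session.user = {
      balance: randomBetween(8, 60),
      name: catNames.random(),
      transactions: {
        moneyIn: [
          {
            id: 1,
            name: "Friend",
            amount: 3,
            reference: defaultReferenceMessage,
          },
          {
            id: 2,
            name: "Attacker",
            amount: 1,
            reference: xss,
          },
        ],
        moneyOut: [],
      },
    };
    return res.redirect("/bank");
  });
  app.get("/bank/logout", (req, res) => {
    // Destroy the server-side session rather than just clearing `user`, so the
    // old session id cannot be reused after logout.
    req.session.destroy(() => res.redirect("/bank"));
  });
  // Fix 4 (information disclosure): without these, an unmatched route or an
  // unhandled exception fell through to Express's defaults, which (outside
  // NODE_ENV=production) echo the stack trace — file paths and line numbers —
  // back to the client. Log server-side, answer with a bare status code.
  app.use((req, res) => {
    res.sendStatus(404);
  });
  // eslint-disable-next-line no-unused-vars -- Express keys error handlers on the 4-arg signature
  app.use((err, req, res, next) => {
    console.error(err);
    res.sendStatus(500);
  });
  app.listen(port, () => {
    console.log(`Bank Server Started: Use: http://localhost:${port}`);
  });
}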
export default bankServer;