TypeScript Snippet #05

This challenge covers the review of a snippet of code written in TypeScript

PRO Tier · Medium · < 1 Hr. · 712

In this code review challenge, you are presented with a TypeScript snippet that includes an Express application. The goal is to identify a security flaw within the code. The code imports several libraries, including Express, EJS for templating, and modules for file system access. It then sets up an Express server and creates a route to handle file downloads. The code attempts to prevent directory traversal attacks by filtering out filenames that contain "..". However, the filter is only applied to query parameters, while the actual file serving reads the filename through an accessor that accepts both GET (query) and POST (body) parameters. This discrepancy allows an attacker to bypass the filter by supplying the filename in the POST body instead of the query string, potentially gaining unauthorized access to files on the server.

The video transcript details each part of the code and highlights the security flaw. Specifically, it points out that the filter function checks req.query.filename, but the file serving uses req.param("filename"), which includes both query and body parameters. This mismatch in parameter sources enables an attacker to exploit the vulnerability by crafting a malicious POST request. The video concludes by explaining that this oversight could allow directory traversal attacks, such as accessing sensitive files like "/etc/passwd".
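The following TypeScript is an added illustration of the mismatch described above; it is not the challenge's own snippet. To run offline it replaces Express with a minimal stand-in request object and a `paramLikeExpress` helper that reproduces the lookup order of the deprecated `req.param()` (route params, then body, then query). The download root `/srv/app/files` and the constructed requests are assumptions. `vulnerableResolve` reproduces the flaw (the `..` check looks only at `req.query`, while the served value may come from the body); `hardenedResolve` validates the same value that is served and checks the resolved path against the download root instead of pattern-matching `..`, which also catches absolute paths.

```typescript
import * as path from "path";

// Minimal stand-in for an Express request (constructed for this example,
// not Express itself): only the three sources req.param() consults.
interface FakeRequest {
  params: Record<string, string | undefined>;
  query: Record<string, string | undefined>;
  body: Record<string, string | undefined>;
}

// Same lookup order as the deprecated Express req.param(name):
// route params first, then body, then query string.
function paramLikeExpress(req: FakeRequest, name: string): string | undefined {
  if (req.params[name] !== undefined) return req.params[name];
  if (req.body[name] !== undefined) return req.body[name];
  return req.query[name];
}

// Assumed download root; posix path handling keeps results deterministic.
const FILES_DIR = "/srv/app/files";

// Vulnerable pattern from the challenge: the ".." filter inspects only the
// query string, but the file actually served comes from req.param(), which
// also reads the POST body. Returns the path that would be served, or null.
function vulnerableResolve(req: FakeRequest): string | null {
  const checked = req.query.filename;
  if (checked !== undefined && checked.includes("..")) return null;
  const served = paramLikeExpress(req, "filename");
  if (served === undefined) return null;
  return path.posix.join(FILES_DIR, served);
}

// Hardened version: validate the exact value that will be served, and
// decide by where the resolved path lands rather than by the presence of
// "..". Absolute filenames and any escape from FILES_DIR are rejected.
function hardenedResolve(req: FakeRequest): string | null {
  const served = paramLikeExpress(req, "filename");
  if (served === undefined) return null;
  const target = path.posix.resolve(FILES_DIR, served);
  const rel = path.posix.relative(FILES_DIR, target);
  const escapes = rel === ".." || rel.startsWith("../") || path.posix.isAbsolute(rel);
  if (rel === "" || escapes) return null; // "" means the root dir itself
  return target;
}

// Constructed sample requests: one traversal via the query string (caught by
// both), one via the POST body (slips past the vulnerable check), one benign.
const viaQuery: FakeRequest = { params: {}, query: { filename: "../../etc/passwd" }, body: {} };
const viaBody: FakeRequest = { params: {}, query: {}, body: { filename: "../../etc/passwd" } };
const benign: FakeRequest = { params: {}, query: {}, body: { filename: "report.pdf" } };

function demo(): Record<string, string | null> {
  return {
    vulnerableViaQuery: vulnerableResolve(viaQuery),
    vulnerableViaBody: vulnerableResolve(viaBody),
    hardenedViaBody: hardenedResolve(viaBody),
    hardenedBenign: hardenedResolve(benign),
  };
}

console.log(demo());
```

Two design points carry over to real Express code: validate the value at the point of use rather than a copy read from a different source, and prefer `express.static`-style root containment checks (resolve, then compare against the root) over denylisting `..`, since encodings and absolute paths can defeat string filters. `req.param()` has been deprecated since Express 4.11 precisely because its merged lookup makes this kind of confusion easy; read `req.query`, `req.body` or `req.params` explicitly.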
