EJS, Server side template injection RCE (CVE-2022-29078) - writeup

Note: The objective of this research, or any similar research, is to improve the security level of the Node.js ecosystem. Recently I was working on a related project using one of the most popular Node.js templating engines, Embedded JavaScript templates (EJS). Over the weekend I started to have a look around to see whether the library is vulnerable to server-side template injection. Since the library is open source, we can take a whitebox approach and look at the source code....

April 23, 2022 · 4 min · Me

The unsecure node vm module

As a Node.js developer you should regularly check the Node.js documentation for new modules, new features, or changes to the current API. If you do, you will notice a module called "VM" (executing JavaScript). This is a very interesting module; per the Node.js documentation's definition, "The vm module enables compiling and running code within V8 Virtual Machine contexts". Although the documentation states that "The vm module is not a security mechanism....

November 22, 2020 · 4 min · Me

SSRF vulnerability in Uppy, Detected by Shieldfy

In this post, we will explain how Shieldfy detected an SSRF (server-side request forgery) vulnerability in Uppy, one of the popular packages on npm, diving into the technical details of the vulnerability, its exploitation and the fix. Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It's fast, easy to use and lets you worry about more important problems than building a file uploader. Uppy has more than 130,000 downloads a month....

March 3, 2020 · 2 min · Me

Practical Exploitation of Error Based Sql Injection

Hi everybody, I don't post many write-ups online because most of the work is done privately and under NDA. But this time I decided to publish this (anonymously, after the website owner agreed) because too many developers insist that you can't exploit complicated SQL, or non-result SQL (example: count(*) SQL). Note: You can automate everything in this article using SQLMap, but I chose to exploit it manually to explain the under-the-hood process....

February 20, 2017 · 4 min · Eslam Salem