Skip to content

Instantly share code, notes, and snippets.

@AdityaChaudhary

AdityaChaudhary/server.js

Last active July 17, 2018 09:06
Show Gist options
  • Save AdityaChaudhary/076f826fbcb5a2cec21552731a59962f to your computer and use it in GitHub Desktop.
Save AdityaChaudhary/076f826fbcb5a2cec21552731a59962f to your computer and use it in GitHub Desktop.
Download ZIP
Node.js insecure deserialization server
Raw
server.js
var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');
var app = express();
app.use(cookieParser())
app.get('/', function(req, res) {
if (req.cookies.profile) {
var str = new Buffer(req.cookies.profile, 'base64').toString();
var obj = serialize.unserialize(str);
if (obj.username) {
res.send("Hello " + escape(obj.username));
}
} else {
res.cookie('profile', "eyJ1c2VybmFtZSI6IkFkaXR5YSIsImNvdW50cnkiOiJpbmRpYSIsImNpdHkiOiJEZWxoaSJ9", {
maxAge: 900000,
httpOnly: true
});
}
res.send("Hello World");
});
app.listen(3000);
console.log("Listening on port 3000...");
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment