Authentication

Case Study Overview

Practical whitebox pentesting exercise demonstrating advanced code injection that requires source code access to identify and exploit.

Requirements

• VSCode installed

• Node.js installed

• Source code archive

---

Data Gathering

Scenario

Given code base in archive without further details (minimum requirement for whitebox pentest).

Setup

# Download and extract
wget <archive_url> && unzip intro_to_whitebox_pentesting.zip
cd intro_to_whitebox_pentesting

# Open in VSCode
code .

Project Structure

intro_to_whitebox_pentesting/
├── .vscode/
│   └── launch.json
├── src/
│   ├── controllers/
│   │   ├── auth-controllers.js
│   │   └── service-controllers.js
│   ├── routes/
│   │   ├── auth-routes.js
│   │   └── service-routes.js
│   └── app.js
└── package.json

---

Code Analysis

app.js - Entry Point

// set up express
const app = express();
const port = parseInt("5000");

// set up body parser and cors
app.use(bodyParser.json());

// set up API routes
app.use("/api/auth", authRoutes);
app.use("/api/service", serviceRoutes);

Key Points:

• Express server on port 5000

• JSON body parser → endpoints expect JSON body

• Two route groups: /api/auth and /api/service

Server Startup

// start the Express server
app.listen(port, () => {
  console.log(`⚡️[server]: Server is running at http://localhost:${port}`);
  console.log(`⚡️[api]: APIs are running at http://localhost:${port}/api`);
});

---

Authentication Routes

auth-routes.js

const router = express.Router();
router.post("/authenticate", getUserToken);
module.exports = router;

Endpoint: POST /api/auth/authenticate

---

Authentication Controllers

auth-controllers.js Functions

Function	Purpose	Exported
validateEmail	Validate email format	No (local)
getUserToken	Generate JWT token	Yes
verifyToken	Verify JWT token	Yes

validateEmail

function validateEmail(email) {
  return String(email)
    .toLowerCase()
    .match(/^...SNIP...$/);
}

Simple regex validation for email format.

getUserToken

function getUserToken(req, res) {
  const { email } = req.body;
  
  // Validate email format
  if (!validateEmail(email)) {
    return res.status(400).json({ error: "Invalid email" });
  }
  
  try {
    // Sign JWT token
    const token = jwt.sign(
      {
        email: email,
        role: determineRole(email)
      },
      SECRET_KEY
    );
    return res.json({ token });
  } catch (error) {
    return res.status(500).json({ error: "Token generation failed" });
  }
}

Flow:

1. Get email from POST body (JSON)

2. Validate email format

3. Sign JWT with email and role

4. Return token

verifyToken

function verifyToken(req, res, next) {
  const token = req.headers.authorization;
  
  if (!token) {
    return res.status(403).json({ error: "Unauthorized" });
  }
  
  try {
    const decoded = jwt.verify(token, SECRET_KEY);
    req.user = decoded;
    next();
  } catch (error) {
    return res.status(403).json({ error: "Invalid token" });
  }
}

Flow:

1. Get token from Authorization header

2. If no token → 403 Unauthorized

3. Verify JWT signature

4. Add decoded data to req.user

5. Call next() to proceed

Usage: Middleware for authenticated endpoints

---

Using AI for Code Understanding

VSCode Copilot

Can use AI to:

• ✅ Confirm your understanding

• ✅ Clarify unclear code

• ⚠️ Don't overly rely on it

• ⚠️ Always double-check responses

Example Query

"What does this function do?"

AI explains JWT token generation with email and role claims.

---

Identifying Vulnerable Function

Service Controllers Analysis

Looking at service-controllers.js:

function validateString(input, onError) {
  if (
    typeof input !== "string" ||
    input.length == 0 ||
    input.match(/['"`;]/g)
  ) {
    eval(onError);  // 🚨 VULNERABLE
    return false;
  }
  return true;
}

Why It's Vulnerable

Issue	Description
eval() usage	Executes arbitrary code
User-controlled input	onError parameter
Blacklist filtering	Can be bypassed

Answer

Most likely vulnerable function: validateString

The use of eval() in validateString creates a security vulnerability that could potentially be exploited to execute arbitrary code.

---

Code Review Findings

Authentication (auth-controllers.js)

Function	Status	Notes
validateEmail	✅ Safe	Regex validation
getUserToken	✅ Safe	Proper JWT signing
verifyToken	✅ Safe	Proper JWT verification

Service (service-controllers.js)

Function	Status	Notes
validateString	🚨 VULNERABLE	eval() with user input

---

Next Steps

1. Analyze validateString - Understand full context

2. Trace input flow - How does user input reach eval()?

3. Check filters - Can blacklist be bypassed?

4. Local Testing - Set up environment and test

5. Exploitation - Develop PoC

---

Key Takeaways

1. Start with entry points - app.js shows route structure

2. Follow the code - CMD/CTRL + click in VSCode

3. Look for dangerous functions - eval(), exec(), etc.

4. Understand the flow - How data moves through app

5. Use AI wisely - Confirm, don't rely blindly