Services

Service Routes Analysis

routes/service-routes.js

const router = express.Router();

router.use(verifyToken);  // Requires authentication

router.post("/generate", generateQR);

module.exports = router;

Key Observations:

• Single endpoint: POST /api/service/generate

• Requires authentication (verifyToken middleware)

• Calls generateQR function

---

Service Controllers

controllers/service-controllers.js

Contains two functions:

Function	Purpose
validateString	Input validation
generateQR	QR code generation

---

generateQR Function

async function generateQR(req, res) {
  const { text } = req.body;
  const role = req.user?.role;
  
  // Validate input
  if (!validateString(text, `throw new Error('Invalid input for role: ${role}')`)) {
    return res.status(400).json({ error: "Invalid input" });
  }
  
  // Generate QR code
  const qrCode = await QRCode.toDataURL(text);
  return res.json({ qr: qrCode });
}

Data Flow

req.body.text → text
req.user.role → role (from JWT token)
         ↓
  validateString(text, onError)
         ↓
  QRCode.toDataURL(text)
         ↓
    Return QR image

External Package: qrcode

Hovering over QRCode.toDataURL:

"Returns a Data URI containing a representation of the QR Code image"

Note: Testing external packages is usually outside whitebox scope, except for checking public vulnerabilities with npm audit.

---

validateString Function 🚨

function validateString(input, onError) {
  if (
    typeof input !== "string" ||
    input.length == 0 ||
    input.match(/['"`;]/g)
  ) {
    eval(onError);  // 🚨 DANGEROUS
    return false;
  }
  return true;
}

Validation Checks

Check	Purpose
typeof input !== "string"	Must be string type
input.length == 0	Cannot be empty
input.match(/['";]/g)`	Cannot contain ', ", `, ;

Regular Expression Analysis

/['"`;]/g

Matches: Single quote, double quote, backtick, semicolon

Purpose: Filter against exploitation - block "bad characters" before QR generation.

The Vulnerability

eval(onError);
return false;

Problem: onError is passed as a parameter and executed via eval()!

How It's Called

validateString(text, `throw new Error('Invalid input for role: ${role}')`)

Parameters:

• input = text (user-controlled via POST body)

• onError = throw new Error('Invalid input for role: ${role}') (contains role from JWT)

Attack Vector Analysis

Parameter	Source	User Control
text	req.body.text	✅ Direct control
role	req.user.role	⚠️ From JWT token

Question: Can we control role in the JWT token?

---

Vulnerability Summary

validateString Issues

Issue	Severity	Description
eval() usage	🔴 Critical	Executes arbitrary code
User input in eval	🔴 Critical	role ends up in eval
Blacklist filtering	🟡 Medium	Can potentially be bypassed

Attack Chain (Hypothesis)

1. Get JWT token with malicious role
         ↓
2. Call /api/service/generate with invalid text
         ↓
3. validateString fails → triggers eval(onError)
         ↓
4. onError contains our malicious role
         ↓
5. Code execution!

---

Prioritization

Shortlisted Findings

Finding	Type	Priority
eval(onError) in validateString	Code Injection	High
External packages	Public CVEs	Medium

Why High Priority?

• eval() with partially user-controlled input

• Could lead to Remote Code Execution (RCE)

• Requires understanding of JWT token generation

External Package Audit

npm audit

Check for known vulnerabilities in dependencies.

---

Next Steps

1. Local Testing - Set up environment

2. Trace role parameter - How is it generated?

3. Test JWT manipulation - Can we inject into role?

4. Bypass filters - Can we avoid ['";]` regex?

5. Achieve code execution - Exploit eval

---

Key Takeaways

1. eval() is dangerous - Especially with user input

2. Trace all parameters - Even indirect ones (JWT claims)

3. Blacklists can be bypassed - Look for alternatives

4. Authentication ≠ Safe - Authenticated endpoints can still be vulnerable

5. Small codebases - May have fewer findings, but can be critical