Planning

Overview

With code review complete and functions shortlisted, we now set up the web application locally for testing.

Setting Up Local Environment

Scenario

Provided: Source code + instructions
Backend: Debian-based Linux
No VM/Docker provided

Note: If using Windows, run on Linux VM or PwnBox to match production.

Installation

# Navigate to project
cd ./intro_to_whitebox_pentesting

# Install dependencies
npm install

Running the Application

npm run dev

Output:

> academy_intro_to_whitebox_pentesting@1.0.0 dev
> nodemon src/app.js

[nodemon] 3.0.1
[nodemon] watching path(s): *.*
[nodemon] watching extensions: js,mjs,cjs,json
[nodemon] starting `node src/app.js`
⚡️[server]: Server is running at http://localhost:5000
⚡️[api]: APIs are running at http://localhost:5000/api

Verify Application Works

curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@test.com"}' \
  http://localhost:5000/api/auth/authenticate

Response:

{"token":"eyJhbGciOiJIU...SNIP...KmC7FqcwI4JOLiiI6aaN_feUY"}

✅ Application running correctly!

Checking for Public Vulnerabilities

npm audit

npm audit

Output:

found 0 vulnerabilities

If Vulnerabilities Found

Update Type

Action

Patch (x.x.X)

Safe to update

Minor (x.X.0)

Usually safe

Major (X.0.0)

May have breaking changes

Note: Major updates may require code changes - recommend developers implement.

Testing validateString

Test /api/service/generate Endpoint

# Get token first
TOKEN=$(curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@test.com"}' \
  http://localhost:5000/api/auth/authenticate | jq -r '.token')

# Call generate endpoint
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"text": "this is a test"}' \
  http://localhost:5000/api/service/generate

Response:

<img src="data:image/png;base64,iVBORw0KGgo...SNIP...5ErkJggg==" alt="QR Code" />

✅ QR code generated successfully!

Tip: To preview QR code, save to HTML file and open in browser.

Debugging with VSCode

Run in Debug Mode

Open Run and Debug tab in VSCode
Click Run icon next to "Launch Program"
Bottom bar turns red = debug mode active

Add Breakpoint

Open controllers/service-controllers.js
Click on line number (or Shift+F9)
Red dot appears = breakpoint enabled

Breakpoint on validateString (Line 4)

function validateString(input, onError) {
  if (  // ← Breakpoint here
    typeof input !== "string" ||
    input.length == 0 ||
    input.match(/['"`;]/g)
  ) {

Re-send Request

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"text": "this is a test"}' \
  http://localhost:5000/api/service/generate

Application breaks at breakpoint!

Inspect Variables

In VARIABLES pane:

input: "this is a test"
onError: "throw new Error('Invalid input for role: user')"

Breakpoint on Line 20 (generateQR)

Add Breakpoint

Line 20 in service-controllers.js (after try {):

async function generateQR(req, res) {
  const { text } = req.body;
  const role = req.user?.role;

  try {  // ← Breakpoint after this

Inspect Variables

Variable

Value

text

"this is a test"

role

"user"

req.user

{ email: "test@test.com", role: "user", ... }

Answer: The value of role is user

Debug Workflow Summary

1. Run app in debug mode (VSCode)
         ↓
2. Add breakpoints at target functions
         ↓
3. Send test requests
         ↓
4. Inspect variables when breakpoint hits
         ↓
5. Step through code to understand flow
         ↓
6. Identify injection points

VSCode Debug Controls

Button

Action

▶️ Continue

Resume execution

⏭️ Step Over

Execute next line

⏬ Step Into

Enter function call

⏫ Step Out

Exit current function

🔄 Restart

Restart debugging

⏹️ Stop

Stop debugging

Key Findings So Far

Observation

Implication

role comes from JWT

Need to control JWT to inject

role = "user" for test@test.com

Role determined by email

onError contains role

Injection via role → eval

No public CVEs

Must exploit custom code

Next Steps

Understand eval injection - How to exploit eval()
Control the role - How is role determined?
Craft payload - Bypass filters, achieve execution
Test exploitation - Confirm vulnerability

Previous[Local Testing Case Study]NextEval Injection

Last updated 1 month ago

hashtagOverview

hashtagSetting Up Local Environment

hashtagScenario

hashtagInstallation

hashtagRunning the Application

hashtagVerify Application Works

hashtagChecking for Public Vulnerabilities

hashtagnpm audit

hashtagIf Vulnerabilities Found

hashtagTesting validateString

hashtagTest /api/service/generate Endpoint

hashtagDebugging with VSCode

hashtagRun in Debug Mode

hashtagAdd Breakpoint

hashtagBreakpoint on validateString (Line 4)

hashtagRe-send Request

hashtagInspect Variables

hashtagBreakpoint on Line 20 (generateQR)

hashtagAdd Breakpoint

hashtagInspect Variables

hashtagDebug Workflow Summary

hashtagVSCode Debug Controls

hashtagKey Findings So Far

hashtagNext Steps

Overview

Setting Up Local Environment

Scenario

Installation

Running the Application

Verify Application Works

Checking for Public Vulnerabilities

npm audit

If Vulnerabilities Found

Testing validateString

Test /api/service/generate Endpoint

Debugging with VSCode

Run in Debug Mode

Add Breakpoint

Breakpoint on validateString (Line 4)

Re-send Request

Inspect Variables

Breakpoint on Line 20 (generateQR)

Add Breakpoint

Inspect Variables

Debug Workflow Summary

VSCode Debug Controls

Key Findings So Far

Next Steps