Planning

Overview

With code review complete and functions shortlisted, we now set up the web application locally for testing.

---

Setting Up Local Environment

Scenario

• Provided: Source code + instructions

• Backend: Debian-based Linux

• No VM/Docker provided

Note: If using Windows, run on Linux VM or PwnBox to match production.

Installation

# Navigate to project
cd ./intro_to_whitebox_pentesting

# Install dependencies
npm install

Running the Application

npm run dev

Output:

> academy_intro_to_whitebox_pentesting@1.0.0 dev
> nodemon src/app.js

[nodemon] 3.0.1
[nodemon] watching path(s): *.*
[nodemon] watching extensions: js,mjs,cjs,json
[nodemon] starting `node src/app.js`
⚡️[server]: Server is running at http://localhost:5000
⚡️[api]: APIs are running at http://localhost:5000/api

Verify Application Works

curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@test.com"}' \
  http://localhost:5000/api/auth/authenticate

Response:

{"token":"eyJhbGciOiJIU...SNIP...KmC7FqcwI4JOLiiI6aaN_feUY"}

✅ Application running correctly!

---

Checking for Public Vulnerabilities

npm audit

npm audit

Output:

found 0 vulnerabilities

If Vulnerabilities Found

Update Type	Action
Patch (x.x.X)	Safe to update
Minor (x.X.0)	Usually safe
Major (X.0.0)	May have breaking changes

Note: Major updates may require code changes - recommend developers implement.

---

Testing validateString

Test /api/service/generate Endpoint

# Get token first
TOKEN=$(curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@test.com"}' \
  http://localhost:5000/api/auth/authenticate | jq -r '.token')

# Call generate endpoint
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"text": "this is a test"}' \
  http://localhost:5000/api/service/generate

Response:

<img src="data:image/png;base64,iVBORw0KGgo...SNIP...5ErkJggg==" alt="QR Code" />

✅ QR code generated successfully!

Tip: To preview QR code, save to HTML file and open in browser.

---

Debugging with VSCode

Run in Debug Mode

1. Open Run and Debug tab in VSCode

2. Click Run icon next to "Launch Program"

3. Bottom bar turns red = debug mode active

Add Breakpoint

1. Open controllers/service-controllers.js

2. Click on line number (or Shift+F9)

3. Red dot appears = breakpoint enabled

Breakpoint on validateString (Line 4)

function validateString(input, onError) {
  if (  // ← Breakpoint here
    typeof input !== "string" ||
    input.length == 0 ||
    input.match(/['"`;]/g)
  ) {

Re-send Request

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"text": "this is a test"}' \
  http://localhost:5000/api/service/generate

Application breaks at breakpoint!

Inspect Variables

In VARIABLES pane:

• input: "this is a test"

• onError: "throw new Error('Invalid input for role: user')"

---

Breakpoint on Line 20 (generateQR)

Add Breakpoint

Line 20 in service-controllers.js (after try {):

async function generateQR(req, res) {
  const { text } = req.body;
  const role = req.user?.role;

  try {  // ← Breakpoint after this

Inspect Variables

Variable	Value
text	"this is a test"
role	"user"
req.user	{ email: "test@test.com", role: "user", ... }

Answer: The value of role is user

---

Debug Workflow Summary

1. Run app in debug mode (VSCode)
         ↓
2. Add breakpoints at target functions
         ↓
3. Send test requests
         ↓
4. Inspect variables when breakpoint hits
         ↓
5. Step through code to understand flow
         ↓
6. Identify injection points

---

VSCode Debug Controls

Button	Action
▶️ Continue	Resume execution
⏭️ Step Over	Execute next line
⏬ Step Into	Enter function call
⏫ Step Out	Exit current function
🔄 Restart	Restart debugging
⏹️ Stop	Stop debugging

---

Key Findings So Far

Observation	Implication
role comes from JWT	Need to control JWT to inject
role = "user" for test@test.com	Role determined by email
onError contains role	Injection via role → eval
No public CVEs	Must exploit custom code

---

Next Steps

1. Understand eval injection - How to exploit eval()

2. Control the role - How is role determined?

3. Craft payload - Bypass filters, achieve execution

4. Test exploitation - Confirm vulnerability