https://github.com/fguisso/backoffice-balm
BackOFFice Balm is a minimal Node.js/Express demo illustrating the Unvalidated Dynamic Method Call vulnerability in JavaScript.
- Host: GitHub
- URL: https://github.com/fguisso/backoffice-balm
- Owner: fguisso
- Created: 2025-05-29T16:30:31.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2025-07-21T22:33:17.000Z (6 months ago)
- Last Synced: 2025-07-22T01:12:00.099Z (6 months ago)
- Topics: appsec, codeql, dojo-shield
- Language: HTML
- Homepage:
- Size: 928 KB
- Stars: 1
- Watchers: 0
- Forks: 1
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# BackOFFice Balm

*Soothe your spine—and your spreadsheets.*
## Introduction
BackOFFice Balm is a minimal Node.js/Express demo illustrating the **Unvalidated Dynamic Method Call** vulnerability in JavaScript. It exposes two unprotected routes that allow any method on our in-memory `UserManager` to be invoked via URL parameters, including the admin-only `_admin_delete`. Your task is to learn how to exploit and then fix this flaw.
### What is an Unvalidated Dynamic Method Call?
An unvalidated dynamic method call happens when an application constructs a method name from user-controlled input and invokes it without checking against a whitelist.
```js
// vulnerable pattern in src/app.js
const method = `${action}_user`; // `action` is taken straight from the URL parameter
userManager[method](params);     // no check that the caller is allowed to invoke `method`
```
Because `action` comes directly from the URL, an attacker can invoke any method on `userManager`, including private/admin routines like `_admin_delete`, without authorization.
### What is the impact for companies?
- Privilege escalation: Attackers invoke admin-only logic from public endpoints.
- Data loss or tampering: Unauthorized deletion or modification of records.
- Business logic bypass: Security, validation, and audit checks can be skipped.
- Hidden risk: Concise code hides critical security holes, often slipping into production unnoticed.
## Quickstart
1. **Clone & build**
```bash
git clone https://github.com/yourname/backoffice-balm.git
cd backoffice-balm
docker build -t backoffice-balm .
```
2. **Run with Docker**
```bash
docker run --rm -it --init \
  --env-file .env \
  -p 3000:3000 \
  backoffice-balm
```
3. **Open the UI**
Browse to http://localhost:3001
## Exploitation
Because we dynamically resolve `userManager[ action ]` without validation, you can call admin methods on the public routes:
```bash
# Create a test user
curl -X POST localhost:3000/v1/user/42/create \
  -H "Content-Type: application/json" \
  -d '{"name":"Bob","cellphone":"+55"}'

# Exploit: delete without auth
curl -X GET localhost:3000/v1/user/42/_admin_delete
```
## Your Challenge
**Patch** `src/app.js` so that `/v1/user/:id/:action` can invoke only `create_user` and `get_user_info`.
Good luck—and hack the planet! 🚀
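One way to approach the patch, shown here as an added example rather than the project's own `src/app.js`: a constructed stand-in for `UserManager` with the vulnerable lookup from the explanation above beside an allowlisted dispatcher. The Express layer is left out so the file runs with plain `node`, and the stand-in resolves `action` directly (as in the Exploitation section's `userManager[ action ]`) instead of through the `${action}_user` template; the `demo()` function, the `dispatchUnsafe`/`dispatchSafe` names and the request values are all assumptions made for this example.

```javascript
// Added example (not the project's code): a stand-in for the UserManager and
// request dispatch described in the README, vulnerable lookup beside an
// allowlisted one. Express is omitted so the file runs with plain `node`.

class UserManager {
  constructor() {
    this.users = new Map();
  }

  create_user(id, params = {}) {
    this.users.set(id, { name: params.name, cellphone: params.cellphone });
    return { ok: true, id };
  }

  get_user_info(id) {
    const user = this.users.get(id);
    return user ? { ok: true, user } : { ok: false, error: 'not found' };
  }

  // Admin-only routine: must never be reachable through the public route.
  _admin_delete(id) {
    return { ok: this.users.delete(id) };
  }
}

// Vulnerable dispatch: the method name is whatever `:action` the URL carries.
// A `typeof === 'function'` guard only filters out missing names; it still
// passes for `_admin_delete` and for inherited names such as `toString`.
function dispatchUnsafe(manager, action, id, params) {
  const fn = manager[action];
  if (typeof fn !== 'function') {
    return { status: 404, error: 'unknown action' };
  }
  return { status: 200, ...fn.call(manager, id, params) };
}

// Hardened dispatch: an explicit allowlist decides which methods the public
// route may reach. The check is against the Set, not against the object, so
// prototype members and underscore-prefixed "private" methods never qualify.
const PUBLIC_METHODS = new Set(['create_user', 'get_user_info']);

function dispatchSafe(manager, action, id, params) {
  if (!PUBLIC_METHODS.has(action)) {
    return { status: 404, error: 'unknown action' };
  }
  return { status: 200, ...manager[action](id, params) };
}

// Replays the README's two curl requests against both dispatchers and
// returns what each one let through.
function demo() {
  const params = { name: 'Bob', cellphone: '+55' }; // constructed; mirrors the README's request body

  const vuln = new UserManager();
  dispatchUnsafe(vuln, 'create_user', '42', params);
  const unsafeDelete = dispatchUnsafe(vuln, '_admin_delete', '42');

  const fixed = new UserManager();
  dispatchSafe(fixed, 'create_user', '42', params);
  const safeDelete = dispatchSafe(fixed, '_admin_delete', '42');
  const ctorProbe = dispatchSafe(fixed, 'constructor', '42');

  return {
    unsafeDeleteStatus: unsafeDelete.status,      // 200: admin logic reached from the public route
    unsafeUserGone: !vuln.get_user_info('42').ok, // true: the record was deleted
    safeDeleteStatus: safeDelete.status,          // 404: allowlist rejected the action
    ctorProbeStatus: ctorProbe.status,            // 404: inherited names are rejected too
    safeUserIntact: fixed.get_user_info('42').ok, // true: record survived
  };
}

console.log(demo());
```

The allowlist is the whole fix: membership in a fixed `Set` of method names is checked before any property lookup on the object, so the decision never depends on what happens to be callable on `userManager` or its prototype. Adding a new public action means adding it to `PUBLIC_METHODS` deliberately, which is the review point a dynamic lookup otherwise hides.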