Your company is building an application for a client. The app is required to download a file from the internet on a daily basis.
After a quick review, your boss has identified a vulnerability in the code that creates a risk for your company, and has asked you to remediate the error.
Please take the next step and identify the vulnerability.
You need to report the line of code and the type of vulnerability in the developer survey linked below.
1  const axios = require('axios');
2  const validURL = "https://awesome.app";
3
4  const fetch = (url) => {
5    if (url.startsWith(validURL)) {
6      axios
7        .get(url)
8        .then(res => {
9          console.log(`statusCode: ${res.status}`);
10         console.log(res);
11       })
12       .catch(error => {
13         console.error(error);
14       });
15   }
16 };
17
18 // Usage example
19 const userUrl = "https://awesome.app/resource.json";
20 fetch(userUrl);
Use the DEVELOPER SURVEY link below to answer the challenge. (Please note that you will be redirected to jotform.com.)
The vulnerability is at line number 5 (five). The startsWith() method only determines whether a string begins with the characters of a specified string, so the check can easily be bypassed if an attacker sends a URL they control such as https://awesome.app.wordpress.com: it starts with "https://awesome.app" but points at a completely different host, and the application will then fetch whatever that host serves.
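As an added example (not the challenge's own code), the following Node.js script puts the challenge's startsWith() check beside a hardened version that parses the URL with the built-in WHATWG URL class and compares the whole origin (scheme, host and port) instead of a string prefix. The sample URLs are constructed for this example; besides the bypass from the write-up, it shows two further URLs that defeat the prefix check the same way (a userinfo trick and an attacker-owned subdomain), and one legitimate URL that the prefix check wrongly rejects.

```javascript
// Weak prefix check (as in the challenge) beside a hardened origin check.
// The URL class is a Node.js global; no third-party module is needed.

const validURL = 'https://awesome.app';          // prefix used by the challenge code
const allowedOrigin = new URL(validURL).origin;  // 'https://awesome.app'

// The challenge's check: a plain string-prefix test on the raw input.
function weakCheck(url) {
  return url.startsWith(validURL);
}

// Hardened check: parse first, then compare the origin as a whole.
// Anything that does not parse, carries userinfo, or resolves to a
// different origin is rejected.
function isAllowedUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return false; // malformed or relative URL
  }
  if (parsed.username || parsed.password) {
    return false; // "https://awesome.app@evil.com" puts the real host after the '@'
  }
  return parsed.origin === allowedOrigin;
}

// Constructed inputs for this example (assumptions, not from the challenge page).
const samples = [
  'https://awesome.app/resource.json',       // legitimate
  'https://awesome.app.wordpress.com/x',     // bypass from the write-up: prefix matches, host differs
  'https://awesome.app@evil.com/resource',   // userinfo trick: prefix matches, host is evil.com
  'https://awesome.app.evil.com/',           // attacker-owned subdomain with the same prefix
  'https://awesome.app:8443/resource.json',  // same host, different port: a different origin
  'http://awesome.app/resource.json',        // scheme downgrade
  'https://AWESOME.APP/resource.json',       // case differs: prefix check rejects, parser accepts
];

// Run both checks over a list of URLs and return the verdicts side by side.
function compareChecks(urls) {
  return urls.map((u) => ({ url: u, weak: weakCheck(u), strict: isAllowedUrl(u) }));
}

for (const r of compareChecks(samples)) {
  const w = r.weak ? 'weak:ALLOW ' : 'weak:DENY  ';
  const s = r.strict ? 'strict:ALLOW' : 'strict:DENY ';
  console.log(`${w} ${s}  ${r.url}`);
}
```

Note that the hardened check still only answers "is this the origin we expect"; if the file name itself comes from user input, the path should be validated separately, and the HTTP client should be configured not to follow redirects off the allowed origin.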
We also have a video about this challenge.
You can learn more about this at CWE