hunt-nodejs

Solid

Hunt Node.js specific vulnerabilities — Prototype Pollution → RCE chains (lodash/merge/assign), Express trust proxy misconfiguration, child_process/eval injection, template engine SSTI (EJS/Pug/Handlebars), path traversal in file servers, require() injection, environment variable exfil via /proc/self/environ. Use when target runs Node.js/Express/Fastify/NestJS/Koa.

Category: AI & Automation · 1,912 stars · 279 forks · Updated 3 days ago · License: NOASSERTION


Quality Score: 86/100

| Component | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# HUNT-NODEJS — Node.js Specific Vulnerabilities

## Crown Jewel Targets

Prototype Pollution reaching a sink in Node.js backend = Critical RCE.

**Highest-value chains:**

- **Prototype Pollution → RCE** — `__proto__` injection via `lodash.merge` / `Object.assign` → polluted prototype reaches `child_process.exec` or `vm.runInNewContext` sink
- **Express trust proxy** — `app.set('trust proxy', true)` without validation → attacker sets `X-Forwarded-For` to bypass IP allowlists or rate limits
- **EJS/Pug SSTI** — template engine receives user input → `{{= process.mainModule.require('child_process').execSync('id') }}`
- **`child_process` injection** — user input interpolated into shell command string → OS command injection
- **`require()` path traversal** — attacker-controlled module path → load arbitrary file as JS

---

## Attack Surface Signals

```
X-Powered-By: Express               Confirms Express.js
Node.js in error messages           Runtime detected
package.json exposed                Dependency list + versions
/proc/self/environ accessible       Environment variable exfil
Error stack traces with .js paths   Node.js confirmed
__proto__ in JSON accepted          Prototype pollution candidate
```

---

## Phase 1 — Fingerprint

```bash
# Confirm Node.js/Express
curl -sI https://$TARGET/ | grep -i "x-powered-by\|nodejs\|express"

# Check for package.json / node_modules exposure
curl -s "https://$TARGET/package.json"
curl -s "https://$TARGET/package-lock.json"
curl -s "https://$TARGET/node...
```

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 1 month ago
Last Updated: 3 days ago
Language: Python
License: NOASSERTION


Similar Skills

Semantically similar based on skill content — not just same category

hunt-nextjs (Web & Frontend, Solid)

Hunt Next.js specific vulnerabilities — Server Actions arbitrary function execution, Middleware auth bypass via static asset paths, ISR cache poisoning, Image Optimization SSRF (/_next/image), RSC payload leakage, getServerSideProps injection, source map exposure, debug endpoint leakage. Use when target runs Next.js 13/14/15 or any React SSR framework.

1,912 stars · Updated 3 days ago · elementalsouls

hunt-dom (Web & Frontend, Solid)

Hunt client-side DOM vulnerabilities — DOM Clobbering (overwrite JS globals via HTML injection), PostMessage hijacking (missing origin check), Service Worker abuse (intercept requests from same-origin script), CSS Injection/Exfiltration (attribute selectors → token char-by-char via OOB), client-side template injection, dangerouslySetInnerHTML. Grounded in named public research: Gareth Heyes / PortSwigger DOM-clobbering + DOM-Invader, Michał Bentkowski DOMPurify clobbering bypasses, jQuery htmlPrefilter XSS (CVE-2020-11022 / CVE-2020-11023), d0nut CSS-exfil research. Use when hunting DOM-XSS, client-side auth bypass, or token exfiltration without server-side interaction.

1,912 stars · Updated 3 days ago · elementalsouls

hunt-springboot (Testing & QA, Solid)

Hunt Spring Boot specific vulnerabilities — Actuator endpoints (heapdump, env, loggers, mappings, shutdown), Spring Expression Language (SpEL) injection → RCE, H2 console RCE, Jolokia JMX exposure, Spring4Shell (CVE-2022-22965), Spring Cloud Function SPEL (CVE-2022-22963), heap dump credential extraction. Use when target runs Spring Boot — detected via X-Application-Context header, /actuator, Whitelabel Error Page, or Java stack traces.

1,912 stars · Updated 3 days ago · elementalsouls