id: node-express-dev-env

info:
  name: Node.js Express NODE_ENV Development Mode
  author: FLX
  severity: medium
  description: |
    The Node.js application runs in development mode, which can expose sensitive information, such as source code and secrets, depending on the application.
  reference:
    - https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/express-development-mode-is-enabled/
    - https://www.synopsys.com/blogs/software-security/nodejs-mean-stack-vulnerabilities.html
  metadata:
    verified: true
    max-request: 2
    shodan-query: "X-Powered-By: Express"
  tags: nodejs,express,misconfig,devops,cicd,trace
flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - "contains(tolower(all_headers), 'x-powered-by: express')"

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Connection: close

        t

    matchers:
      - type: dsl
        dsl:
          - "status_code==400"
          - "contains(body, 'SyntaxError: Unexpected token')"
          - "contains(tolower(all_headers), 'x-powered-by: express')"
        condition: and
# digest: 4a0a004730450220761fa1a9c4121ca483493ae0f6a3a69b50db15d187e827a9abf4b50a8572c34a022100f96cde03c354a2eccf0c66b00269bcd75ff853d0d477d46d37e567af15ecc577:922c64590222798bb761d5b6d8e72950