id: node-express-dev-env

info:
  name: Node.js Express NODE_ENV Development Mode
  author: FLX
  severity: medium
  description: |
    The Node.js application runs in development mode, which can expose sensitive information, such as source code and secrets, depending on the application.
  reference:
    - https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/express-development-mode-is-enabled/
    - https://www.synopsys.com/blogs/software-security/nodejs-mean-stack-vulnerabilities.html
  metadata:
    max-request: 2
    verified: true
    shodan-query: "X-Powered-By: Express"
  tags: nodejs,express,misconfig,devops,cicd,trace

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - "contains(tolower(all_headers), 'x-powered-by: express')"

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Connection: close

        t

    matchers:
      - type: dsl
        dsl:
          - "status_code==400"
          - "contains(body, 'SyntaxError: Unexpected token')"
          - "contains(tolower(all_headers), 'x-powered-by: express')"
        condition: and
# digest: 4a0a00473045022100d0debb95087af51d1c60b5f8e1135fff6358308570e9fb9618ea54e87a1568e502202d94de6ec99ca826bb5c199ea960e571d6f9d5030885a415efc44f831f393244:922c64590222798bb761d5b6d8e72950