Solving a CTF challenge with NodeBee - part 2

In part 1, we created a custom NodeBee checker and found two vulnerabilities (an SSRF and an FTP CRLF injection) in a PlaidCTF challenge.

In this post we will show how to set up an automated check with NodeBee that alerts developers when newly committed code in a Github pull request contains a vulnerability, including the CRLF injection we defined in part 1.

Fortunately, enabling NodeBee on Github is really simple. All you have to do is to install the NodeBee app in your Github account (contact us for a beta access at beta@nodebee.io!) and grant access to a repo:

[Screenshot: enable_repo.png]

For illustration, let's first remove the image handler from the api service, then add our checker.js from part 1 to the repo and create a simple lerna config to turn it into a “proper” monorepo:

{
  "packages": [
    "services/*"
  ],
  "version": "0.0.0"
}

NodeBee can use lerna to find packages and determine which ones are affected by changes in a PR.

NodeBee also has to know how to build and install an application. Although it can usually guess this by itself, let's make it explicit by adding a build config:

{
  "repoType": "lerna",
  "packageConfig": [
    {
      "include": "services/api",
      "entryPoint": "index.js",
      "packageBuild": "yarn build && yarn install --production=true",
      "framework": "express"
    }
  ]
}
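As an added example (not NodeBee's own code), here is how the lerna "packages" globs and the build config's "include" paths can be combined to decide which packages a pull request touches and therefore need re-scanning. It assumes single-level "*" globs and that "include" is a plain package path; the PR file list is constructed.

```javascript
// Added example, not NodeBee's own code: combine the lerna "packages" globs
// with the build config's "include" paths to work out which packages a PR
// touches. Assumes single-level "*" globs and that "include" is a plain path.

// Constructed copies of the two configs shown above.
const lernaConfig = { packages: ["services/*"], version: "0.0.0" };
const buildConfig = {
  repoType: "lerna",
  packageConfig: [{ include: "services/api", entryPoint: "index.js", framework: "express" }],
};

// Turn a lerna package glob into a regex whose first group is the package root.
function globToPackageRegex(glob) {
  if (glob.includes("**")) throw new Error(`recursive glob not supported: ${glob}`);
  const escaped = glob
    .split("/")
    .map((seg) => (seg === "*" ? "[^/]+" : seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")))
    .join("/");
  return new RegExp(`^(${escaped})(?:/|$)`);
}

// Map changed files to package roots; files outside every glob are reported
// separately so the caller can decide whether a root-level change matters.
function affectedPackages(config, changedFiles) {
  const regexes = config.packages.map(globToPackageRegex);
  const affected = new Set();
  const unmatched = [];
  for (const file of changedFiles) {
    const normalized = file.replace(/\\/g, "/").replace(/^\.\//, "");
    const match = regexes.map((re) => re.exec(normalized)).find(Boolean);
    if (match) affected.add(match[1]);
    else unmatched.push(normalized);
  }
  return { affected: [...affected].sort(), unmatched };
}

// Select the build-config entries that cover an affected package.
function entriesToScan(build, affected) {
  return build.packageConfig.filter((entry) => affected.includes(entry.include));
}

// Constructed PR file list: the image handler comes back, plus a root-level change.
const prFiles = ["services/api/routes/image.js", "services/api/package.json",
  "services/worker/index.js", "lerna.json"];

const result = affectedPackages(lernaConfig, prFiles);
console.log(result, entriesToScan(buildConfig, result.affected).map((e) => e.include));
```

A package that appears in `affected` but has no matching `packageConfig` entry (here `services/worker`) is the case to watch for in CI: it changed, but nothing describes how to build and scan it.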

Once this is done, we can push our changes and we're ready to scan our first PR:

NodeBee concludes that there are no vulnerabilities in the code, which is a good sign (remember, we just removed the vulnerable code!).

Now, let’s see what happens if we put it back again:

[Screenshot: check_failed3.png]

This demonstrates two of our favourite features of NodeBee. The first is speed. Unlike a traditional DAST or SAST scan, NodeBee concludes the test in a matter of minutes. Usually by the time we find someone to do a code review, NodeBee has already finished the analysis and the results are available.

The other great feature is that NodeBee doesn't suffer from false positives the way a static analyzer does. Every reported issue comes with a curl command that, when sent to the application, triggers the condition specified in the sanitizer.

If you'd like to try out NodeBee on your own code, contact us at beta@nodebee.io! Stay safe and happy fuzzing!
