PortSwigger Web Security: RCE in 'Copy as Node Request' BApp via code injection
News category: Vulnerabilities
Source: vulners.com
Description
Copy as Node Request is a Burp Suite extension that allows users to copy requests as Node.js code. Due to improper sanitization of the cookie, it's possible to inject arbitrary Node.js code into the copied text, which may lead to remote code execution with a significant amount of user interaction.

Root cause
This extension has a function named escapeQuotes. While this function escapes double quotes, it doesn't escape single quotes.
https://github.com/PortSwigger/copy-as-node-request/blob/b34456463310836e93365541189626909adc70bb/src/burp/BurpExtender.java#L165-L167
As the cookie field of the generated code uses single quotes, it's possible to escape the string literal and inject arbitrary Node.js code.
https://github.com/PortSwigger/copy-as-node-request/blob/b34456463310836e93365541189626909adc70bb/src/burp/BurpExtender.java#L123-L125

Steps to reproduce
1. Install the Copy as Node Request extension.
2. Open https://example.com
3. Open DevTools and type document.cookie = "test='/require('child_process').exec('calc.exe')//"
4. Enable intercept and reload the browser tab.
5. Right-click on the intercepted request and click Copy as Node.js Request.
6. Execute the copied text in Node.js. calc.exe will pop up.

Impact
Remote code execution via Node.js code injection with user...
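The root cause described above, as an added example that is not code from the extension or the original report: a JavaScript model of an escaper that handles only double quotes, beside one that also escapes backslashes, single quotes and line breaks, with a scanner that reports whether escaped text would end a single-quoted literal early. All function names and sample values are constructed for illustration; the extension's real escapeQuotes is Java and is only modelled here from the report's description.

```javascript
// Model of the behaviour the report describes: only double quotes are escaped.
// (Assumption: the real Java escapeQuotes is not reproduced here.)
function escapeQuotesWeak(value) {
  return value.replace(/"/g, '\\"');
}

// Hardened escaper for text placed inside a '...' or "..." JavaScript literal.
// The backslash must be handled first so later escapes are not double-processed.
function escapeForJsString(value) {
  return value
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r');
}

// Returns true if `body`, placed between single quotes, would not stay one
// literal: an unescaped quote, a raw line break, or a trailing backslash
// that would swallow the closing quote.
function breaksOutOfSingleQuotes(body) {
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === '\\') {
      if (i + 1 >= body.length) return true; // escapes the closing quote
      i++;                                    // skip the escaped character
      continue;
    }
    if (c === "'" || c === '\n' || c === '\r') return true;
  }
  return false;
}

// Round-trip check: the hardened literal must decode to the original value.
// Only the hardened output is evaluated, and only for the constructed samples.
function roundTrips(value) {
  const literal = "'" + escapeForJsString(value) + "'";
  return new Function('return ' + literal + ';')() === value;
}

// Constructed sample cookie values (benign): quote breakout, double quote,
// trailing backslash.
const SAMPLES = ["test='+1+'", 'a"b', 'x\\'];

function audit(value) {
  return {
    weakBreaksOut: breaksOutOfSingleQuotes(escapeQuotesWeak(value)),
    hardenedBreaksOut: breaksOutOfSingleQuotes(escapeForJsString(value)),
    hardenedRoundTrips: roundTrips(value),
  };
}
```

A generator that emits string literals can run a check like `audit` over its own output in unit tests, so an escaping gap shows up before the generated code is ever executed.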