Redis

Redis¶

NPM Redis can be used either way to set values

client.set("some_key", "some_val"); 
client.set(["some_key", "some_val"]);

JSON Injection¶

If the source looks like this below we have control over the JSON key variable.

app.use(bodyParser.json());
app.post('/', function (req, res) {
    redis.set(req.body.key, "default");
});

Using a Normal request with the JSON body to {key : "foo"} creates the correct data.

redis.set("foo", "default");

But using a Inject Request with the JSON body to {key : ["foo", "evil"]} creates an injection

redis.set(["foo", "evil"], "default");

Query String Injection¶

If the source looks like this below we have control over the Query String key variable.

app.get('/', function (req, res) {  
    redis.set(req.query.key, "default");
});

Using a Normal request with the Query String to ?key=foo creates the correct data.

redis.set("foo", "default");

But using a Inject Request with the Query String to ?key[]=foo&key[]=evil creates an injection

redis.set(["foo", "evil"], "default");
````

### Form URL Encoded Body Parameter

If the source looks like this below we have control over the Query String key variable.

```javascript
app.use(bodyParser.urlencoded());

app.post('/', function (req, res) {
    redis.set(req.body.key, "default");
});

Using a Normal request with the Form Body to key=foo creates the correct data.

redis.set("foo", "default");

But using a Inject Request with the Form Body to key[]=foo&key[]=evil creates an injection

```javascript
redis.set(["foo", "evil"], "default");
````