When I am trying to find vulnerabilities in web applications, I always fuzz every HTTP parameter, and sometimes this gives me something interesting:
The demo.paypal.com server responded differently to requests containing '\' and '%0a', returning a 'syntax error' in the response, while for single quote, double quote and other characters it answered with a plain HTTP 200 OK.
The old version of Dust.js supports the "if" helper, which you can use in your templates like this:
Eval! Yeah, why not? It's a simple and elegant solution.
Which throws a syntax error.
Hmmm, but what if the 's' parameter is not a string? In Node.js we can send a request like paypal.com/?device=1&device=2 and the qs module will parse the 'device' parameter as an Array instead of a string.
I quickly made a request to https://_demo.paypal.com/demo/navigation?device=&device=' and when the server responded with 'syntax error', my chair started to shake under me.
I am fairly familiar with Node.js, so it took me a few minutes to craft a test payload that sends the '/etc/passwd' file to my server.
This string was worth $10.000 to me.
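To make the type confusion concrete, here is an added JavaScript model of the bug (not Dust.js's, qs's or PayPal's own code): a toy query parser that turns a repeated key into an Array the way qs does, an escaper that only touches strings, the condition text a template like "'{device}' == 'desktop'" would build from it, and a strict variant that refuses anything but a single string. The function names and the `&#39;` escaping are assumptions made for this illustration.

```javascript
// Added model of the bug described above; not Dust.js, qs or PayPal code.
// Names (parseQuery, escapeStringsOnly, escapeStrict) and the &#39; escaping are
// assumptions made for this illustration.

// Toy parser that, like qs, turns a repeated key into an Array of values.
function parseQuery(queryString) {
  const params = {};
  for (const pair of queryString.split("&")) {
    if (pair === "") continue;
    const [key, value = ""] = pair.split("=").map(decodeURIComponent);
    params[key] = key in params ? [].concat(params[key], value) : value;
  }
  return params;
}

// Escaper that neutralises quotes in strings but returns any other type unchanged.
function escapeStringsOnly(value) {
  if (typeof value === "string") return value.replace(/'/g, "&#39;");
  return value; // an Array falls through here with its quotes intact
}

// Hardened variant: anything that is not a single string is rejected up front.
function escapeStrict(value) {
  if (typeof value !== "string") {
    const kind = Array.isArray(value) ? "array" : typeof value;
    throw new TypeError("expected a single string parameter, got " + kind);
  }
  return value.replace(/'/g, "&#39;");
}

// Text a template condition such as "'{device}' == 'desktop'" would expand to.
// String concatenation calls Array.prototype.toString, joining values with commas.
function buildCondition(device, escape) {
  return "'" + escape(device) + "' == 'desktop'";
}

// Runs the whole path for one raw query string and reports the condition text
// the expression evaluator would have been handed (or why it was refused).
function conditionFor(queryString, escape) {
  const { device } = parseQuery(queryString);
  try {
    return { ok: true, condition: buildCondition(device, escape) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

With escapeStringsOnly, the Array's raw quote lands in the condition text unescaped (the same kind of breakage the 'syntax error' response revealed), whereas escapeStrict fails closed before any expression is built.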