This is a precise demonstration of how easily dynamic evaluation can compromise a server when sandboxes are improperly implemented. It serves as a sobering reminder that even advanced chatbots remain vulnerable to fundamental injection flaws.
I Broke a Chatbot Using This Trick
Hello everyone. Welcome back to the new video and today we are talking about chatbots. We know the chatbot functionality in literally every application or support chat where you can interact with the bot and it will help with your queries. So, for the sake of this video we are going to see how you can test for vulnerabilities in the chatbot functionality, or how you can disable a chatbot or kill a chatbot when you're testing this feature. So, obviously we are doing this in a safe environment. We are using a lab and as you can see my lab is running over here. It's OWASP Juice Shop.
Okay, so this is an intentionally vulnerable application. So, let's go to the support chat and we have the support chat feature over here. We can just simply interact with it and we can see that it is replying to us.
Okay, so as you can see I'm logged in as well.
And okay, and this is actually a token and you must be wondering why it's giving me a token. We will go into that soon. This is the functionality of this bot actually.
If you give it your name it's going to respond with a token.
Anyways, but that's not important right now.
We want to test for bugs here.
We want to see how we can kill the chatbot so it's unresponsive to everyone.
Okay, so before we move into that let's go to the inspect.
Let's see what we got in the sources.
Let's type in chatbot.
Increase the size a bit.
And we can see some references over here.
Let's go to this get chatbot status.
This one looks very interesting.
Chatbot status and handle response, send a message.
Okay, these are some basic functionalities we can see over here where it's telling how to handle the message and how to give a response in the UI.
But we want to understand how we can play with this chatbot and what we can exploit here.
So, the vulnerability that we are exploiting in this case is a server-side JavaScript injection. A lot of you might not have heard about it. Let me know in the comment section if you know about it.
So, let me Google it.
Server-side JavaScript injection.
So, you can get an idea.
As you can see, server-side JavaScript injection is a critical vulnerability that occurs when a web application incorporates unsanitized user input into strings that are dynamically evaluated by the server's JavaScript interpreter. While similar to cross-site scripting, which targets the user's browser, SSJI allows attackers to execute arbitrary code directly on the application server, typically within Node.js environments.
Okay, it gave us a little hint as well. Let's look at the common vulnerable functions: evaluation functions like eval and setTimeout. You must have noticed eval functions also being used in SSTI (server-side template injection) cases, but they are used in SSJI cases as well. So, there is some system interaction as well. Improperly handled functions from the child_process module like exec, spawn and fork can lead to OS command injection, but I don't think this is of interest to us right now. It's just giving us extra information. What is interesting to us is this one, evaluation functions. But there are more than this actually. It has not mentioned them over here, but let's go back to the OWASP Juice Shop and let's look at Wappalyzer.
In Wappalyzer we can see the programming language is Node.js and we have Angular. So, now we know that it's using Node.js. Let's look at some functionalities, or some evaluation functionalities, in Node.js that can lead to SSJI.
For that I'm going to open Gemma.
Okay, so let's type in the prompt.
Give me some functions in Node.js that can lead to an SSJI vulnerability.
Okay.
It sure takes a little time, but I think it's not that bad actually. Considering the restrictions it doesn't have, like if you're bug bounty hunting and you don't have a premium subscription to Claude or ChatGPT, then I think you can use Gemma for that.
Cuz it doesn't have restrictions. So, if you're going to ask for prompts for bug bounty hunting, it will give them to you.
Okay, so the first one we have is eval. And the second function, okay, not something important. I'm looking for a specific function so I can show you. Yeah, this one. The VM module, virtual machine. This one is very interesting for us. The VM module is designed to run code in a separate context, like in a sandbox. Crucially, the VM module is not a security mechanism. It is intended for isolation. Okay, I thought it is similar to sandboxing, but not. Not sandboxing, and an attacker can almost always escape the VM context to reach the main Node.js process.
Seems like it's not very secure. So, we have a few functions from this module: runInContext, runInNewContext and Script.
And this is how you initiate a sandbox. It's calling it isolation but not sandboxing cuz I think it thinks like sandboxing is more secure, but any sandbox that can be escaped is not secure. Literally depends on the condition, but I'm going to call it sandboxing. That's not a wrong way to say it.
Attack payload.
Attackers can use a prototype chain to get back in the main process.
We'll look into that later. So, we have some template engines as well, indirect SSJIs, but again we're not going to look into that.
So, now that you know about the VM module, what are we going to do? We are going to look at the source code. We're going to review the source code, cuz you should learn how to read source code as well if you have access to it. For example, if you're in pen testing. But in bug bounty hunting you don't have access to source code, so it's going to be a blind approach, but you can get the lead by looking at the technologies. Any application that is using Node.js and has a support chat feature, you can definitely start testing out for the exact vulnerability I'm testing here.
So, let's open up the OWASP Juice Shop GitHub page.
We're going to go to routes.
And then we're going to look for chatbot.
Any file that has the chatbot.
Where is it? Yeah, over here. chatbot.ts.
Okay, so here is the file.
I just wanted to show you cuz there are more files that we need to look at, the important ones, but let's start with this one, initialize chatbot. So, this is basically initializing the chatbot and loading up the training file that contains the training data for the chatbot so it can interact with the user. So, as you can see it's doing some function with the training file, and then it is processing the user input, and it's giving 503 if the chatbot is not available, but if the chatbot is just working fine it's going to respond like this. So, if I scroll down we can see over here we have another function, set username.
So, the set username function receives this input, whatever input the user passes, and passes it directly to a library.
This file over here just handles some web communication. It receives your HTTP request, the JSON you send, checks if you're logged in, and then passes your input to the chatbot library.
So, let me go back to the application, and if I click on inspect, and where is it... Yeah, Rep Plus.
Okay, so this is one of the extensions that I use and I think it's pretty cool.
So, let me send another message. Hey.
So, as you can see this is very similar to repeater. I'm not promoting this actually. I just came across this and I'm just using it.
Never mind.
Okay, so if I open this up you can see it shows my target and the request I'm sending. So, we have the endpoint, the rest chatbot respond. So, I just wanted to show you how the JSON body looks. It's a query and this is the message hey we sent over here. Hey goes over here in the query, and we get a response action and body.
Anyway, so this is the kind of request and response we are getting. Just wanted to show you.
But all of this UI thing happening over here is happening in the chatbot.ts file. Now, let's look at what actually happens once the user passes input.
For that we have to go to a different file.
I'll provide the link in the description of these particular files, so you can have a look at it.
Okay, cool. So, we are now looking at the index.ts file, and this is exactly where some back-end logic is happening. Cool. As you can see, this is importing VM, the exact module we saw over here, the VM module.
So, it means that there's a chance we can escape out of the sandbox and inject our own payload some way, and we can make the chatbot do whatever we want.
But, the goal is to disable the chatbot in this case, so that's what we are going to do.
So, there's a lot of stuff in here, but we're going to look at this function exactly: add user, token, name, void, this.factory.run.
So, this function is really important over here, cuz it builds an executable string.
So, what this method do is it basically takes your input, and it places it in JavaScript template string. As you can see, this is the template string, and your name simply goes over here.
So, this constructed string is passed to a different function, which is this.factory.run, which treats the string as live code and executes it using the virtual machine, the VM module we saw. This is very similar to what we do with eval. In eval, we pass in code, and eval simply executes the code for us. Exactly the same thing is happening here, but with a different function and module, that is VM.
So, in this case, we can just simply escape out from here, just like we escape out of the XSS payload by adding in a quote to close the string, and then injecting our own payload. Similar to that, we can add our own payload that can disable the chatbot.
Okay, so let's do it.
I'm going to open my notepad.
Okay.
So, we're going to set our username as admin, let's say, and then we are going to close the string.
Circular braces, then we are closing it with a semicolon, so we can add our new statement. The new statement goes like this: process.
query = null.
And then, semicolon, we're going to say users.addUser.
And then, we are going to add a random user ID, and then a quote, and the name of the user, which in our case is test.
Okay. So, now we are going to copy this and go to the OWASP Juice Shop, and over here, we're just going to type it in the text box, and hit enter.
Okay, it says that we have solved the challenge, kill chatbot: permanently disable the support chat so that it can no longer answer customer queries. So, it is permanently disabled for everyone.
So, why we added this value null is because, let me go to chatbot.ts. Over here, you can see process.
There was a function called process.query.
Where did it go?
Yeah, process.query. So, as you can see, if the bot value is set to null, it's going to be unresponsive to the users. Figuring that out, we set the value to null, and then the next thing we did is we simply tried to add another user in the database with the name test.
So, yeah, not just killing the chatbot, but also adding my own user as well in this statement.
Anyways, this is crazy, and this is how you can test for it. There are obviously very different kinds of payloads that you can try, and you can play with them using any of your favorite AI you like, and you can learn more about it there. If you have any questions, let me know in the comment section. Thank you so much for watching.