SANS Penetration Testing

Mining Meteor

By Tim Medin
SANS Instructor & Counter Hack Engineer

Meteor is a game-changing framework for rapid software development and is the top-rated web framework on GitHub. Meteor offers a number of benefits, including real-time applications by default. With such benefits, we are likely to see more Meteor applications...

...And you should know how to hack it!

Meteor Basics

TL;DR: The client pulls data with a subscription from a corresponding publication. All rendering takes place on the client. The client has all the code for the site to render the data.

Sometimes too much data (or code) is sent to the client even though it isn't displayed. If the server pushes too much data to the client, either documents (rows in a traditional RDBMS) or fields, we can exploit that. The data doesn't have to be rendered for us to extract it from the server. The data is sent to and from the server using a protocol called the Distributed Data Protocol (DDP). DDP handles both data synchronization and remote procedure calls. We get nicely typed data in our minimongo database in the browser, and we can extract it using the methods described below.

Extracting the Data

We can list the local collections (collections are analogous to traditional RDBMS tables) using the following JavaScript console command:


To extract the data from the collections we can use:


Or list the subscriptions:


Automation with Tampermonkey & Meteor Miner

We can extract the data manually or by running scripts in the context of the page. To automate the process, we need to be able to access the page's JavaScript variables, but unfortunately Firefox and Chrome WebExtensions don't allow access to them. IMHO, this is a silly separation. Extensions can already manipulate the entire DOM. I don't understand why this provides any significant security difference...but I digress.

Fortunately, a Tampermonkey script runs in the context of the page and can access its JavaScript variables. I wrote a Tampermonkey script to extract information from Meteor sites and posted it on my GitHub page. I call the project "Meteor Miner."

This script grabs information from the site, including the names of templates (analogous to pages), the template helpers (functions in a template), subscriptions, and collections.


Meteor Miner can be used to find paths that are used with Iron Router. As pen testers, we access these pages and check whether authentication is properly implemented and whether the associated pub/sub is properly filtered. In the MeteorTodosGoat application, the /admin/users route exists even though there is no link to it in the interface.


Meteor Miner analyzes the collections and looks for unique field sets. If the data has a non-uniform shape, this is noted next to the collection, which can help find unusual documents that may have leaked. To see the field types, simply click on the collection name in Meteor Miner.


You can use MyCollectionName.find().fetch() to access all the data in the collection and look for any sensitive information. In the MeteorTodosGoat application, the password hash is "accidentally" pushed to the client because the developer 1) didn't restrict access to the data (relying on the page not being linked in the interface) and 2) didn't filter the sensitive fields out of the publications.



Active subscriptions, and the parameters passed to them, are listed in Meteor Miner.


The publication name and its parameters can be fuzzed to see whether there is a way to extract extra data from the web server. For example, in the JavaScript console we could try the following:

Meteor.subscribe('list', {$gt: ''})

In MeteorTodosGoat, this extracts all of the Todo lists from the database.
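The two publication mistakes described above (pushing whole documents, password hash included, and forwarding a subscription argument straight into a database selector) side by side with their hardened forms, as an added example. This is not code from the post, from MeteorTodosGoat, or from Meteor itself: the real APIs (Meteor.publish, the `fields` projection option, `check` from meteor/check, Mongo.Collection) are replaced by a small in-memory stand-in so the logic runs under plain Node.js, and the collection names, documents and function names are constructed for illustration.

```javascript
// Added example (not from the original post or the Meteor project). A tiny
// in-memory stand-in for Meteor publications so the two mistakes and their
// fixes can be exercised without a Meteor server.

// Constructed sample documents, standing in for Meteor.users and a "lists"
// collection. The bcrypt values are placeholders, not real hashes.
const users = [
  { _id: 'u1', username: 'alice', services: { password: { bcrypt: '$2b$10$PLACEHOLDER-ALICE' } } },
  { _id: 'u2', username: 'bob',   services: { password: { bcrypt: '$2b$10$PLACEHOLDER-BOB' } } },
];
const lists = [
  { _id: 'l1', name: 'Groceries', owner: 'u1' },
  { _id: 'l2', name: 'Work',      owner: 'u2' },
  { _id: 'l3', name: 'Private',   owner: 'u2' },
];

// Minimal subset of Mongo selector matching: a plain value is an equality
// test, an object carrying $gt is a comparison. This is enough to show why
// {$gt: ''} matches every document once the server forwards it unchecked.
function matches(doc, field, cond) {
  const v = doc[field];
  if (cond !== null && typeof cond === 'object' && '$gt' in cond) return v > cond.$gt;
  return v === cond;
}
function find(coll, field, cond) {
  return coll.filter(d => matches(d, field, cond));
}

// Projection: keep only the listed top-level fields, the stand-in for
// Meteor's {fields: {...}} option on find().
function project(doc, fields) {
  const out = {};
  for (const f of fields) if (f in doc) out[f] = doc[f];
  return out;
}

// Mistake 1: publishing the users collection with no field filter.
function publishUsersLeaky() {
  return users; // whole documents, password hashes included
}
// Hardened: an explicit allow-list of fields; the hash never leaves the server.
function publishUsersSafe() {
  return users.map(u => project(u, ['_id', 'username']));
}

// Mistake 2: the subscription argument goes straight into the selector, so a
// client can send a selector object instead of an id.
function publishListLeaky(listId) {
  return find(lists, '_id', listId); // {$gt: ''} -> every list
}
// Hardened: reject anything but a string (what check(listId, String) does in
// Meteor) and scope the result to the calling user, since the publication is
// the server-side authorization point.
function publishListSafe(listId, userId) {
  if (typeof listId !== 'string') throw new TypeError('listId must be a string');
  return find(lists, '_id', listId).filter(l => l.owner === userId);
}

// Defender-side check for a review or test suite: does anything a publication
// returns carry a field (given as a dotted path) that must never reach the client?
function leaksField(docs, path) {
  const get = d => path.split('.').reduce((o, k) => (o == null ? o : o[k]), d);
  return docs.some(d => get(d) !== undefined);
}

module.exports = { publishUsersLeaky, publishUsersSafe, publishListLeaky, publishListSafe, leaksField };
```

The `leaksField` check is the kind of assertion worth keeping in a project's test suite: run every publication with a test user and confirm that fields such as `services.password.bcrypt` are absent from what it returns, so a later change to a publication cannot quietly reintroduce the leak.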



While Meteor and NoSQL do offer a lot of protection against some of the common attacks (traditional SQL injection and XSS), there are still ways we can attack these systems. In some ways, it can be even easier to attack modern apps, as so much processing is done on the client.

I do believe that pen testing Meteor-based applications is growing increasingly important, and I hope you have fun conducting such projects in the near future.

- Tim Medin

Upcoming SANS Special Event - 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions for free 24/7/365:

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen


Posted December 8, 2016 at 3:46 PM


Firebase also has similar problems as this. Check it out sometime. Basically, without properly creating Firebase rules, the data can be completely extracted from the server using the Firebase client or simple JavaScript on the client.

Posted September 5, 2017 at 11:28 AM


Thanks for your great job.
