SANS Penetration Testing

Mining Meteor

By Tim Medin
SANS Instructor & Counter Hack Engineer

Meteor is a game-changing framework for rapid software development and is the top-rated web framework on Github. Meteor offers a number of benefits, including real-time applications by default. With benefits like these, we are likely to see more Meteor applications...

...And you should know how to hack it!

Meteor Basics

TL;DR: The client pulls data with a subscription from a corresponding publication. All rendering takes place on the client. The client has all the code for the site to render the data.

Sometimes too much data (or code) is sent to the client even though it isn't displayed. If the server pushes too much data, either documents (rows in a traditional RDBMS) or fields, we can exploit that. The data doesn't have to be rendered to extract it from the server. The data is sent to and from the server using a protocol called the Distributed Data Protocol (DDP). DDP handles both data synchronization and remote procedure calls. We get nicely typed data in our minimongo database in the browser, and we can extract it using the methods described below.

Extracting the Data

We can extract the local collections (collections are analogous to traditional RDBMS tables) using the following JavaScript console command:


To extract the data from the collections we can use:


Or list the subscriptions:


Automation with Tampermonkey & Meteor Miner

We can extract the data manually or by running scripts in the context of the page. To automate the process, we need to be able to access the page's JavaScript variables, but unfortunately Firefox and Chrome WebExtensions don't allow access to them. IMHO, this is a silly separation. Extensions can already manipulate the entire DOM. I don't understand why this provides any significant security difference...but I digress.

Fortunately, a Tampermonkey script does allow access to JavaScript variables. I wrote a Tampermonkey script to extract information from Meteor sites and posted it on my GitHub page. I call the project "Meteor Miner."

This script grabs information from the site, including the names of templates (analogous to pages), the template helpers (functions in a template), subscriptions, and collections.


MeteorMiner can be used to find paths that are used with Iron Router. As pen testers, we access these pages and check that authentication is properly implemented and that the associated pub/sub is properly filtered. In the MeteorTodosGoat application, the /admin/users route exists even though there is no link to it in the interface.


MeteorMiner analyzes the collections and looks for unique field sets. If the data has a non-uniform shape, it is noted next to the collection. This can be helpful for finding unique data that may have leaked. To see the field types, simply click on the collection name in Meteor Miner.


You can use MyCollectionName.find().fetch() to access all the data in the collection and look for any sensitive information. In the MeteorTodosGoat application the password hash is "accidentally" pushed to the client since the developer 1) didn't restrict access to the data even though the page is not reachable through the interface and 2) didn't filter the sensitive fields from publications.



Active subscriptions and the parameters passed to the subscriptions are listed in Meteor Miner.


The publication and parameters can be fuzzed to see if there is a way to extract extra data from the web server. For example, in the JavaScript console we could try the following:

Meteor.subscribe('list', {$gt: ''})

In MeteorTodosGoat this will extract all the Todo Lists from the database.
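The two developer mistakes above (unfiltered fields and an unchecked subscription argument) and their fix, as an added example that is not code from the original post or from MeteorTodosGoat. The collection, the documents, and the tiny selector matcher standing in for Meteor's Mongo driver and for check(listId, String) are all constructed here so the block runs offline in Node.

```javascript
// Constructed sample documents standing in for the server-side Lists collection.
const lists = [
  { _id: 'l1', name: 'Groceries', userId: 'alice', services: { password: { bcrypt: '$2a$10$hash' } } },
  { _id: 'l2', name: 'Secrets', userId: 'bob', services: { password: { bcrypt: '$2a$10$hash' } } },
];

// Minimal stand-in for a Mongo selector match (assumed here, not Meteor's code):
// supports equality and the $gt operator so the injected selector behaves as on the page.
function matches(doc, selector) {
  return Object.entries(selector).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, v]) => (op === '$gt' ? doc[field] > v : false));
    }
    return doc[field] === cond;
  });
}
function find(selector) { return lists.filter((d) => matches(d, selector)); }

// Vulnerable publication body: the client-supplied argument is dropped straight into
// the selector. Meteor.subscribe('list', {$gt: ''}) turns it into {_id: {$gt: ''}},
// which matches every document, and every field (hash included) goes to the client.
function vulnerableListPublication(userId, listId) {
  return find({ _id: listId });
}

// Hardened publication body:
// 1) reject anything but a plain string (what Meteor's check(listId, String) enforces),
// 2) publish nothing to anonymous users and scope the query to the subscriber,
// 3) project only the fields the template needs, so 'services' never leaves the server.
function hardenedListPublication(userId, listId) {
  if (typeof listId !== 'string') throw new Error('Match failed: listId must be a String');
  if (!userId) return [];
  return find({ _id: listId, userId }).map(({ _id, name }) => ({ _id, name }));
}

module.exports = { vulnerableListPublication, hardenedListPublication };
```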



While Meteor and NoSQL do offer a lot of protection against some of the common attacks (traditional SQL injection and XSS), there are still ways we can attack these systems. In some ways, it can be even easier to attack modern apps, as so much processing is done on the client.

I do believe that pen testing Meteor-based applications is growing increasingly important, and I hope you have fun conducting such projects in the near future.

- Tim Medin



Posted December 8, 2016 at 3:46 PM


Firebase also has similar problems to this. Check it out sometime. Basically, without properly creating Firebase rules, the data can be completely extracted from the server using the Firebase client or simple JavaScript on the client.
