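#! /usr/bin/node
/**
 * @file        xmlhttprequest-ssl.js
 *              This program demonstrates the SSL cert security vulnerability in
 *              xmlhttprequest-ssl versions 1.5 through 1.6.0.
 *
 *              The check issues a GET to a host that presents a self-signed
 *              certificate. A client that validates certificates must refuse the
 *              connection; a client that returns content has accepted an
 *              unauthenticated peer, so TLS is giving it no protection against an
 *              on-path attacker.
 *
 *              Requirements: install xmlhttprequest-ssl package from public npm repository; e.g.
 *                npm init   # create package.json
 *                npm i xmlhttprequest-ssl@1.6.0
 *
 *              Exit status: 0 when the certificate was rejected, 1 when content was
 *              retrieved anyway, 2 when the request failed for an unrelated reason
 *              (result inconclusive). This lets the script run as a regression check
 *              against whichever package version is installed.
 *
 * @author      Wes Garland, wes@kingsds.network
 * @date        April 2021
 */
'use strict';

const XMLHttpRequest = require('xmlhttprequest-ssl');

/* Error code this script expects on the failed request when the self-signed leaf certificate is refused. */
const SELF_SIGNED_CODE = 'DEPTH_ZERO_SELF_SIGNED_CERT';

const xhr = new XMLHttpRequest(); /* pass empty object in version 1.5.4 to work around bug */

xhr.open('GET', 'https://self-signed.badssl.com/');
/* Log the ready state itself as well as the status, so the label matches what is printed. */
xhr.addEventListener('readystatechange', () => console.log('ready state:', xhr.readyState, 'status:', xhr.status));
xhr.addEventListener('loadend', loadend);

/**
 * Classify the finished request.
 *
 * This script relies on the library reporting a failed request as status 0
 * with the underlying error object in statusText; statusText is read
 * defensively because it is not an object on every code path.
 */
function loadend() {
  console.log('loadend:', xhr);

  const failure = xhr.statusText;
  const errorCode = failure && failure.code;

  if (xhr.status === 0 && errorCode === SELF_SIGNED_CODE) {
    console.log('test passed: self-signed cert rejected');
    return;
  }

  if (xhr.status === 0) {
    /* DNS failure, timeout, refused connection, ...: nothing was retrieved, so this
     * says nothing about certificate validation and must not be reported as a failure. */
    console.log('test inconclusive: request failed for another reason:', errorCode || failure);
    process.exitCode = 2;
    return;
  }

  console.log('*** test failed: self-signed cert used to retrieve content');
  process.exitCode = 1;
}

xhr.send();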