Rating:
Cookie named 'cart' is an nodejs json deserialization vulnerability injection point.
Because of node-serialize's RCE vulnerability, we can do Remode Code Execution.
But we cannot get the feedback of command execution. Thanks to server side error feed-back, we can get the output with error-based command injection.
Attack with backtick(``) in bash sub command
