Why Server Side JavaScript Code Injection Is The Biggest Threat?

Here, we will discuss the little-known evil side of JavaScript! You probably know that ever since it appeared, JavaScript has gained a great deal of traction in the world of software development. I will introduce you to a situation where a vulnerability can easily and “accidentally” be introduced into an app. It happens through a very simple misconfiguration. Let’s meet the enemy: server-side code injection!

Server side JavaScript Code Injection Description

These vulnerabilities tend to arise when the app incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. Let’s say that the user’s data isn’t strictly validated. What can the attacker do in such a situation? He or she can use crafted input to modify the code that will be executed.

The attacker can then inject arbitrary code of his choosing, which will be executed by the server itself. Remember that these vulnerabilities are very serious and very dangerous. They can easily lead to the total compromise of the app’s functionality and, of course, its data. In most situations, the server hosting the app meets the same “destiny”. Before taking a look at the impact of server-side injection, I would also like to say, as an intro to it, that the attacker may use one server as a platform for further planned attacks against many other systems. Do you understand now how dangerous server-side JavaScript code injection is? I think you do, clearly.

Server side JavaScript Code Injection Impact

I have introduced you to this vulnerability. Now we will take a look at its impact together. As I have said, always keep in mind how dangerous this injection is. The biggest problem with this issue is that it is almost impossible to recognize. It may seem like a normal response. I will show you that later through the example. It can cause various kinds of damage, and the most common are denial of service, file system access and the execution of binary files. So, the first is a complete blockade of system usage, the second is unauthorized access and the last is execution.

Example Of Server side JavaScript Code Injection Impact

As I have said, it is best to understand this injection through an example. I will show you how easily people can miss it, thinking that there is nothing vulnerable in this response. This injection is very tricky, as I will explain after you take a look at the example.

var http = require('http');

http.createServer(function (request, response) {
  if (request.method === 'POST') {
    var data = '';
    // Collect the raw request body as it arrives
    request.addListener('data', function (chunk) { data += chunk; });
    request.addListener('end', function () {
      // Vulnerable: the request body is evaluated as JavaScript
      var bankData = eval("(" + data + ")");
      bankQuery(bankData.balance);
    });
  }
});

Can you see something vulnerable in this example? Most people cannot. The problem with this response is that it contains the eval function. Calling it on user data is what makes the code vulnerable, and most of the time that is not visible to the untrained eye. What does the function do? It literally evaluates, as JavaScript, the data passed in dynamically by the user. Let’s say that the user submits a JSON object. What happens then? The eval function evaluates it as a JSON object, but anything else the user submits is evaluated as code in exactly the same way.

Recent Attacks Of Server side JavaScript Code Injection

I have talked about its impact, mentioning first the denial of access. What does that mean? It is a highly effective kind of denial-of-service attack, yet it can be executed in a simple way, by passing a command to the eval() function. It will look like this: while (1). With this input, the target server won’t be able to process requests or even to stop the loop. I have mentioned file system access too. What could be another potential goal of the attacker? It would definitely be to read the contents of any files that he or she wants, or to get access to sensitive information of great value. Once he gains access, he will be able to write on the server. The third thing I talked about was the execution of binary files. The attacker just follows his plan and exploits the vulnerability by executing or even writing harmful binary files.

How To Fix Server side JavaScript Code Injection

As I have said, this vulnerability is sometimes “hidden” and hardly visible to the untrained eye. The first thing you need to know is how to treat those vulnerabilities: they must be carefully mitigated. If you are creating “ad-hoc” JavaScript commands that include user input, you need to be aware that unsanitized dynamic user input almost always results in these types of vulnerability. You have heard so much here about the eval function. Avoid it as much as you can, and you will decrease the chances of damage. Also, always validate all user input on the server side. Do it before processing.
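
One way to apply both pieces of advice to the handler shown earlier, as an added example that is not code from the original article: JSON.parse() replaces eval(), and the parsed value is validated before bankQuery is called. The names parseBankData, makeHandler and MAX_BODY_CHARS are assumptions made for this example.

```javascript
// Added example: the earlier handler with eval() replaced by JSON.parse().
// parseBankData, makeHandler and MAX_BODY_CHARS are assumed names.
const MAX_BODY_CHARS = 1024;

// Parse the request body as data only. JSON.parse never executes code:
// input such as "while (1)" raises SyntaxError instead of running.
function parseBankData(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    return { ok: false, error: 'body is not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  if (typeof parsed.balance !== 'number' || !Number.isFinite(parsed.balance)) {
    return { ok: false, error: 'balance must be a finite number' };
  }
  return { ok: true, balance: parsed.balance };
}

// Build a handler for http.createServer(); bankQuery is the application
// function from the original snippet, passed in by the caller.
function makeHandler(bankQuery) {
  return function (request, response) {
    if (request.method !== 'POST') {
      response.writeHead(405);
      return response.end();
    }
    let data = '';
    let tooLarge = false;
    request.on('data', function (chunk) {
      if (tooLarge) return; // stop buffering once the cap is exceeded
      data += chunk;
      if (data.length > MAX_BODY_CHARS) tooLarge = true;
    });
    request.on('end', function () {
      const result = tooLarge ? { ok: false, error: 'body too large' } : parseBankData(data);
      if (!result.ok) {
        response.writeHead(tooLarge ? 413 : 400);
        return response.end(result.error);
      }
      bankQuery(result.balance); // only a validated number reaches the application
      response.writeHead(200);
      response.end();
    });
  };
}
```

Pass the result of makeHandler(bankQuery) to http.createServer() in place of the original callback.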

This is a powerful vulnerability which requires a little bit of knowledge to be recognized. But that is what we have gained now, right? You are now able to detect it and to protect your server!