Server-side javascript code injection

Rishabh Singh
3 min read · Aug 11, 2024

In this article, we will cover:

1. Introduction

2. What is Server-side javascript code injection?

3. How to find and test Server-side javascript code injection.

4. Exploitation of Server-side javascript code injection.

5. Mitigation of Server-side javascript code injection vulnerabilities.

6. References

1. Introduction

~Hello, Hackers. My name is Rishabh Singh. I am a bug bounty hunter and a penetration tester.

>> Follow me on Twitter @rsbarsania

>> Follow me on LinkedIn @rishabhkumarsingh20/

~ Hey you! Yes, You! … Grab your coffee, let's dive into this Server-side javascript code injection journey.

2. What is Server-side javascript code injection?

Server-side code injection vulnerabilities occur when an application includes user-controlled data in a string that a code interpreter evaluates dynamically. If this data is not rigorously validated, an attacker can manipulate the input to alter the executed code and inject arbitrary commands that the server will run.

These vulnerabilities are typically severe, resulting in a full compromise of the application’s data and functionality, and frequently impacting the server itself. Additionally, the compromised server may be leveraged as a platform for launching attacks on other systems.

3. How do you find and test Server-side javascript code injection vulnerabilities?

Identify any parameters that are passed through to the server-side query. For instance, in the example below, the _id parameter is sent to the server, which uses it to look up the record belonging to that query id.

Use the following payload and monitor the server’s response, paying particular attention to any delay that matches the time value specified in the payload.

{
  "query": {
    "_id": "64xxxxxxxxe3",
    "$where": "if(typeof rlk6a==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<3000);rlk6a=1;}"
  },
  "data": {
    "fullName": "Txx xxO"
  }
}

4. Exploitation of Server-side javascript code injection:

The application includes an update function that takes a query ID and lets the user update data such as the full name, as depicted in the figure below.

Add the payload to the request body and observe that the server responds after 10,000 milliseconds.

The payload successfully introduces a delay and then sets a variable (rlk6a=1); the surrounding typeof check uses that variable as a guard so the busy-wait runs only once, even though the $where clause is evaluated for every document the query touches.

Likewise, change the delay to 30,000 milliseconds and observe that the server responds after 30 seconds.

The figure below shows the server's response when the payload contains a syntax error.

Here the payload still carries the delay, but it also contains a syntax error (1=1, an assignment to a literal), so the JavaScript fails to parse and the server returns an error instead of executing it.
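From the defender's side, the request bodies in sections 3 and 4 have a recognisable shape: a client-supplied query object carrying a $where operator whose value is a Date-based busy loop with a millisecond threshold. The following is an added example, not code from the original article, of a screen that a logging or WAF layer could run over parsed JSON bodies to flag that shape. The function names and the sample bodies are assumptions; the sample reuses the placeholder values from the article.

```javascript
// Added example (not from the original article): flag MongoDB query objects that
// carry client-supplied operators, and specifically the time-delay $where shape
// shown in the article. Function names and sample bodies are assumed.

// Recursively collect every key in a parsed JSON body together with its dotted path.
function collectKeys(value, path = [], out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => collectKeys(v, path.concat(String(i)), out));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      out.push({ path: path.concat(k).join("."), key: k, value: v });
      collectKeys(v, path.concat(k), out);
    }
  }
  return out;
}

// Patterns that characterise a time-based probe inside $where:
// a Date-based busy loop and a numeric millisecond threshold.
const BUSY_WAIT = /new\s+Date\s*\(/i;
const LOOP = /\b(while|for)\s*\(/i;
const THRESHOLD = /<\s*(\d{3,})/;

// Returns a list of findings; an empty list means nothing suspicious was seen.
function screenBody(body) {
  const findings = [];
  for (const { path, key, value } of collectKeys(body)) {
    if (!key.startsWith("$")) continue; // plain field names are fine
    if (key === "$where") {
      const js = typeof value === "string" ? value : "";
      const timeBased = BUSY_WAIT.test(js) && LOOP.test(js);
      const m = js.match(THRESHOLD);
      findings.push({
        path,
        severity: timeBased ? "high" : "medium",
        reason: timeBased
          ? `time-based $where probe (~${m ? m[1] : "?"} ms)`
          : "$where operator in client-supplied query",
      });
    } else {
      // Any other operator key ($ne, $gt, $regex, ...) coming from the client is
      // still worth noting: the query object should never be client-controlled.
      findings.push({ path, severity: "low", reason: `operator key ${key} supplied by client` });
    }
  }
  return findings;
}

// Constructed sample: the request body from section 3 with its placeholder values.
const sampleBody = {
  query: {
    _id: "64xxxxxxxxe3",
    $where: "if(typeof rlk6a==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<3000);rlk6a=1;}",
  },
  data: { fullName: "Txx xxO" },
};

// Constructed sample: the same update request without the injected operator.
const benignBody = { query: { _id: "64xxxxxxxxe3" }, data: { fullName: "Txx xxO" } };

console.log(screenBody(sampleBody)); // one "high" finding at query.$where (~3000 ms)
console.log(screenBody(benignBody)); // []
```

The threshold captured from the payload is the number to correlate with the observed response time: a request whose body carries `<3000` and whose response took roughly three seconds longer than the endpoint's baseline is the same signal the tester is looking for, seen from the server logs.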

5. Mitigation of Server-side javascript code injection:

Applications should avoid integrating user-controlled data into dynamically evaluated code whenever possible. There are almost always safer methods to implement application functions that do not allow for arbitrary code injection.

If incorporating user-supplied data into dynamically evaluated code is unavoidable, then the data must be rigorously validated. Ideally, use a whitelist of explicitly accepted values. If that’s not feasible, restrict input to short alphanumeric strings only. Any input containing other characters, including potential code metacharacters, should be rejected.
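To make the mitigation concrete for the update function described in section 4, here is an added example, not the article's or the application's code, that contrasts the unsafe way of building the MongoDB update (forwarding the client's query object verbatim) with a hardened builder that reconstructs the filter from one validated value and restricts the update to an allowlist of fields. The field name, the ObjectId value and the request bodies are assumptions made for this illustration; the resulting `{ filter, update }` pair is the argument shape a real driver's `updateOne(filter, update)` expects.

```javascript
// Added example (not the article's code): unsafe vs hardened construction of the
// profile-update query. Field names, ids and request bodies are assumed.

// UNSAFE: the client-supplied query object becomes the filter unchanged, so any
// operator it carries ($where, $ne, $regex, ...) reaches the query engine.
function buildUnsafeUpdate(body) {
  return { filter: body.query, update: { $set: body.data } };
}

// Hardened: one validated id, one allowlisted set of fields, no client operators.
const OBJECT_ID = /^[0-9a-f]{24}$/;              // strict shape of an ObjectId string
const UPDATABLE = new Set(["fullName"]);         // the only field this endpoint may change
const PLAIN_TEXT = /^[\p{L}\p{N} .'-]{1,100}$/u; // letters, digits, space, a few punctuation marks; bounded

function buildSafeUpdate(body) {
  const id = body && body.query && body.query._id;
  if (typeof id !== "string" || !OBJECT_ID.test(id)) {
    throw new Error("invalid _id");
  }
  const set = {};
  for (const [field, value] of Object.entries((body && body.data) || {})) {
    if (!UPDATABLE.has(field)) throw new Error(`field not updatable: ${field}`);
    if (typeof value !== "string" || !PLAIN_TEXT.test(value)) {
      throw new Error(`invalid value for ${field}`);
    }
    set[field] = value;
  }
  if (Object.keys(set).length === 0) throw new Error("nothing to update");
  // The filter is rebuilt from scratch: it contains exactly one key, _id,
  // regardless of what else the client put into body.query.
  return { filter: { _id: id }, update: { $set: set } };
}

// Constructed request body: the article's $where payload attached to a
// syntactically valid (made-up) ObjectId.
const injectedBody = {
  query: {
    _id: "64b0f0c4e1a2b3c4d5e6f7a8",
    $where: "if(typeof rlk6a==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<3000);rlk6a=1;}",
  },
  data: { fullName: "Txx xxO" },
};

console.log(buildUnsafeUpdate(injectedBody).filter); // $where is forwarded to the database
console.log(buildSafeUpdate(injectedBody).filter);   // { _id: '64b0f0c4e1a2b3c4d5e6f7a8' } only
```

Two things are worth noting about the design. First, the hardened builder never "cleans" the client's query object; it throws it away and builds a new one, which is what closes the injection rather than chasing individual operator names. Second, the same rule can be enforced one layer down: MongoDB's `security.javascriptEnabled: false` server setting disables server-side JavaScript execution (including `$where`) altogether, so an application that has no legitimate use for it loses nothing by turning it off.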

6. References:

https://secops.group/a-deep-dive-into-server-side-javascript-injection-ssji-vulnerabilities/

Rishabh Singh

Bug bounty hunter | Ethical Hacker | Cyber security researcher