Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cocon-Server_side_javascript_Injection.pdf

Kavisha Sheth
November 17, 2021
Technology
0
470

 Cocon-Server_side_javascript_Injection.pdf

Ever since its humble inception, JavaScript has gained a lot of traction in
the world of software development. What originally started as an experimental
language meant to increase responsiveness in the browser has evolved into a
full-fledged language with the capability to produce full-stack web
applications.
Applications are widely used, and new ways for easier and cost-effective
methods to develop them are constantly introduced. A common omission among
the new development and implementation techniques when designing them is
security; Node.js and NoSQL are no exception, various data-leaks over the
recent years have been attributed to people leaving MongoDB and other NoSQL
databases unsecured and accessible to anyone.
In this session, we will talk about
* What is server-side javascript injection is?
* Approach to find server-side javascript injection
* What can be done with server-side javascript injection
* Why it's necessary to bring cyber awareness to individuals,
organizations?

Kavisha Sheth

November 17, 2021
Tweet

More Decks by Kavisha Sheth

See All by Kavisha Sheth
Amazon Cognito (Mis)Configurations
kavisha
2
1.6k
OWASP 20th Anniversary - AWS (Mis)configuration from attacker’s eye-view
kavisha
0
390
Cloud attack vectors and security controls
kavisha
1
91
Understanding AWS cloud attacks using CloudGoat
kavisha
3
9.6k

Other Decks in Technology

See All in Technology
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
1
620
急成長中のWINTICKETにおける品質と開発スピードと向き合ったQA戦略と今後の展望 / winticket-autify
cyberagentdevelopers
PRO
1
160
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
200
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
Amazon_CloudWatch_ログ異常検出_導入ガイド
tsujiba
4
1.6k
Jr. Championsになって、強く連携しながらAWSをもっと使いたい!~AWSに対する期待と行動~
amixedcolor
0
190
pandasはPolarsに性能面で追いつき追い越せるのか
vaaaaanquish
4
4.6k
Shift-from-React-to-Vue
calm1205
3
1.3k
使えそうで使われないCloudHSM
maikamibayashi
0
170
30万人が利用するチャットをFirebase Realtime DatabaseからActionCableへ移行する方法
ryosk7
5
350
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
Java x Spring Boot Warm up
kazu_kichi_67
2
490

Featured

See All Featured
Making Projects Easy
brettharned
115
5.9k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Adopting Sorbet at Scale
ufuk
73
9k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Testing 201, or: Great Expectations
jmmastey
38
7k
Build The Right Thing And Hit Your Dates
maggiecrowley
32
2.4k
Code Reviewing Like a Champion
maltzj
519
39k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
Typedesign – Prime Four
hannesfritz
39
2.4k
How to Think Like a Performance Engineer
csswizardry
19
1.1k

Transcript

  1. Server side javascript Injection Kavisha sheth

  2. About me • Security analyst by profession • Listed as

    security researcher by NCIIPC RVDP for finding issues in government websites • Infosec speaker, spoken at national and international conference like OWASP, Defcon cloud village, Bsides , Null ahmedabad, Owasp BAY area

  3. Agenda • Definition • Why are we discussing this? •

    How to find this vulnerability? • Exploit • Bonus Tips

  4. Server side javascript injection “Server-side code injection vulnerabilities arise when

    an application incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted input to modify the code to be executed, and inject arbitrary code that will be executed by the server. “
  5. None
  6. None

  7. https://www.owasp.org/images/e/ed/GOD16-NOSQL.pdf

  8. https://infosecwriteups.com/nosql-injection-8732c2140576

  9. Useful Error Messages ReferenceError is a great indicator that we

    are injecting into a Server Side JavaScript parser, but the error indicates that response.end is not the correct response object name.

  10. Manually detect Server Side JavaScript Injection with Timestamp After the

    payload, result in a delay of at least 20 seconds Original request

  11. Exploitation

  12. None
  13. None

  14. • eval(), setTimeout(), setInterval(), Function() being used • No input

    validation Usage of Eval function
  15. None

  16. • Validate user inputs on server side before processing •

    Whitelist of specific accepted values should be used. • Do not use eval()function to parse user inputs. Avoid using other commands with similar effect, such as setTimeOut(), setInterval(), and Function(). • For parsing JSON input, instead of using eval(), use a safer alternative such as JSON.parse(). For type conversions use type related parseXXX()methods. parseInt() method usage

  17. Where else can found • Authentication mechanism • Filters, limit

    • Anything that’s require to request data

  18. What are the attacks possible using SSJI? • Authentication bypass

    • DOS attack • Command execution

  19. Bonus tips • Recon technique that might be helpful •

    Tools that help to speedup procedure • Approach

  20. Recon Tricks nmap -p 27017 --script mongodb-* <target> Useful in

    finding unauthenticated mongodb servers

  21. You got direct access to database ! Use Mongoaudit tool,

    which helps to test for security misconfigurations

  22. If you do not have direct access to the database,

    you are going to need to go through the web application

  23. Manual SSJI detection

  24. Approach so far!

  25. None

  26. References • https://github.com/OWASP/NodeGoat • https://www.syhunt.com/en/?n=Articles.NoSQLInjection • https://portswigger.net/kb/issues/00100d00_server-side-javascript-code-injection • https://github.com/S3cur3Th1sSh1t/SSJI---JSGen/blob/master/JSgen.py •

    https://github.com/stampery/mongoaudit • https://github.com/codingo/NoSQLMap.git