Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cocon-Server_side_javascript_Injection.pdf

Kavisha Sheth
November 17, 2021
Technology
0
470

 Cocon-Server_side_javascript_Injection.pdf

Ever since its humble inception, JavaScript has gained a lot of traction in
the world of software development. What originally started as an experimental
language meant to increase responsiveness in the browser has evolved into a
full-fledged language with the capability to produce full-stack web
applications.
Applications are widely used, and new ways for easier and cost-effective
methods to develop them are constantly introduced. A common omission among
the new development and implementation techniques when designing them is
security; Node.js and NoSQL are no exception, various data-leaks over the
recent years have been attributed to people leaving MongoDB and other NoSQL
databases unsecured and accessible to anyone.
In this session, we will talk about
* What is server-side javascript injection is?
* Approach to find server-side javascript injection
* What can be done with server-side javascript injection
* Why it's necessary to bring cyber awareness to individuals,
organizations?

Kavisha Sheth

November 17, 2021
Tweet

More Decks by Kavisha Sheth

See All by Kavisha Sheth
Amazon Cognito (Mis)Configurations
kavisha
2
1.6k
OWASP 20th Anniversary - AWS (Mis)configuration from attacker’s eye-view
kavisha
0
400
Cloud attack vectors and security controls
kavisha
1
91
Understanding AWS cloud attacks using CloudGoat
kavisha
3
9.7k

Other Decks in Technology

See All in Technology
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
130
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
Lexical Analysis
shigashiyama
1
150
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Terraform Stacks入門 #HashiTalks
msato
0
360
AIチャットボット開発への生成AI活用
ryomrt
0
170
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
130
Can We Measure Developer Productivity?
ewolff
1
150
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
327
21k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Done Done
chrislema
181
16k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
GitHub's CSS Performance
jonrohan
1030
460k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
4 Signs Your Business is Dying
shpigford
180
21k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Faster Mobile Websites
deanohume
305
30k

Transcript

  1. Server side javascript Injection Kavisha sheth

  2. About me • Security analyst by profession • Listed as

    security researcher by NCIIPC RVDP for finding issues in government websites • Infosec speaker, spoken at national and international conference like OWASP, Defcon cloud village, Bsides , Null ahmedabad, Owasp BAY area

  3. Agenda • Definition • Why are we discussing this? •

    How to find this vulnerability? • Exploit • Bonus Tips

  4. Server side javascript injection “Server-side code injection vulnerabilities arise when

    an application incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted input to modify the code to be executed, and inject arbitrary code that will be executed by the server. “
  5. None
  6. None

  7. https://www.owasp.org/images/e/ed/GOD16-NOSQL.pdf

  8. https://infosecwriteups.com/nosql-injection-8732c2140576

  9. Useful Error Messages ReferenceError is a great indicator that we

    are injecting into a Server Side JavaScript parser, but the error indicates that response.end is not the correct response object name.

  10. Manually detect Server Side JavaScript Injection with Timestamp After the

    payload, result in a delay of at least 20 seconds Original request

  11. Exploitation

  12. None
  13. None

  14. • eval(), setTimeout(), setInterval(), Function() being used • No input

    validation Usage of Eval function
  15. None

  16. • Validate user inputs on server side before processing •

    Whitelist of specific accepted values should be used. • Do not use eval()function to parse user inputs. Avoid using other commands with similar effect, such as setTimeOut(), setInterval(), and Function(). • For parsing JSON input, instead of using eval(), use a safer alternative such as JSON.parse(). For type conversions use type related parseXXX()methods. parseInt() method usage

  17. Where else can found • Authentication mechanism • Filters, limit

    • Anything that’s require to request data

  18. What are the attacks possible using SSJI? • Authentication bypass

    • DOS attack • Command execution

  19. Bonus tips • Recon technique that might be helpful •

    Tools that help to speedup procedure • Approach

  20. Recon Tricks nmap -p 27017 --script mongodb-* <target> Useful in

    finding unauthenticated mongodb servers

  21. You got direct access to database ! Use Mongoaudit tool,

    which helps to test for security misconfigurations

  22. If you do not have direct access to the database,

    you are going to need to go through the web application

  23. Manual SSJI detection

  24. Approach so far!

  25. None

  26. References • https://github.com/OWASP/NodeGoat • https://www.syhunt.com/en/?n=Articles.NoSQLInjection • https://portswigger.net/kb/issues/00100d00_server-side-javascript-code-injection • https://github.com/S3cur3Th1sSh1t/SSJI---JSGen/blob/master/JSgen.py •

    https://github.com/stampery/mongoaudit • https://github.com/codingo/NoSQLMap.git