Cocon-Server_side_javascript_Injection.pdf

Transcript

1. Server side javascript Injection Kavisha sheth

2. About me • Security analyst by profession • Listed as

   security researcher by NCIIPC RVDP for finding issues in government websites • Infosec speaker, spoken at national and international conference like OWASP, Defcon cloud village, Bsides , Null ahmedabad, Owasp BAY area

3. Agenda • Definition • Why are we discussing this? •

   How to find this vulnerability? • Exploit • Bonus Tips

4. Server side javascript injection “Server-side code injection vulnerabilities arise when

   an application incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted input to modify the code to be executed, and inject arbitrary code that will be executed by the server. “
5. None
6. None

7. https://www.owasp.org/images/e/ed/GOD16-NOSQL.pdf

8. https://infosecwriteups.com/nosql-injection-8732c2140576

9. Useful Error Messages ReferenceError is a great indicator that we

   are injecting into a Server Side JavaScript parser, but the error indicates that response.end is not the correct response object name.

10. Manually detect Server Side JavaScript Injection with Timestamp After the

    payload, result in a delay of at least 20 seconds Original request

11. Exploitation

12. None
13. None

14. • eval(), setTimeout(), setInterval(), Function() being used • No input

    validation Usage of Eval function
15. None

16. • Validate user inputs on server side before processing •

    Whitelist of specific accepted values should be used. • Do not use eval()function to parse user inputs. Avoid using other commands with similar effect, such as setTimeOut(), setInterval(), and Function(). • For parsing JSON input, instead of using eval(), use a safer alternative such as JSON.parse(). For type conversions use type related parseXXX()methods. parseInt() method usage

17. Where else can found • Authentication mechanism • Filters, limit

    • Anything that’s require to request data

18. What are the attacks possible using SSJI? • Authentication bypass

    • DOS attack • Command execution

19. Bonus tips • Recon technique that might be helpful •

    Tools that help to speedup procedure • Approach

20. Recon Tricks nmap -p 27017 --script mongodb-* <target> Useful in

    finding unauthenticated mongodb servers

21. You got direct access to database ! Use Mongoaudit tool,

    which helps to test for security misconfigurations

22. If you do not have direct access to the database,

    you are going to need to go through the web application

23. Manual SSJI detection

24. Approach so far!

25. None

26. References • https://github.com/OWASP/NodeGoat • https://www.syhunt.com/en/?n=Articles.NoSQLInjection • https://portswigger.net/kb/issues/00100d00_server-side-javascript-code-injection • https://github.com/S3cur3Th1sSh1t/SSJI---JSGen/blob/master/JSgen.py •

    https://github.com/stampery/mongoaudit • https://github.com/codingo/NoSQLMap.git