Save 37% off PRO during our Black Friday Sale! »

Cocon-Server_side_javascript_Injection.pdf

1e6cfe94614ed96ac769e93f2e0c63f0?s=47 Kavisha Sheth
November 17, 2021

 Cocon-Server_side_javascript_Injection.pdf

Ever since its humble inception, JavaScript has gained a lot of traction in
the world of software development. What originally started as an experimental
language meant to increase responsiveness in the browser has evolved into a
full-fledged language with the capability to produce full-stack web
applications.
Applications are widely used, and new ways for easier and cost-effective
methods to develop them are constantly introduced. A common omission among
the new development and implementation techniques when designing them is
security; Node.js and NoSQL are no exception, various data-leaks over the
recent years have been attributed to people leaving MongoDB and other NoSQL
databases unsecured and accessible to anyone.
In this session, we will talk about
* What is server-side javascript injection is?
* Approach to find server-side javascript injection
* What can be done with server-side javascript injection
* Why it's necessary to bring cyber awareness to individuals,
organizations?

1e6cfe94614ed96ac769e93f2e0c63f0?s=128

Kavisha Sheth

November 17, 2021
Tweet

Transcript

  1. Server side javascript Injection Kavisha sheth

  2. About me • Security analyst by profession • Listed as

    security researcher by NCIIPC RVDP for finding issues in government websites • Infosec speaker, spoken at national and international conference like OWASP, Defcon cloud village, Bsides , Null ahmedabad, Owasp BAY area
  3. Agenda • Definition • Why are we discussing this? •

    How to find this vulnerability? • Exploit • Bonus Tips
  4. Server side javascript injection “Server-side code injection vulnerabilities arise when

    an application incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted input to modify the code to be executed, and inject arbitrary code that will be executed by the server. “
  5. None
  6. None
  7. https://www.owasp.org/images/e/ed/GOD16-NOSQL.pdf

  8. https://infosecwriteups.com/nosql-injection-8732c2140576

  9. Useful Error Messages ReferenceError is a great indicator that we

    are injecting into a Server Side JavaScript parser, but the error indicates that response.end is not the correct response object name.
  10. Manually detect Server Side JavaScript Injection with Timestamp After the

    payload, result in a delay of at least 20 seconds Original request
  11. Exploitation

  12. None
  13. None
  14. • eval(), setTimeout(), setInterval(), Function() being used • No input

    validation Usage of Eval function
  15. None
  16. • Validate user inputs on server side before processing •

    Whitelist of specific accepted values should be used. • Do not use eval()function to parse user inputs. Avoid using other commands with similar effect, such as setTimeOut(), setInterval(), and Function(). • For parsing JSON input, instead of using eval(), use a safer alternative such as JSON.parse(). For type conversions use type related parseXXX()methods. parseInt() method usage
  17. Where else can found • Authentication mechanism • Filters, limit

    • Anything that’s require to request data
  18. What are the attacks possible using SSJI? • Authentication bypass

    • DOS attack • Command execution
  19. Bonus tips • Recon technique that might be helpful •

    Tools that help to speedup procedure • Approach
  20. Recon Tricks nmap -p 27017 --script mongodb-* <target> Useful in

    finding unauthenticated mongodb servers
  21. You got direct access to database ! Use Mongoaudit tool,

    which helps to test for security misconfigurations
  22. If you do not have direct access to the database,

    you are going to need to go through the web application
  23. Manual SSJI detection

  24. Approach so far!

  25. None
  26. References • https://github.com/OWASP/NodeGoat • https://www.syhunt.com/en/?n=Articles.NoSQLInjection • https://portswigger.net/kb/issues/00100d00_server-side-javascript-code-injection • https://github.com/S3cur3Th1sSh1t/SSJI---JSGen/blob/master/JSgen.py •

    https://github.com/stampery/mongoaudit • https://github.com/codingo/NoSQLMap.git