Slide 1

Server Side JavaScript Injection
Kavisha Sheth

Slide 2

About me
● Security analyst by profession
● Listed as a security researcher by NCIIPC RVDP for finding issues in government websites
● Infosec speaker at national and international conferences such as OWASP, DEF CON Cloud Village, BSides, null Ahmedabad and OWASP Bay Area

Slide 3

Agenda
● Definition
● Why are we discussing this?
● How to find this vulnerability?
● Exploit
● Bonus Tips

Slide 4

Server Side JavaScript Injection
“Server-side code injection vulnerabilities arise when an application incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted input to modify the code to be executed, and inject arbitrary code that will be executed by the server.”

Slide 7

https://www.owasp.org/images/e/ed/GOD16-NOSQL.pdf

Slide 8

https://infosecwriteups.com/nosql-injection-8732c2140576

Slide 9

Useful Error Messages
A ReferenceError is a great indicator that we are injecting into a server-side JavaScript parser, but the error indicates that response.end is not the correct response object name.

Slide 10

Manually detect Server Side JavaScript Injection with a timestamp
After the payload, the response is delayed by at least 20 seconds.
Original request

Slide 11

Exploitation

Slide 14

● eval(), setTimeout(), setInterval(), Function() being used
● No input validation
Usage of eval() function

Slide 16

● Validate user input on the server side before processing.
● Use a whitelist of specific accepted values.
● Do not use the eval() function to parse user input. Avoid other commands with a similar effect, such as setTimeout(), setInterval() and Function().
● For parsing JSON input, instead of eval() use a safer alternative such as JSON.parse(). For type conversions use the type-specific parseXXX() methods.
parseInt() method usage
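As an added example (not code from the slides), the eval()-based body parser flagged on slide 14 next to a hardened version applying the mitigations on this slide; the field names limit and sort, the accepted sort values and MAX_LIMIT are assumed.

```javascript
// Added example (not from the slides): a typical Node.js pattern that parses a
// JSON request body with eval() (the defect the slides flag), next to a hardened
// version that uses JSON.parse(), a whitelist of accepted fields and parseInt().

// VULNERABLE: user-controlled text is handed to the JavaScript interpreter.
// Anything that is valid JavaScript, not just JSON, is executed server side.
function parseBodyUnsafe(rawBody) {
  return eval("(" + rawBody + ")");
}

// Hardened: JSON.parse() only understands data, never code, and every field is
// checked against an allow-list before it is used.
const ALLOWED_SORT = new Set(["name", "date"]); // hypothetical accepted values
const MAX_LIMIT = 100;                           // hypothetical upper bound

function parseBodySafe(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    throw new Error("invalid JSON body");
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("body must be a JSON object");
  }
  // Type conversion with parseInt() instead of trusting whatever type arrived.
  const limit = parseInt(body.limit, 10);
  if (Number.isNaN(limit) || limit < 1 || limit > MAX_LIMIT) {
    throw new Error("limit must be an integer between 1 and " + MAX_LIMIT);
  }
  // Whitelist: only known sort keys are accepted; anything else is rejected.
  if (typeof body.sort !== "string" || !ALLOWED_SORT.has(body.sort)) {
    throw new Error("sort must be one of: " + [...ALLOWED_SORT].join(", "));
  }
  return { limit, sort: body.sort };
}

// Constructed inputs: a legitimate request body, and a body that is valid
// JavaScript but not valid JSON (the kind of thing eval() runs as code).
const GOOD_BODY = '{"limit": "25", "sort": "date"}';
const NOT_JSON_BODY = '{"limit": (function () { return 1; })(), "sort": "date"}';
```

JSON.parse() rejects the second body outright, while eval() evaluates the embedded function and returns limit 1, which is exactly the difference the slide describes.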

Slide 17

Where else can it be found?
● Authentication mechanisms
● Filters, limits
● Anything that requires request data

Slide 18

What attacks are possible using SSJI?
● Authentication bypass
● DoS attack
● Command execution

Slide 19

Bonus tips
● Recon techniques that might be helpful
● Tools that help speed up the procedure
● Approach

Slide 20

Recon Tricks
nmap -p 27017 --script mongodb-*
Useful in finding unauthenticated MongoDB servers

Slide 21

You got direct access to the database! Use the mongoaudit tool, which helps test for security misconfigurations.

Slide 22

If you do not have direct access to the database, you are going to need to go through the web application.

Slide 23

Manual SSJI detection

Slide 24

Approach so far!

Slide 26

References
● https://github.com/OWASP/NodeGoat
● https://www.syhunt.com/en/?n=Articles.NoSQLInjection
● https://portswigger.net/kb/issues/00100d00_server-side-javascript-code-injection
● https://github.com/S3cur3Th1sSh1t/SSJI---JSGen/blob/master/JSgen.py
● https://github.com/stampery/mongoaudit
● https://github.com/codingo/NoSQLMap.git