A1 - 1 Server Side JS Injection
Function()are used to
process user provided inputs, it can be exploited by an attacker to inject and
eval()function to parse the incoming
data without any type of input validation are vulnerable to this attack. An
setInterval()functions can take code in string
format as a first argument causing same issues as
This vulnerability can be very critical and damaging by allowing attacker to send various types of commands.
Denial of Service Attack:
An effective denial-of-service attack can be executed simply by sending the
commands below to
This input will cause the target server's event loop to use 100% of its processor time and unable to process any other incoming requests until process is restarted.
An alternative DoS attack would be to simply exit or kill the running process:
File System Access
Another potential goal of an attacker might be to read the contents of files from the server. For example, following two commands list the contents of the current directory and parent directory respectively:
Once file names are obtained, an attacker can issue the command below to view the actual contents of a file:
An attacker can further exploit this vulnerability by writing and executing
harmful binary files using
How Do I Prevent It?
To prevent server-side js injection attacks:
- Validate user inputs on server side before processing
- Do not use
eval()function to parse user inputs. Avoid using other commands with similar effect, such as
- For parsing JSON input, instead of using
eval(), use a safer alternative such as
JSON.parse(). For type conversions use type related
"use strict"at the beginning of a function, which enables strict mode within the enclosing function scope.
Source Code Example
eval()to covert user supplied contribution amounts to
// Insecure use of eval() to parse inputs var preTax = eval(req.body.preTax); var afterTax = eval(req.body.afterTax); var roth = eval(req.body.roth);
This makes application vulnerable to SSJS attack. It can fixed simply by using
//Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval var preTax = parseInt(req.body.preTax); var afterTax = parseInt(req.body.afterTax); var roth = parseInt(req.body.roth);
In addition, all functions begin with