Syhunt: Google V8 - Server-Side JS Injection in vulnerable web apps
2012-02-29 10:39
http://seclists.org/fulldisclosure/2012/Feb/409
Google V8 Server-Side JavaScript Injection joins the set of web application security vulnerabilities

TIME-BASED PHP V8JS INJECTION & NOSQL/SSJS INJECTION
Detecting server-side JavaScript (SSJS) injection vulnerabilities using time-based techniques.

Article by Felipe Aragon - February 25, 2012

This article, which is an update of an article that we originally published on December 18, 2011, intends to highlight the risk of unvalidated input used to execute server-side JavaScript.

As you read this, web developers are starting to learn how to use V8Js (Google's V8 JavaScript engine) in PHP:

http://www.php.net/manual/en/v8js.examples.php
http://stackoverflow.com/questions/9035567/why-is-a-function-re-definition-faster-than-calling-the-first-one

...or MongoDB, which is a scalable, high-performance, open source NoSQL database that also allows JavaScript to be used in queries:

http://www.mongodb.org/

Today, the most common source of PHP security flaws is unvalidated input. It gives rise to SQL Injection, XSS, Remote Command Execution, Local and Remote File Inclusion, etc. (known as the PHP Top 5: https://www.owasp.org/index.php/PHP_Top_5). With the rising adoption of server-side JavaScript, we can expect server-side JS injection vulnerabilities caused by unvalidated user input to become prevalent, and the techniques for exploiting them, commonplace.

At Syhunt, we have already started our own collection of techniques for detecting server-side JS injection vulnerabilities. We want to proactively detect them before they are exploited.

The Time-Based JS Injection Technique
**********************************************

Injecting custom sleep code is a technique that may be used to spot injection vulnerabilities in web applications that execute server-side JavaScript. This works with any web system that supports server-side JavaScript execution, such as JavaScript web application frameworks and servers like Jaxer (http://jaxer.org/), PHP with V8Js, or NoSQL engines like MongoDB. Below you can find examples of server-side JavaScript injection vulnerabilities in PHP that could be spotted using the sleep technique.

In the past, we used this same sleep code on the client side to demonstrate how vulnerabilities we found in the A-A-S (Application Access Server) could be exploited (http://www.syhunt.com/?n=Advisories.Aas-multiple).

Example 1: PHP V8JS Injection Vulnerabilities (PHP + V8Js)
*************

The following requests would make these (or similar) vulnerable web applications sleep for 10 seconds:

vulnerable.php?msg=a';d%20=%20new%20Date();do{cd=new%20Date();}while(cd-d<10000);foo='bar

Vulnerable Code:

$msg = $_GET['msg'];
$v8 = new V8Js();
$v8->executeString("var msg = '$msg'; ..SOME CODE..");

vulnerable.php?msg=version());d%20=%20new%20Date();do{cd=new%20Date();}while(cd-d<10000);foo=('bar'

Vulnerable Code:

$msg = $_GET['msg'];
$v8 = new V8Js();
$JS = <<< EOT
len = print($msg + "\\n");
..SOME CODE..
EOT;
$v8->executeString($JS, 'basic.js');

Example 2: NoSQL SSJS Injection Vulnerability (PHP + MongoDB)
*************

The MongoDB shell provides a sleep() function (see http://api.mongodb.org/js/current/symbols/src/shell_utils.js.html), which makes time-based detection much easier to perform. The following requests would make these (or similar) vulnerable web applications sleep for 10 seconds:

vulnerable.php?msg=1';sleep(10000);var%20foo='bar

The MongoDB sleep() function works with milliseconds.

Alternative technique using custom sleep code:

vulnerable.php?msg=1';d=new%20Date();do{cd=new%20Date();}while(cd-d<10000);foo='bar

Vulnerable Code:

<?
$mongo = new Mongo();
$db = $mongo->demo;
$id = $_GET['id'];
$js = "function() { var id = '$id'; SOME CODE... }";
$response = $db->execute($js);
...
?>

Example 3: NoSQL SSJS Injection Vulnerability (PHP + MongoDB)
*************

Vulnerable Code:

<?
$mongo = new Mongo();
$db = $mongo->demo;
$year = $_GET['year'];
$collection = $db->demo;
$query = 'function() {var search_year = \'' . $year . '\';' .
         'return this.publicationYear == search_year || ' .
         ' this.filmingYear == search_year || ' .
         ' this.recordingYear == search_year;}';
$cursor = $collection->find(array('$where' => $query));
...
?>

Example 4: SSJS Injection Vulnerability (PHP + Jaxer)
*************

Example of a vulnerable application built using the Jaxer Ajax server and PHP.

Vulnerable Code:

<?php
$myVar = $_GET['id'];
echo "<script runat=server>
myPHPVar = '$myVar';
onload = function(){ ..SOME CODE.. };
</script>";
?>

Example 5: Sleep in JavaScript
*************

var date = new Date();
do { curDate = new Date(); }
while(curDate-date < 10000); // delay time (ms)

Additional Information
*************

The advent of Big Data and Cloud Computing is driving adoption of NoSQL in the enterprise. Because of this, NoSQL-related vulnerabilities are expected to become much more widespread (http://www.govtech.com/policy-management/9-Cybersecurity-Threat-Predictions-for-2012.html).

In July last year, Bryan Sullivan, a senior security researcher at Adobe Systems, demonstrated server-side JavaScript injection vulnerabilities in web applications using MongoDB and other NoSQL database engines. He demonstrated how they could be used to perform Denial of Service, File System, Remote Command Execution, and many other attacks, including the easy extraction of the entire contents of the NoSQL database -- a blind NoSQL injection attack (paper available at https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf).

Solution
*************

Always validate user input used in server-side JavaScript commands.
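As an added illustration of the Solution above (not part of the original advisory), the following rewrites the vulnerable snippets from Examples 1 to 3 so that user input reaches the JavaScript engine as data rather than being concatenated into code. It assumes the V8Js extension's PHP object bridge (properties set on the V8Js instance are visible to scripts as PHP.<name>) and the legacy Mongo driver the examples use.

```php
<?php
// Added example: hardened versions of Examples 1-3. Assumes the V8Js extension
// and the legacy Mongo driver (Mongo, MongoDB::execute, MongoCollection::find).

// --- Example 1, hardened: never build JavaScript source text from $_GET ---
$msg = isset($_GET['msg']) ? (string) $_GET['msg'] : '';

$v8 = new V8Js();
$v8->msg = $msg;          // handed over as data; the script reads PHP.msg
$v8->executeString('var msg = PHP.msg; /* ..SOME CODE.. */');

// If the value really must appear inside the script text, emit it as a JS
// string literal with json_encode(): quotes, backslashes and line terminators
// are escaped, so a value such as a';d=new Date();... stays inside the literal
// instead of closing it and starting a new statement.
$v8->executeString('var msg = ' . json_encode($msg) . '; /* ..SOME CODE.. */');

// --- Example 2, hardened: pass the value as an argument of the stored code ---
$id = isset($_GET['id']) ? (string) $_GET['id'] : '';
$mongo = new Mongo();
$db = $mongo->demo;
// The function body is a fixed string; $id is bound to the parameter, not
// spliced into the source.
$response = $db->execute('function(id) { /* SOME CODE... */ }', array($id));

// --- Example 3, hardened: query operators instead of a $where JS function ---
$year = isset($_GET['year']) ? $_GET['year'] : '';
if (!preg_match('/^\d{4}$/', $year)) {   // allow-list: exactly four digits
    header('HTTP/1.1 400 Bad Request');
    exit('invalid year');
}
$year = (int) $year;   // assumes the *Year fields are stored as numbers

$collection = $db->demo;
$cursor = $collection->find(array('$or' => array(
    array('publicationYear' => $year),
    array('filmingYear'     => $year),
    array('recordingYear'   => $year),
)));
```

With no user-controlled text ever compiled as JavaScript, the sleep payloads shown in Examples 1 and 2 are stored or compared as ordinary string values, and a request carrying one no longer changes the response time.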