Common JavaScript Vulnerabilities - Information Security Stack Exchange
javascript - JS code vulnerable? - Information Security Stack Exchange
Looking for Vulnerable Code Example Site
Collection of vulnerable code snippets (updated every friday)
Videos
Full disclosure: the following guide was written by the research team of Checkmarx, creator of CxSAST (static code analysis tool), where I am employed.
Here is a JavaScript Secure Coding Practices guide:
- GitHub - https://github.com/Checkmarx/JS-SCP
- GitBooks - https://checkmarx.gitbooks.io/js-scp/
Since JavaScript is used these days both in front and back ends of applications, a plethora of vulnerabilities and issues are relevant and important to know while developing in JavaScript:
- Cross Site Scripting (XSS) - Reflected, Stored and DOM based.
- SQL and NoSQL injections
- Authentication and password management issues
- Session management issues
- Access control issues
- Unsafe use of cryptography - Hashing, Encryption, Decryption and Random number generators
- Error Handling and Logging issues
To name a few... :)
I wrote an article about JavaScript vulnerabilities, so I believe I can help here:
Most security vulnerabilities in javascript come as a result of end-user interaction.
Malicious users can input query strings into forms to access or contaminate protected data.
It is, therefore, a responsibility on engineering teams to add a validation middleware on user inputs.
Listed below are the most common JavaScript vulnerabilities:
- Cross-Site Scripting (XSS)
- SQL injection (SQLi)
- Open-source vulnerabilities
Cross-Site Scripting (XSS)
One of the most common attacks involving web applications and JavaScript are Cross-site Scripting vulnerabilities which are included in the OWASP Top 10 web application security risks.
An XSS attack is a flaw in web applications which allow malicious users to execute JavaScript code on a website hence its popularity because almost every website requires JavaScript turned on in users browsers.
Cross-Site Scripting is primarily of two types namely: - Client XSS - Server XSS
Client XSS
This type of vulnerability occurs when untrusted data supplied from a remote location (mostly APIs) is used to update the DOM with an unsafe JavaScript call. As an example, the following snippet below gets weather information from an untrusted API to display current weather information.
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>DEMO XSS</title>
</head>
<body>
<p>Today's weather information reads: </br>
<div id="temp"></div>
</p>
<script type="text/javascript">
let untrusted_ajax_res = document.write(location.replace("https://www.w3schools.com"));
document.getElementById("temp").innerHTML=untrusted_ajax_res;
</script>
</body>
</html>
The snippet above shows how malicious code from an untrusted API can be injected into the DOM.
To prevent client xss attacks, developers can install secure xss filters which can be used to sanitise inputs gotten from untrusted domains/locations. A snippet for a web use-case can be seen below:
<!DOCTYPE html>
...
<script src="dist/xss-filters.min.js"></script>
<script>
let untrusted_ajax_res = document.write(location.replace("https://www.w3schools.com"));
document.getElementById("temp").innerHTML=xssFilters.inHTMLData(untrusted_ajax_res);
</script>
-The xss-filters package must only be applied to UTF-8 encoded documents. HTML5 mode is also required.
Server XSS This type of vulnerability occurs when untrusted data is included as user input and sent into the backend to be stored on the database. This data is used to compute a response to be sent back to the user which contains malicious JavaScript code when sent back to the user.
An example of a server XSS attack on an express based node server can be seen in the snippet below:
...
app.get('/search', (req, res) => {
const results = db.search(req.query.product);
if (results.length === 0) {
return res.send('<p>No results found for "' + req.query.product + '"</p>');
}
...
});
The snippet above shows the definition of a products search route for http://www.domain.com. An XSS attack can be performed by passing javascript code as a query for the server like so:
https://www.domain.com/search?product=<script>alert(XSS:Gat Ya!!)</script>
Since there wouldn’t be any record like
<script>alert(XSS:Gat Ya!!)</script>
on the database, the server’s response will be:
<p>No results found for "<script>alert(XSS:Gat Ya!!)</script> </p>
After the server’s response is received and No results found for is displayed, the script is then injected into the DOM to give the output shown below:
Even though this doesn’t look very severe as this script doesn’t pose any serious threat of sort. Attackers, however, can save malicious code as “comments” in blogs/social media sites. These so-called comments, when served to other users, is then injected into the DOM and performs the wishes of the attacker. To fix this vulnerability we can install the xss-filter package using npm like so:
$ npm i xss-filters --save
After installing, we can now filter the user’s input in our server’s response like so:
...
var xssFilters = require('xss-filters');
app.get('/search', (req, res) => {
var productParam = req.query.product;
const results = db.search(req.query.product);
if (results.length === 0) {
res.send('<p>No result found for "' + xssFilters.inHTMLData(productParam) + '"</p>');
}
});
...
- Using the xss-filters packages comes with certain warnings that can be found on its installation page
SQL Injection
SQL Injection is a type of attack which makes it possible to execute SQL statements to control a database behind a web application. An SQL Injection attack can be seen in the code snippet below:
...
const db = require('./db');
app.get('/products', (req, res) => {
db.query('SELECT * FROM products WHERE id = ' + req.query.id);
.then((product) => {
...
res.send(product);
})
});
There are two things wrong with the code snippet above:
- The user’s input which is not to be trusted is directly concatenated with the query string.
The database query is built via string concatenation.
db.query('SELECT * FROM products WHERE id = $1', req.query.id);
In the snippet above, the database client will pass in the req.query.id as the first argument. Although the MySQL package for node doesn’t support parameterised queries, you can escape users input (i.e remove all special characters ) before it’s concatenated with the query string like so:
const query = 'SELECT * FROM products WHERE id = ' + connection.escape(req.query.id);
Yes, it's vulnerable to XSS. A simple exploit would be something like this:
example.com/index.php?rpath=javascript:alert(document.cookie)
The rpath parameter will be grabbed by your getUrlVars() function and be assigned to redirectPath. The element redirectpg will have its href attribute changed to the XSS code. When the user clicks on the redirectpg element (presumably an anchor <a>), the malicious JavaScript code will be executed.
This can lead to cookie theft and impersonating a legitimate user, and probably re-render the login form and steal the actual password of the user. Basically, the attacker is able to show the user anything they want within your website.
Yes, this code seems to be vulnerable to an XSS injection.
What does this code do?
It checks the URL the user typed for GET-arguments. GET-arguments are everything behind a question-mark and are typical a bunch of key/value pairs with an equal-sign between them separated by &.
In this example URL
http://example.com/somesite.html?somevar=42&rpath=someothersite.html
the argument there are two such variables. somevar = 42 and rpath = someothersite.html
Your script will then search for a specific link on your website, take the value of rpath, and replace the target of the link with it. In this example, that link would then be changed to point to someothersite.html.
How could this be abused?
A link on a website can not just point to another website. It is also possible to have links which start with javascript: followed by javascript code. When a user clicks on this link, that code would get executed in the context of the currently loaded website.
That means an attacker could send the user a link like this:
http://example.com/somesite.html?rpath=javascript:alert('hello world')
When the user would click on that link and then on the redirect-link on your website, that javascript code would get execute.
Why is this a problem?
The current website might contain sensitive information. A javascript executed in the context of that website can grab that information and send it to a server the attacker controls.
The script also has access to any cookies and the users localstorage. When you use cookies to track user sessions, an attacker could have the script send the users cookie to his server. This might allow to hijack the session of the user and take over their account.
Depending on what your website actually does, there could also be a lot of other ways an attacker could cause all kinds of mischief by tricking users into executing javascript code.
How could this be done better?
Putting unfiltered user-data into a HTML document is always dangerous. In this case you might think that it might be sufficient to just reject any arguments containing javascript:, but the exploit shown above is only the most obvious one. There are likely much more subtile ones. Trying to filter anything that might be evil seems to be beyond the programming skill of the author of above code snippet, so I would advise against trying it. Instead I would recommend them to take a much safer approach. Instead of just putting any string in the website the user provides, have a limited set of possible strings to insert and choose one depending on the argument provided:
switch(redirectPath) {
case 'home':
document.getElementById('redirectpg').href = 'home.php';
break;
case 'about':
document.getElementById('redirectpg').href = 'about.php';
break;
case 'contact':
document.getElementById('redirectpg').href = 'contact.php';
break;
default:
document.getElementById('redirectpg').href = 'index.php';
break;
}