NodeXP: NOde.js server-side JavaScript injection vulnerability DEtection and eXPloitation

Web applications are widely used, and new ways for easier and cost-effective methods to develop them are constantly introduced. A common omission among the new development and implementation techniques when designing them is security; Node.js is no exception, as Server-Side JavaScript Injection (SSJ...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:Journal of information security and applications Ročník 58; s. 102752
Hlavní autori: Ntantogian, Christoforos, Bountakas, Panagiotis, Antonaropoulos, Dimitris, Patsakis, Constantinos, Xenakis, Christos
Médium: Journal Article
Jazyk:English
Vydavateľské údaje: Elsevier Ltd 01.05.2021
Predmet:
Code injection
Deep learning
Detection
Exploitation
Node.js
Server-Side Javascript Injection
Deep learning
Node.js
Detection
Server-Side Javascript Injection
Code injection
Exploitation
ISSN:2214-2126
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:Web applications are widely used, and new ways for easier and cost-effective methods to develop them are constantly introduced. A common omission among the new development and implementation techniques when designing them is security; Node.js is no exception, as Server-Side JavaScript Injection (SSJI) attacks are possible due to the use of vulnerable functions and neglecting to sanitize data input provided by untrusted sources. This specific kind of injection attack stands out because it has the potential to compromise servers, where the JavaScript code is executed. In this work, we fill a significant gap in the literature by introducing NodeXP, which, to the best of our knowledge, is the first methodology (presented as a software tool) that detects and automatically exploits SSJI vulnerabilities. Beyond the capabilities of the current state-of-the-art tools, NodeXP uses obfuscation methods, making it more stealth and adaptive to the current needs of red teaming. To this end, we provide a thorough analysis of SSJI attacks and the foundation upon which they rely on, along with concrete examples to facilitate the reader to comprehend the underlying concepts. Finally, we evaluate NodeXP, compare it to its peers, and discuss its efficacy.
ISSN:2214-2126
DOI:10.1016/j.jisa.2021.102752