NodeXP: NOde.js server-side JavaScript injection vulnerability DEtection and eXPloitation

Web applications are widely used, and new ways for easier and cost-effective methods to develop them are constantly introduced. A common omission among the new development and implementation techniques when designing them is security; Node.js is no exception, as Server-Side JavaScript Injection (SSJ...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:Journal of information security and applications Ročník 58; s. 102752
Hlavní autoři: Ntantogian, Christoforos, Bountakas, Panagiotis, Antonaropoulos, Dimitris, Patsakis, Constantinos, Xenakis, Christos
Médium: Journal Article
Jazyk:angličtina
Vydáno: Elsevier Ltd 01.05.2021
Témata:
Code injection
Deep learning
Detection
Exploitation
Node.js
Server-Side Javascript Injection
Deep learning
Node.js
Detection
Server-Side Javascript Injection
Code injection
Exploitation
ISSN:2214-2126
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:Web applications are widely used, and new ways for easier and cost-effective methods to develop them are constantly introduced. A common omission among the new development and implementation techniques when designing them is security; Node.js is no exception, as Server-Side JavaScript Injection (SSJI) attacks are possible due to the use of vulnerable functions and neglecting to sanitize data input provided by untrusted sources. This specific kind of injection attack stands out because it has the potential to compromise servers, where the JavaScript code is executed. In this work, we fill a significant gap in the literature by introducing NodeXP, which, to the best of our knowledge, is the first methodology (presented as a software tool) that detects and automatically exploits SSJI vulnerabilities. Beyond the capabilities of the current state-of-the-art tools, NodeXP uses obfuscation methods, making it more stealth and adaptive to the current needs of red teaming. To this end, we provide a thorough analysis of SSJI attacks and the foundation upon which they rely on, along with concrete examples to facilitate the reader to comprehend the underlying concepts. Finally, we evaluate NodeXP, compare it to its peers, and discuss its efficacy.
ISSN:2214-2126
DOI:10.1016/j.jisa.2021.102752