NodeXP: NOde.js server-side JavaScript injection vulnerability DEtection and eXPloitation

Web applications are widely used, and new ways for easier and cost-effective methods to develop them are constantly introduced. A common omission among the new development and implementation techniques when designing them is security; Node.js is no exception, as Server-Side JavaScript Injection (SSJ...

Full description

Saved in:
Bibliographic Details
Published in:Journal of information security and applications Vol. 58; p. 102752
Main Authors: Ntantogian, Christoforos, Bountakas, Panagiotis, Antonaropoulos, Dimitris, Patsakis, Constantinos, Xenakis, Christos
Format: Journal Article
Language:English
Published: Elsevier Ltd 01.05.2021
Subjects:
Code injection
Deep learning
Detection
Exploitation
Node.js
Server-Side Javascript Injection
Deep learning
Node.js
Detection
Server-Side Javascript Injection
Code injection
Exploitation
ISSN:2214-2126
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Web applications are widely used, and new ways for easier and cost-effective methods to develop them are constantly introduced. A common omission among the new development and implementation techniques when designing them is security; Node.js is no exception, as Server-Side JavaScript Injection (SSJI) attacks are possible due to the use of vulnerable functions and neglecting to sanitize data input provided by untrusted sources. This specific kind of injection attack stands out because it has the potential to compromise servers, where the JavaScript code is executed. In this work, we fill a significant gap in the literature by introducing NodeXP, which, to the best of our knowledge, is the first methodology (presented as a software tool) that detects and automatically exploits SSJI vulnerabilities. Beyond the capabilities of the current state-of-the-art tools, NodeXP uses obfuscation methods, making it more stealth and adaptive to the current needs of red teaming. To this end, we provide a thorough analysis of SSJI attacks and the foundation upon which they rely on, along with concrete examples to facilitate the reader to comprehend the underlying concepts. Finally, we evaluate NodeXP, compare it to its peers, and discuss its efficacy.
ISSN:2214-2126
DOI:10.1016/j.jisa.2021.102752