NodeXP: NOde.js server-side JavaScript injection vulnerability DEtection and eXPloitation
نویسندگان
چکیده
Web applications are widely used, and new ways for easier cost-effective methods to develop them constantly introduced. A common omission among the development implementation techniques when designing is security; Node.js no exception, as Server-Side JavaScript Injection (SSJI) attacks possible due use of vulnerable functions neglecting sanitize data input provided by untrusted sources. This specific kind injection attack stands out because it has potential compromise servers, where code executed. In this work, we fill a significant gap in literature introducing NodeXP, which, best our knowledge, first methodology (presented software tool) that detects automatically exploits SSJI vulnerabilities. Beyond capabilities current state-of-the-art tools, NodeXP uses obfuscation methods, making more stealth adaptive needs red teaming. To end, provide thorough analysis foundation upon which they rely on, along with concrete examples facilitate reader comprehend underlying concepts. Finally, evaluate compare its peers, discuss efficacy.
منابع مشابه
Node - Up and Running: Scalable Server-Side Code with JavaScript
Spend your few moment to read a book even only few pages. Reading book is not obligation and force for everybody. When you don't want to read, you can get punishment from the publisher. Read a book becomes a choice of your different characteristics. Many people with reading habit will always be enjoyable to read, or on the contrary. For some reasons, this node up and running scalable server sid...
متن کاملDetection of Javascript Vulnerability At Client Agen
These days, most of companies expanding their business horizon through dynamic web sites based on Web 2.0 concept. The JavaScript is a key choice of web developers to build sophisticated dynamic web 2.0 application such social network site, blogs, e-commerce websites. On the other hand vulnerable JavaScript code is also exploited by the hackers to launch the attacks. Hacker may tamper the JavaS...
متن کاملA Security Architecture for Server-Side JavaScript: Extended Abstract
Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based eventdriven architectures. Its strength is the presence of thousands of third party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one’s entire se...
متن کاملCross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense
We identify a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the browser leaks a JavaScript pointer from one security origin to another. We devise an algorithm for detecting these vulnerabilities by monitoring the “points-to” relation of the JavaScript heap. Our algorithm finds a number of new vulnerabilities in the opensource Web...
متن کاملJavaScript Zero: Real JavaScript and Zero Side-Channel Attacks
Modern web browsers are ubiquitously used by billions of users, connecting them to the world wide web. From the other side, web browsers do not only provide a unified interface for businesses to reach customers, but they also provide a unified interface for malicious actors to reach users. The highly optimized scripting language JavaScript plays an important role in the modern web, as well as f...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
ژورنال
عنوان ژورنال: Journal of information security and applications
سال: 2021
ISSN: ['2214-2134', '2214-2126']
DOI: https://doi.org/10.1016/j.jisa.2021.102752