Server Side Code JavaScript Injection in modern Node.js applications
1. Introduction
In order to be able to properly define what the term Server Side JavaScript Injection (SSJI) refers to, a brief reference to Node.js and Server Side Code Injection attacks (SSCI) must be made.
Node.js also known as NodeJS or simply Node, is an open-source, cross-platform JavaScript run-time environment that executes JavaScript code outside of a Web Browser. Node.js allows developers to use JavaScript to write and run server-side scripts that produce dynamic web page content before the page is sent to the users web browser. Consequently, Node.js represents a 'JavaScript everywhere' paradigm, unifying web application development around a single programming language, rather than different languages for server side and client side scripts.
Node.js has an event-driven architecture capable of asynchronous I/O. These design choices aim to optimize throughput and scalability in web applications with many input/output operations, as well as for real-time Web applications. The Node.js distributed development project, governed by the Node.js Foundation, is facilitated by the Linux Foundations Collaborative Projects program.
On the other hand, the term Server-Side Code Injection (SSCI) can be used to describe a very large group of attacks malicious users (hackers) can instill on Web Applications. Specifically, a Server Side Code Injection attack can occur when a malicious user takes advantage of a vulnerable input option a Web Application might expose to its clients. Instead of providing a valid value that the Web Applicationrsquo;s underlying functions would process as expected, the malicious user provides a value that once received by the underlying functions will cause an unintended behavior to occur such as instructing the application to expose confidential data, slowing down its performance or shutting it down altogether (Denial of Service – DoS) among other examples.
No Server-Side Web Application technology is safe by default from Server-Side Code Injection attacks. Like all other Web application Technologies Node.js applications can be exposed to the aforementioned attack. Specifically, certain JavaScript native methods such as “eval()”, “exec()” and “function()” while providing great freedom in easily accessing system resources to developers can equally pose a risk and can be leveraged by hackers. Like all Server-Side Code Injection attacks SSJI usually occurs when developers coding the application either do not properly validate user input or write code without completely knowing of its security implications. As mentioned earlier, Server-Side Injection attacks cannot be simply prevented by blindly following certain techniques during code development. The true way to prevent such vulnerabilities is for both application architects and developers to obtain an Information Security mindset when designing and building the application.
This thesis aims to study scenarios of Server Side JavaScript Injection attacks. For the purpose of accomplishing this task a PHP Web Application that contains a collection of Server Side PHP Injection attacks was converted to a Node.js application. Subsequently, the NodeXP (D. Antonaropoulos) and Commix (A. Stasinopoulos) specialized command injection tools were used to assess the vulnerability of the new Node.js application to code injection attacks.
2.Modern Web Development with Node.js
Node.js Web Applications are the main target of Server Side JavaScript Injection (SSJI) attacks since itrsquo;s the only popular Server Side JavaScript Environment in the modern Web Development ecosystem. While all Server-Side Code Injection attacks are equally fatal since they result in loss of confidential information and Denial of Service (DoS) among other damage, SSJI attacks are further aggravated by Node.jsrsquo;s current popularity. In order to better understand the impact of SSJI attacks the following paragraphs aim to provide readers with a basic understanding of Node.js place among other Web Application technologies, how it differs from them, enterprise scale use cases of it and the reasons for its popularity.
2.1 Brief History of Node.js
Node.js was first conceived, developed and maintained in 2009 by Ryan Dahl and who then got sponsored and supported by Joyent a cloud computing and hosting solutions provider. Ryan Dahl was not satisfied with the way the Apache Http server used to handle large amounts of concurrent connections and the way code was being created which either blocked the entire process or required multiple execution stacks in the case of simultaneous connections. This lead to the creation of the Node.js project which he went on to demonstrate at the inaugural European JSConf on November 8, 2009. He used Google Googlersquo;s V8 JavaScript engine, an event loop, and a low-level I/O API in his project which won lot of hearts and standing ovation.
In June 2011, Microsoft and Joyent implemented a native Windows version of Node.js. The first Node.js build supporting Windows was released in July 2011.In January 2012, Dahl stepped aside, promoting coworker and npm creator Isaac Schlueter to manage the project. In December 2014, Fedor Indutny started io.js, a fork of Node.js. Due to the internal conflict over Joyentrsquo;s governance, in February 2015, the intent to form a neutral Node.js Foundation was announced. By June 2015, the Node.js and io.js communities decided to work together under the Node.js Foundation.
2.2 Node.js Architectural reference
The Node.js run-time environment was built to enable programmers to build highly-scalable applications and write code that handles tens of thousands of simultaneous connections on one, and only one, physical machine. In order to better understand how Node.js achieves this, a brief
剩余内容已隐藏,支付完成后下载完整资料
说明:
封面之后放英文原文;英文原文之后放译文;译文后空两行,注明英文出处(请按照参考文献的书写要求书写,英文原文不能来自网站)。
例:
原文来源:
Y. Desmedt. Some recent research aspects of threshold cryptography. In : E. Okamoto , G. Davida , M. Mambo , eds. Proc. the 1st Intrsquo;l Information Security Workshop, Lecture Notes in Computer Science 1396. New York : Spring-Verlag , 1997. 158~173
原文:
Server Side Code JavaScript Injection in modern Node.js applications
A thesis submitted for the degree of M.Sc. in Digital Systems Security
University of Piraeus Athens, May 2019
Conducted by Maria Parara
Supervising Professor Dr. Christoforos Ntantogian
1. Introduction
In order to be able to properly define what the term Server Side JavaScript Injection (SSJI) refers to, a brief reference to Node.js and Server Side Code Injection attacks (SSCI) must be made.
Node.js also known as NodeJS or simply Node, is an open-source, cross-platform JavaScript run-time environment that executes JavaScript code outside of a Web Browser. Node.js allows developers to use JavaScript to write and run server-side scripts that produce dynamic web page content before the page is sent to the users web browser. Consequently, Node.js represents a 'JavaScript everywhere' paradigm, unifying web application development around a single programming language, rather than different languages for server side and client side scripts.
Node.js has an event-driven architecture capable of asynchronous I/O. These design choices aim to optimize throughput and scalability in web applications with many input/output operations, as well as for real-time Web applications. The Node.js distributed development project, governed by the Node.js Foundation, is facilitated by the Linux Foundations Collaborative Projects program.
On the other hand, the term Server-Side Code Injection (SSCI) can be used to describe a very large group of attacks malicious users (hackers) can instill on Web Applications. Specifically, a Server Side Code Injection attack can occur when a malicious user takes advantage of a vulnerable input option a Web Application might expose to its clients. Instead of providing a valid value that the Web Applicationrsquo;s underlying functions would process as expected, the malicious user provides a value that once received by the underlying functions will cause an unintended behavior to occur such as instructing the application to expose confidential data, slowing down its performance or shutting it down altogether (Denial of Service – DoS) among other examples.
No Server-Side Web Application technology is safe by default from Server-Side Code Injection attacks. Like all other Web application Technologies Node.js applications can be exposed to the aforementioned attack. Specifically, certain JavaScript native methods such as “eval()”, “exec()” and “function()” while providing great freedom in easily accessing system resources to developers can equally pose a risk and can be leveraged by hackers. Like all Server-Side Code Injection attacks SSJI usually occurs when developers coding the application either do not properly validate user input or write code without completely knowing of its security implications. As mentioned earlier, Server-Side Injection attacks cannot be simply prevented by blindly following certain techniques during code development. The true way to prevent such vulnerabilities is for both application architects and developers to obtain an Information Security mindset when designing and building the application.
This thesis aims to study scenarios of Server Side JavaScript Injection attacks. For the purpose of accomplishing this task a PHP Web Application that contains a collection of Server Side PHP Injection attacks was converted to a Node.js application. Subsequently, the NodeXP (D. Antonaropoulos) and Commix (A. Stasinopoulos) specialized command injection tools were used to assess the vulnerability of the new Node.js application to code injection attacks.
2.Modern Web Development with Node.js
Node.js Web Applications are the main target of Server Side JavaScript Injection (SSJI) attacks since itrsquo;s the only popular Server Side JavaScript Environment in the modern Web Development ecosystem. While all Server-Side Code Injection attacks are equally fatal since they result in loss of confidential information and Denial of Service (DoS) among other damage, SSJI attacks are further aggravated by Node.jsrsquo;s current popularity. In order to better understand the impact of SSJI attacks the following paragraphs aim to provide readers with a basic understanding of Node.js place among other Web Application technologies, how it differs from them, enterprise scale use cases of it and the reasons for its popularity.
2.1 Brief History of Node.js
Node.js was first conceived, developed and maintained in 2009 by Ryan Dahl and who then got sponsored and supported by Joyent a cloud computing and hosting solutions provider. Ryan Dahl was not satisfied with the way the Apache Http server used to handle large amounts of concurrent connections and the way code was being created which either blocked the entire process or required multiple execution stacks in the case of simultaneous connections. This lead to the creation of the Node.js project which he went on to demonstrate at the inaugural European JSConf on November 8, 2009. He used Google Googlersquo;s V8 JavaScript engine, an event loop, and a low-level I/O API in his project which won lot of hearts and standing ovation.
In June 2011, Microsoft and Joyent
剩余内容已隐藏,支付完成后下载完整资料
资料编号:[253958],资料为PDF文档或Word文档,PDF文档可免费转换为Word
以上是毕业论文外文翻译,课题毕业论文、任务书、文献综述、开题报告、程序设计、图纸设计等资料可联系客服协助查找。
