What Is a Javascript Injection Attack and How Is It Orchestrated?

What Is a Javascript Injection Attack and How Is It Orchestrated?

An injection vulnerability allows a malicious actor to inject harmful code into a system through another application. Hackers typically use injection attacks to access the backend server configuration, shell commands, or OS calls when the application fails to validate user input adequately. Since the web application accepts untrusted user data as part of a query or command, injection attacks allow for arbitrary dynamic code execution and user session hijacking.

This article discusses how attackers perform JavaScript injections to manipulate web pages and alter resource parameters while learning measures to prevent such attacks.

What is a JavaScript Injection Attack?

In a JavaScript injection attack, an attacker injects malicious code into the client-side JavaScript directly. This code launches and renders when the victim loads the website with the malicious script in their client application/browser. An attacker may rely on various techniques to enter malicious code into a vulnerable site, including:

  • Using the browser’s developer console to insert JavaScript or change the source code

  • Adding a script by entering JavaScript: SCRIPT element to the client’s address bar

  • Using cross-site scripting to add scripts into a comment or input form field

An exploit script is designed to perform several actions depending on the exact content type. Malicious exploits through JavaScript injection code include:

  • Obtaining sensitive user information when they enter information submitted in an input field

  • Forcing unwanted actions on behalf of the victim

  • Complete user session hijacking

  • Manipulation of website parameters

JavaScript injection exploits are known to cause severe consequences, such as:

  • Loss of sensitive content – Attackers can abuse JavaScript injection vulnerabilities to steal sensitive personally identifying information, such as name, address, and credit card data

  • Revenue loss – Successful JavaScript injection attacks impact user experience, user traffic disruption, trust in the affected service, and financial loss

  • Compliance issues – Loss of sensitive data can subject organizations to penalties and lawsuits enforced by security and compliance frameworks, such as PCI-DSS and GDPR.

JavaScript Injection Examples

Various JavaScript injection attack types are based on the payload and exact content type. Common injection attack examples include:

Dependency Injection in JavaScript

JavaScript dependency injection (DI) is a web design pattern that enables the passing of dependencies without instantiating them within classes or functions. DI simplifies source code development and testing since dependencies are provided and loaded from external resources.

A JavaScript dependency injection confusion attack targets the DI framework, where the attacker tricks the website into pulling custom scripts from their chosen repository. When installing packages for JavaScript applications, installers typically pick the latest version when faced with a choice between two versions of the same file. Suppose a malicious user can obtain the name of an internal dependency or script file. In that case, they can publish malicious application code with a higher version number in a public repository referenced as a package.json or another source code file. When installing packages or dependencies, the malicious code gets injected into the application source code when the application installer selects the updated-altered version.

JavaScript HTML Injection Attack

Most applications rely on several methods to inject HTML markup through JavaScript. JavaScript injection through HTML involves injecting executable HTML code through a vulnerable input field. The HTML injection attack targets the browser’s HTML content and interprets it on the client side. A common approach by hackers to perform this is by embedding malicious script tags into the website. Since the browser interprets scripts embedded within HTML by default, the browser plugins execute the malicious scripts.

JavaScript injection HTML attacks commonly target forums, comment sections, or application interfaces that allow the insertion of user input without sanitation. Through such attacks, attacker gain access to the user’s session cookies, alter the website’s appearance or add event listeners that send the user’s keystrokes to a server they control.

Common tags used to embed HTML code into JavaScript applications include:

<SCRIPT> <OBJECT> <APPLET> <EMBED> <FK> <LI> <BR> <DIV> <TITLE>

Javascript Code Injection

JavaScript code injection attacks are common on applications that accept user input and execute it on the server side. Orchestrating such attacks require attackers to use the developer tools console or an input field to supply the malicious script, which is parsed to the server for dynamic code execution.

The following code snippet shows an example of a vulnerable website:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Darwin Website</title>
</head><body>
    <input type="button" onclick="randomScript()">
</body>
</html>

In such a code pattern, an attacker can submit malicious code to the randomScript() random function to deploy an event listener. This is achieved by building a custom script in a JavaScript and JQuery compliant console to change the onclick event.

The code will look similar to:

function randomScript(){
  alert("Test!");
}

Following this, all the hackers must inspect the button element after opening the web page. This grants the hacker access to an event listeners tab that displays code run by the randomScript() function.

Javascript SQL Injection

A JavaScript SQL injection attack is executed by leveraging input validation flaws to inject malicious SQL queries into the application. This modifies the original database queries, which enables the attacker to read sensitive content, modify/delete database entries, or alter server behavior.

Assume a Node.js web application uses a search term to generate a query. A vulnerable application may use literal strings to include the search term directly into the code string, as shown:

const query = `SELECT * FROM Repository WHERE TAG = 
'${userQuery}' AND public = 1`;

As per the above query construct, the SQL query string to search the term Darwin would be similar to:

SELECT * FROM Repository WHERE TAG = 'darwin' AND 
public = 1;

An attacker can supply the malicious search term darwin’ ;–, which modifies the SQL statement to:

SELECT * FROM Repository WHERE TAG = 'darwin';--' 
AND public = 1;

This comments out every part after the — characters, effectively leaving the executed SQL command similar to:

SELECT * FROM Repository WHERE TAG = 'darwin';

As this removes the additional clause that prevents the exposure of private repositories in the database server’s response, an attacker can gain access to source code, server configuration files, and other intellectual properties of the organization.

How to Prevent JavaScript Injection

As there are different approaches to prevent JavaScript injection, each method may only apply to a specific injection security vulnerability or attack type. The following section discusses the two most commonly exploited JavaScript injection prevention methods.

Preventing JavaScript SQL Injections

Some methods to prevent SQL injection in JavaScript applications include:

  • Performing value validation and masking at the user input and data control level

  • Using the name and query placeholders to escape user input before extrapolating it into the SQL query

  • Query scope and type checking

Preventing JavaScript Code Injection Attacks

Preventive measures for JavaScript code injection attacks include:

  • Avoiding the use of unsafe characters and functions including the eval(), setInterval(), setTimeout() and function constructor statements at the user input field

  • Avoiding dynamic code execution when necessary

  • Creating a whitelist of input values for users to choose from

  • Using a web application firewall (WAF) to detect code strings from malicious users

  • Locking down the browser application interpreter and limiting its capacities to the minimum required by the web server configuration

  • Using a security linter to enforce a secure code style

FAQs

What is the difference between JavaScript injection and cross-site scripting?

While there are multiple ways of performing JavaScript injection, cross-site scripting is one of them. XSS attacks allow a malicious actor to inject scripts into web pages viewed by legitimate users, allowing them to bypass security controls such as the same-origin policy. On the other hand, JavaScript injection encompasses a wide range of security flaws that allow the adversary to execute JavaScript on a browser, typically to extract session information and send it to a site of their choice.

Why is JavaScript more susceptible to theft?

Being executed on the client side, JavaScript ranks highly as one of the most vulnerable programming languages. The scripts are publicly readable because JavaScript is not compiled as a binary (machine language). JavaScript also interacts with the web page’s Document Object Model, which allows malicious actors to inject malicious scripts and run them on a victim’s browser.

This article has already been published on crashtest-security.com/js-injection-attack and has been authorized by Crashtest Security for a republish.