JavaScript Injection

JavaScript is a widely used technology within websites and web based applications. JavaScript can be used for all sorts of useful things and functions. But along with this comes some additional security issues that need to be thought of and tested for. JavaScript can be used not only for good purposes, but also for malicious purposes.

Using JavaScript an individual can modify and change existing information within a form. It can be used not only to change form input tags, but also the cookie’s that are currently set in the browser, and any other value within a website or web application. Any type of parameter manipulation that you want to perform can typically be done with Javascript injection.

To execute any javascript within a current session, a user would enter the specific javascript commands within the browser’s url bar minus the [You must be registered and logged in to see this link.] All javascript commands must start with the javascript: tag followed by any javascript command that will be executed. All javascript is ended with a ; so a user could enter multiple javascript commands, as long as each command ended with the ;

JavaScript cookie modification
Using JavaScript a user can modify the current cookie settings. This can be performed with some basic JavaScript commands. To view the current contents of your current cookie/s, use the following JavaScript command.

Code:

javascript:alert(document.cookie);

This command will popup a box which lists your current cookies. A malicious user could use this to change values in the cookie. For example lets say a web application you are testing sets an authorization cookie to true when a user has successfully logged in and passed the authorization test. To change the values within the cookie, a malicious user would execute javascript like the following from the url bar within the browser.

Code:

javascript:void(document.cookie="authorization=true");

This would cause the current cookie parameter authorization=false to be changed to authorization=true. Which the malicious user might not have passed the original authorization test. The malicious user has just bypassed the authorization test and gained access to the sensitive content. As you could imagine, this could cause severe problems in privilege escalation, if the malicious user could use JavaScript injection to bypass the correct authorization process.

If you are testing for JavaScript injection and wish to see if the cookie has been altered you would execute a command simiar to the following, except you would want to replace the cookie name and value with the cookie you desire to test. Start with the javascript command to alter the cookie and then tack on the javascript alert function to view what the cookie was changed to. For example

Code:

javascript:void(document.cookie="authorization=true");

Code:

javascript:alert(document.cookie);

JavaScript HTML Form modification
You can also use javascript to modify any value with an html form, including hidden forms, and disabled forms. The following is an example of how you would set an input tag named email within form number 0 (or the first form on the page)

Code:

javascript:void(document.forms[0].email.value="test@test.com");

How to protect against Javascript Injection
Always validate the input received against a whitelist. If you use a blacklist you could and probably will come up against encoding issues. Always use a whitelist when validating input.

Do not rely on client side validation to validate the user input. Client side validation is great for helping the user input correct data. But a malicious user will not use this and could bypass the client side validation. Client side validate is should never be considered as a security fix. Using javascript to validate input should not be used. As you can see javascript is very easy to change and modify on any html page.

Additionally validate the input everytime, not just when the data is initally accepted. For example if you set a cookie, make sure that cookie is the same value and it is correct on each and every request. A malicious user could modify and change the value anytime during the session.

Injecting javascript into existing pages
Not only can you use javascript to manipulate parameters, cookies, but you can also inject javascript into dynamic pages to cause the page to render differently, do something else, or some other malicious thing. Think of a XSS attack.

Come back soon and we will post some examples of this.

Using JavaScript is difficult. Isn’t there an easier way?
Actually there is an easier way to test for any type of parameter manipulation you can do with javascript injection. Using sometype of proxy that allows you to manipulate parameters on the fly is much easier. You can do this with a number of different applications. I’ve included a list of some of the proxy applications that allow you to do this.

* Paros Proxy
* TamperData

There are many, many more security testing proxy tools, this is just a short list of a few of the quick, easy, and nice tools to use.

Paros Proxy
Paros is a valuable testing tool for your security and vulnerability testing. Paros can be used to spider/crawl your entire site, and then execute canned vulnerability scanner tests. But Paros goes beyond that, it comes with a built in utility that can proxy traffic. This Paros Proxy utility can be used to tamper or manipulate any http or https traffic on the fly. This makes some of the more interesting security types of testing. It will help you isolate potential area’s of security concern and then manual attempt to perform the type of testing you desire.

Paros also comes with a built in Session ID analyzer. It will display a graph of all the types of Session ID’s it has been presented with using a multiple threaded session initiater. You then can determine if the graph appears random enough for the Session ID. It is a pretty unique and interesting tool to use. Although typically most developers will rely upon another technology tomcat, apache, or some other application to generate Session ID’s. This is not always the case and as such a Session ID analysis should be performed. Sometimes the Session ID will not be randomized enough and the hash used to create the Session ID is easily predictable.

Paros also comes with a built in Fuzzer. You will need to generate your own Fuzzer library to use the Fuzzer, but it will perform all the fuzzing for you.
[You must be registered and logged in to see this link.]

TamperData
TamperData is an extension for Mozilla Firefox. You can use TamperData to halt the traffic http requests that are processing and to “Tamper”, change, modify any of the data that is being submitted to the website.

TamperData is easily installed within your Firefox browser and is extremely easy to use. It only takes a moment to install and become familiar with the way it works.

The one thing that I haven’t figured out to do with TamperData, is to modify HTTP GET parameters, I can see how to modify the HTTP headers, post parameters, but the GET parameters are a bit more misleading to me.

All in all TamperData is an easy, excellent way to see what your web application is doing, and start testing with different and various other types of data. Parameter manipulation is very easy to do, there is no need to use Javascript Injection or re-posting webpages. This is a much easier way to just tamper with the data as it is being submitted to the web application.
[You must be registered and logged in to see this link.]