Remote Code Injection | Server-Side Template Injection Node.js
Introduction
Remote Code Injection is a type of vulnerability in which injected code is executed by the web application. This type of attack happens when untrusted user input is directly executed by the application, and it is usually made possible by a lack of proper input or output validation.
Directly evaluating user input (for example an HTTP request parameter) as code without properly sanitizing it allows an attacker to achieve arbitrary code execution. This can happen when user input is treated as JavaScript or passed to a framework that interprets it as an expression to be evaluated; AngularJS expressions and jQuery selectors are examples. This type of attack is also called Template Injection.
How Code Injection Attacks Work
A web application is considered to have a code injection vulnerability when both of the following conditions occur:
- Lack of proper input validation (CWE-94)
- Dynamic evaluation of user input in a dangerous way (CWE-95) (Eval Injection)
Most web applications use template systems to embed dynamic content in web pages; in the case of Node.js, pug and jade are examples of template engines. Code injection occurs when untrusted user input is embedded in a template without any validation.
The following Node.js example illustrates a Pug template being constructed from user input, allowing attackers to run arbitrary code via a user input such as process.exit(1).
const express = require('express');
const pug = require('pug');
const app = express();

app.post('/', (req, res) => {
  let input = req.query.username;
  // User input is concatenated into the template source, so Pug compiles it as template code
  let template = `
doctype html
head
  title= 'Hey This Is Title'
body
  form(action='/submit' method='post')
    input#name.form-control(type='text')
    button.btn.btn-primary(type='submit') Submit
  p Hello ` + input;
  var fn = pug.compile(template);
  var html = fn();
  res.send(html);
});
A web application is vulnerable to code injection if it takes untrusted data and directly uses it in program code. This typically involves the use of eval() or an equivalent function, depending on the language.
The following Node.js example illustrates code injection via the eval() function. Let's assume the payload is process.exit(1).
const express = require('express');
const app = express();

app.post('/', (req, res) => {
  let payload = req.query.payload;
  // Untrusted input is evaluated directly as JavaScript
  eval(payload);
});
Once the attacker submits process.exit(1) as the payload, the running web application's process is killed.
How to Protect Web Applications from Code Injection Attacks
You can avoid code injection vulnerabilities and improve web application security by following these basic security practices:
- Avoid including user input in any expression which can be dynamically evaluated/executed.
- Validate and sanitize inputs: If user input must be included, scan the input for escape characters and other special symbols, such as comments, line termination characters and command delimiters.
- Avoid vulnerable evaluation constructs: Avoid using eval() and equivalent functions on raw user inputs.
Template Injection Mitigation Example in Node.js
The following Node.js example shows how to use a template engine without risk of template injection: the template source is fixed, and the user input is passed to the compiled template as data (locals) rather than concatenated into the template.
const express = require('express');
const pug = require('pug');
const app = express();

app.post('/', (req, res) => {
  let input = req.query.username;
  // The template is a constant; #{username} is an escaped interpolation of a local
  let template = `
doctype html
head
  title= 'Hey This Is Title'
body
  form(action='/' method='post')
    input#name.form-control(type='text')
    button.btn.btn-primary(type='submit') Submit
  p Hello #{username}`;
  var fn = pug.compile(template);
  // User input is supplied as data, not as template source
  var html = fn({username: input});
  res.send(html);
});
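As an added example (not code from the original post), the validation layer from the mitigation list above, applied to the username handler: an allowlist check, detection of Pug code/interpolation markers for logging, and data passed as locals. pug is not required so the block runs offline; renderWithLocals() is a hypothetical stand-in for pug.compile(template)(locals) with HTML escaping.

```javascript
// Pug source fragments that would turn a "username" into code or interpolation
// if it ever reached the template source. Matches are a detection signal.
const PUG_METACHARS = [/#\{/, /!\{/, /^\s*[-=]/m, /\bprocess\./, /\brequire\s*\(/];

function findTemplateMetachars(input) {
  return PUG_METACHARS.filter((re) => re.test(input)).map((re) => re.source);
}

// Allowlist for usernames (assumption: letters, digits, "_", ".", "-", 1-32 chars).
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

function validateUsername(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string', signals: [] };
  if (!USERNAME_RE.test(input)) {
    return { ok: false, reason: 'outside allowlist', signals: findTemplateMetachars(input) };
  }
  return { ok: true, value: input };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for pug.compile(template)(locals): placeholders are
// looked up in locals and escaped; the template string never contains user input.
const TEMPLATE = 'p Hello #{username}';

function renderWithLocals(template, locals) {
  return template.replace(/#\{(\w+)\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(locals, key) ? escapeHtml(String(locals[key])) : '');
}

// Handler body as a pure function: reject bad input, report what was seen,
// otherwise render with the input supplied as a local.
function handleGreeting(username) {
  const v = validateUsername(username);
  if (!v.ok) return { status: 400, body: 'invalid username', signals: v.signals };
  return { status: 200, body: renderWithLocals(TEMPLATE, { username: v.value }) };
}

// Constructed sample inputs: a normal name and the page's process.exit(1) case.
console.log(handleGreeting('alice'));
console.log(handleGreeting('#{process.exit(1)}'));
```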
References
- OWASP: Code Injection
- Wikipedia: Code Injection
- Common Weakness Enumeration: CWE-94
- Common Weakness Enumeration: CWE-79