Remote Code Injection | Server-Side Template Injection Node.js

Introduction

Remote Code Injection is a type of vulnerability in which injected code is executed by the web application. This type of attack happens when untrusted user input is directly executed by the application. These attacks are usually possible because of a lack of proper input or output data validation.

Directly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing it allows an attacker to execute arbitrary code. This can happen when user input is treated as JavaScript or passed to a framework that interprets it as an expression to be evaluated. Examples include AngularJS expressions and jQuery selectors. This type of attack is also called Template Injection.

How Code Injection Attacks Work

A web application has a code injection vulnerability when both of the following conditions occur:

  1. Lack of proper input validation (CWE-94)
  2. Dynamic evaluation of user input in a dangerous way (CWE-95) (Eval Injection)

Most web applications use template systems to embed dynamic content in web pages. In Node.js, Pug and Jade are examples of template engines. Code injection occurs when untrusted user input is embedded in a template without any validation.

The following Node.js example shows a Pug template being constructed from user input, which allows attackers to run arbitrary code via user input such as process.exit(1).

const express = require('express');
const pug = require('pug');
const app = express();

app.post('/', (req, res) => {
    // Untrusted value taken straight from the request
    let input = req.query.username;
    // VULNERABLE: user input becomes part of the template source itself
    let template = `
doctype
html
head
    title= 'Hey This Is Title'
body
    form(action='/submit' method='post')
        input#name.form-control(type='text')
        button.btn.btn-primary(type='submit') Submit
    p Hello ` + input;
    // The concatenated string, including the user input, is compiled as a template
    var fn = pug.compile(template);
    var html = fn();
    res.send(html);
});

A web application is vulnerable to code injection if it takes untrusted data and uses it directly in program code. This typically involves eval() or an equivalent function, depending on the language.

The following Node.js example shows code injection via the eval() function. Let's assume the payload is process.exit(1).

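const express = require('express');

const app = express();

app.post('/', (req, res) => {
    // Untrusted value taken straight from the request
    let payload = req.query.payload;
    // VULNERABLE: the request parameter is executed as JavaScript
    eval(payload);
});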

Once the attacker submits process.exit(1) as the payload, the running web application's process is killed.

How to Protect Web Applications from Code Injection Attacks

You can avoid code injection vulnerabilities and improve web application security by following these basic security practices:

  1. Avoid including user input in any expression which can be dynamically evaluated/executed.
  2. Validate and sanitize inputs: If user input must be included, scan the input for escape characters and other special symbols, such as comments, line termination characters and command delimiters.
  3. Avoid vulnerable evaluation constructs: Avoid using eval() and equivalent functions on raw user inputs.
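
One way to apply points 1 to 3 when a feature needs user-supplied expressions, here simple arithmetic: parse the input against an allow-list grammar instead of passing it to eval(). This is an added example, not code from the original article; safeCalc and tokenize are hypothetical helper names.

```javascript
// The tokenizer is the allow-list: only numbers, + - * / and parentheses pass.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*/()]))/y;
  const tokens = [];
  let end = 0;
  for (let m; (m = re.exec(src)); end = re.lastIndex) {
    tokens.push(m[1] !== undefined ? Number(m[1]) : m[2]);
  }
  if (src.slice(end).trim() !== '') {
    throw new Error('rejected: unexpected input at position ' + end);
  }
  return tokens;
}

// Recursive-descent evaluator; nothing from the input is ever run as code.
function safeCalc(src) {
  // The length cap also bounds parenthesis nesting, and so recursion depth.
  if (typeof src !== 'string' || src.length > 200) throw new Error('rejected: bad input');
  const t = tokenize(src);
  let i = 0;
  const factor = () => {
    const tok = t[i++];
    if (typeof tok === 'number') return tok;
    if (tok === '-') return -factor();
    if (tok === '(') {
      const v = expr();
      if (t[i++] !== ')') throw new Error('rejected: expected )');
      return v;
    }
    throw new Error('rejected: unexpected token');
  };
  const term = () => {
    let v = factor();
    while (t[i] === '*' || t[i] === '/') v = t[i++] === '*' ? v * factor() : v / factor();
    return v;
  };
  const expr = () => {
    let v = term();
    while (t[i] === '+' || t[i] === '-') v = t[i++] === '+' ? v + term() : v - term();
    return v;
  };
  const result = expr();
  if (i !== t.length) throw new Error('rejected: trailing tokens');
  return result;
}

console.log(safeCalc('2*(3+4)')); // constructed sample input
```
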

Template Injection Mitigation Example in Node.js

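The following Node.js example shows how to use a template engine without the risk of template injection: the template source is fixed, and the user input is passed to the compiled template as data instead of being concatenated into the template.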

const express = require('express');
const pug = require('pug');
const app = express();

app.post('/', (req, res) => {
    // Untrusted value taken straight from the request
    let input = req.query.username;
    // The template source is a constant; it contains no user input
    let template = `
doctype
html
head
    title= 'Hey This Is Title'
body
    form(action='/' method='post')
        input#name.form-control(type='text')
        button.btn.btn-primary(type='submit') Submit
    p Hello #{username}`;
    var fn = pug.compile(template);
    // User input is supplied as a local variable and rendered as escaped text
    var html = fn({username: input});
    res.send(html);
});
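
Why passing the value as a local is safe while concatenation is not, shown with a simplified stand-in for a template compiler. This is an added example, not code from the original article and not Pug's implementation; miniCompile, renderConcatenated and renderWithLocals are hypothetical names, and the #{7*7} input is a constructed, harmless probe.

```javascript
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Like real engines, turn template text into a JavaScript function:
// literal text becomes string constants, #{expr} becomes executable code.
function miniCompile(template) {
  const parts = template.split(/#\{([^}]*)\}/);
  const body = parts
    .map((p, i) => (i % 2 === 0 ? JSON.stringify(p) : `escapeHtml(${p})`))
    .join(' + ');
  const fn = new Function('escapeHtml', 'locals', `with (locals) { return ${body}; }`);
  return (locals = {}) => fn(escapeHtml, locals);
}

// Pattern from the vulnerable route: input is concatenated into the source,
// so any #{...} it contains is compiled and evaluated.
function renderConcatenated(input) {
  return miniCompile('p Hello ' + input)();
}

// Pattern from the mitigated route: fixed source, input passed as a local,
// so the input is only ever a string value that gets escaped.
function renderWithLocals(input) {
  return miniCompile('p Hello #{username}')({ username: input });
}

const probe = '#{7*7}'; // constructed sample input
console.log(renderConcatenated(probe)); // expression was evaluated
console.log(renderWithLocals(probe));   // expression came back as plain text
```

The same probe works as a regression test against a real route: the response must contain the probe text verbatim, never its evaluated result.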
