Server Side Js Injection


Hi, in this tutorial we will see how server-side JS injection is performed in the Extreme Vulnerable Node Application (XVNA).

Since we know the application runs on Node.js, we also know which of its built-in commands and predefined properties could be used against the application if user input reaches a JavaScript interpreter.

A few of them are as follows:

  • process.arch
  • process.argv
  • process.argv0
  • process.channel
  • process.cwd()
  • process.geteuid()
  • process.getegid()
  • process.getgroups()
  • process.pid
  • process.platform
  • process.version

You can see how the attack is performed in the video below.

The Extreme Vulnerable Node Application is available on GitHub at https://github.com/vegabird/xvna; you can download it and test it on your localhost.

Prevention:

Sanitize and validate the user input, and avoid the eval function, which could cause a lot of damage.
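To make the prevention advice concrete, here is an added example (it is not code from the original post or from the XVNA project). It shows a minimal Node.js request handler that passes an `expr` field straight to `eval()`, beside a hardened handler that accepts only a strict allowlisted shape of input and evaluates it with a small purpose-built arithmetic parser instead of the JavaScript interpreter. The function names `handleUnsafe`, `handleSafe`, `evaluateArithmetic` and the `expr` field are assumptions for this demo.

```javascript
// Added example, not part of the original post or the XVNA code base.
// Names (handleUnsafe, handleSafe, evaluateArithmetic, body.expr) are assumed.

// VULNERABLE: whatever arrives in the request body is executed as server-side
// JavaScript. Input such as "process.version" is evaluated on the server.
function handleUnsafe(body) {
  // eslint-disable-next-line no-eval
  return String(eval(body.expr));
}

// Allowlist: digits, spaces, + - * / and parentheses, at most 64 characters.
// Anything else (letters, dots, brackets, quotes) is rejected before parsing.
const SAFE_EXPR = /^[0-9 +\-*\/()]{1,64}$/;

// Tiny recursive-descent evaluator for + - * / with parentheses and unary minus.
// It never hands the string to eval(), Function() or vm, so there is no path
// from user input to the JavaScript interpreter.
function evaluateArithmetic(src) {
  let pos = 0;
  const skipWs = () => { while (src[pos] === " ") pos++; };

  function primary() {
    skipWs();
    if (src[pos] === "(") {
      pos++;
      const v = expression();
      skipWs();
      if (src[pos] !== ")") throw new Error("expected )");
      pos++;
      return v;
    }
    if (src[pos] === "-") { pos++; return -primary(); }
    const start = pos;
    while (pos < src.length && src[pos] >= "0" && src[pos] <= "9") pos++;
    if (start === pos) throw new Error("expected number");
    return Number(src.slice(start, pos));
  }

  function term() {
    let v = primary();
    for (;;) {
      skipWs();
      const op = src[pos];
      if (op !== "*" && op !== "/") return v;
      pos++;
      const r = primary();
      v = op === "*" ? v * r : v / r;
    }
  }

  function expression() {
    let v = term();
    for (;;) {
      skipWs();
      const op = src[pos];
      if (op !== "+" && op !== "-") return v;
      pos++;
      const r = term();
      v = op === "+" ? v + r : v - r;
    }
  }

  const result = expression();
  skipWs();
  if (pos !== src.length) throw new Error("trailing input");
  return result;
}

// HARDENED: validate shape first, then evaluate with the parser above.
// Returns an HTTP-style {status, text} so callers can map it to a response.
function handleSafe(body) {
  const expr = typeof body.expr === "string" ? body.expr : "";
  if (!SAFE_EXPR.test(expr)) {
    return { status: 400, text: "invalid expression" };
  }
  try {
    return { status: 200, text: String(evaluateArithmetic(expr)) };
  } catch (e) {
    return { status: 400, text: "invalid expression" };
  }
}

// Stand-alone demo with constructed request bodies.
console.log("unsafe, 1+1          ->", handleUnsafe({ expr: "1+1" }));
console.log("unsafe, process.version ->", handleUnsafe({ expr: "process.version" }));
console.log("safe,   2 + 3 * (4 - 1) ->", handleSafe({ expr: "2 + 3 * (4 - 1)" }));
console.log("safe,   process.version ->", handleSafe({ expr: "process.version" }));

module.exports = { handleUnsafe, handleSafe, evaluateArithmetic, SAFE_EXPR };
```

The point of the hardened version is that the allowlist removes the characters an injected expression needs (letters, dots, quotes, brackets) before anything is parsed, and the parser itself only knows arithmetic, so even a string that passes the regex cannot reach `process`, `require` or any other Node.js global. The same pattern applies to any feature that would otherwise be built on `eval()`: validate the shape, then interpret it with code you wrote for that purpose.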
