JavaScript Injection With Example:

Overview:

JavaScript injection (or JavaScript source code injection) is closely related to HTML injection and cross-site scripting (XSS). In all of these cases user-supplied input is interpreted as code rather than data. The injected input may break out of the current context and switch the parser to another context, or it may stay in the current context and alter the source code there.



"Context" is the type of code and object into which the injection lands. For JavaScript injection this is most often the value of a JavaScript string literal that the server builds dynamically from input.



An example of breaking context is injecting script tags into HTML output. The developer expects the context to be HTML (a table cell, say), but an injected <script> tag with embedded script makes the browser stop parsing HTML and start executing JavaScript. That hand-off, from the HTML parser to the JavaScript engine, is the context switch.


Injection within a context is, for example, injecting HTML into HTML output: the page source is altered, but the browser is still parsing HTML, so the context does not change.


Discovery Methodology


To find an injection, use a canary to check for two conditions: first, that user-supplied or user-controlled input is incorporated into the JavaScript; second, that the input is not encoded when it is output.

Identify the possible input parameters. Does the page take input from a form field, a URL parameter, a cookie, or some other channel? HTTPFox and Burp Suite are good tools for seeing everything you send when you request a page (the request) and everything the server sends back (the response).


Once you have found the page's inputs, inject a simple canary such as "CANARY-INPUT-1" and search the response for it to see where it is reflected. If the input is used to build part of the JavaScript, it may be possible to break out of that context and inject attacker-controlled JavaScript. To test whether the output is encoded, inject a string that contains every character that matters, such as "CANARY123!@#$%^&*()_+-=[]{};':",./<>?", and compare what comes back character by character: any quote, angle bracket, semicolon or slash that survives unchanged is a candidate for ending the current instruction.


Do not search for the canary in the rendered page: the browser hides tags and attribute values, so a canary can be present in the source yet invisible on screen. Use the browser's "view source" to see the real response. HTTPFox shows the raw response body as well. Burp has more features and a steeper learning curve, but it keeps the source of every page you visit as you spider the site.


Exploitation


Once the canary (or canaries) is located, identify the characters needed to "end" the current instruction (for a JavaScript string literal, the closing quote and a semicolon), then the characters needed to neutralize whatever comes after the canary (typically a line comment, //), and put your injected code between the two.
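The discovery and exploitation steps above, as an added example that is not code from the original post. The template, parameter name and greet() function are hypothetical stand-ins for a server that drops a request parameter into a JavaScript string literal; the block reproduces the canary test, the two kinds of break-out (ending the string, and ending the whole <script> block), and the context-aware encoding that stops both.

```javascript
// Added example, not code from the original post. A hypothetical server-side
// template drops a request parameter into a JavaScript string literal; the
// functions below reproduce the canary test, the break-out, and the fix.

// The encoding canary from the discovery section.
const CANARY = "CANARY123!@#$%^&*()_+-=[]{};':\",./<>?";

// Vulnerable template (hypothetical): raw concatenation into a JS string.
function renderVulnerable(name) {
  return '<script>var user = "' + name + '"; greet(user);</script>';
}

// Fix: serialize for the JS string context, then neutralize the characters the
// HTML parser cares about. JSON.stringify handles quotes and backslashes; the
// extra replacements stop "</script>" from ending the block early, and escape
// the line terminators U+2028/U+2029, which engines before ES2019 reject
// inside string literals.
function jsStringEncode(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function renderHardened(name) {
  return "<script>var user = " + jsStringEncode(name) + "; greet(user);</script>";
}

// Discovery check: did the canary come back byte-for-byte, i.e. unencoded?
function isReflectedUnencoded(response) {
  return response.includes(CANARY);
}

// Exploitation payloads. The first ends the string and the statement, runs our
// code, and comments out the rest of the line. The second ignores JavaScript
// syntax entirely: the HTML parser ends a <script> block at the first
// "</script>" regardless of quoting, so escaping quotes alone is not a fix.
const BREAKOUT = '";alert(1);//';
const TAG_BREAKOUT = '</script><img src=x onerror=alert(1)>';

// HTML-level check: does a "</script>" appear before the template's own closer?
function scriptBlockEndsEarly(html) {
  const closer = "</script>";
  const first = html.indexOf(closer);
  return first >= 0 && first < html.length - closer.length;
}

// JS-level check: run the script body with stub greet()/alert() and report what
// happened. Returns the string greet() received, or "ALERT-FIRED" if the
// injected alert(1) ran instead.
function runScriptBody(html) {
  const body = html.replace(/^<script>/, "").replace(/<\/script>$/, "");
  let outcome;
  const greet = (u) => { outcome = u; };
  const alert = () => { outcome = "ALERT-FIRED"; };
  new Function("greet", "alert", body)(greet, alert);
  return outcome;
}
```

Note that the JS-level check alone passes the `</script>` payload on the vulnerable template: as JavaScript, `"</script><img ...>"` is a perfectly valid string. Only the HTML-level check catches it, which is why the encoder escapes `<` and `>` as well as quotes.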


Example

METHOD 1) DEVELOPER’S CONSOLE INJECTION

SIMPLE HTML PAGE

<script>
function verbose () { alert("Hello World!"); }
</script>
 
<input type="button" value="Test" onclick="verbose()"/>

For this first example we use this bare-minimum HTML page with a single button. Clicking it shows an alert box with "Hello World!", and we are going to use the developer's console to hijack that behavior by redefining verbose() at run time, since that is the function the button's onclick handler resolves when it is clicked.

METHOD 2) ADDRESS BAR JAVASCRIPT

SAMPLE PAGE

2-page.html
<input type="text" id="txt-field" value="uvuwewewe onyetenyevwe uvwewenum osas"/>

This is probably one of the oldest ways to do JavaScript injection: entering a javascript: URL into the address bar itself. For this method we work with this simple input field. Note that current browsers strip the javascript: prefix when a URL is pasted into the address bar, so it has to be typed in (or saved as a bookmarklet).
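Both Method 1 and Method 2 in working form, as an added example that is not code from the original post. The `page` object is a constructed stand-in for the browser's `window` (with the `verbose()` function from the first sample page and the text field from 2-page.html) so the block runs in Node; in a real browser you would type the console snippet and the javascript: URL directly against the live page.

```javascript
// Added example, not code from the original post. Covers Method 1 (developer
// console) and Method 2 (javascript: URL in the address bar) against a
// constructed stand-in for the sample pages; in a browser, `page` is `window`.

const shownAlerts = [];
const page = {
  alert: (msg) => shownAlerts.push(msg),
  // function verbose() from the first sample page
  verbose: function () { page.alert("Hello World!"); },
  document: {
    // <input type="text" id="txt-field" ...> from 2-page.html
    elements: { "txt-field": { value: "uvuwewewe onyetenyevwe uvwewenum osas" } },
    getElementById(id) { return this.elements[id] || null; },
  },
};

// METHOD 1, typed into the console. A function declared by the page's <script>
// is a property of window, so assigning window.verbose replaces what
// onclick="verbose()" resolves to the next time the button is clicked. Calling
// the original first leaves the visible behaviour unchanged, so nothing looks
// different to the user.
function hijackVerbose(win) {
  const original = win.verbose;
  win.verbose = function verbose() {
    original();
    win.alert("Hijacked!");
  };
}

// METHOD 2, typed into the address bar. The URL runs in the page's origin with
// full access to its DOM. void(...) matters: if the expression evaluates to a
// string, the browser replaces the current document with that string instead
// of leaving the page in place.
function addressBarUrl(newValue) {
  return "javascript:void(document.getElementById('txt-field').value=" +
    JSON.stringify(newValue) + ")";
}

// Stand-in for the browser's handling of a javascript: URL: drop the scheme and
// evaluate the remainder with the page's document in scope. The return value
// is what the browser would navigate to if it is not undefined.
function navigateTo(win, url) {
  const scheme = "javascript:";
  if (!url.startsWith(scheme)) throw new Error("not a javascript: URL");
  return new Function("document", "return (" + url.slice(scheme.length) + ")")(win.document);
}
```

The two methods are the same capability from different entry points: both run attacker-typed code in the page's own origin, which is why neither is a vulnerability in the site itself unless a victim can be tricked into typing the payload (the self-XSS scenario), and why the stored XSS in Method 3 is the one that matters to the site owner.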

METHOD 3) CROSS-SITE SCRIPTING (XSS)

DUMMY PAGE WITH COMMENT FORM

3-xss.html
<h1>LE NOOB WEBPAGE</h1>
<p>
  Lorem ipsum dolor sit amet, consectetur adipiscing elit. 
</p>
<h3>COMMENTS</h3>
<div>
  Well done! <script>alert("HAHA!");</script>
</div>

This final example is a little different. It is simple: submit a comment or review, but put your own <script> tag inside it, for example Well done! <script>alert("HAHA!");</script>.

But take note, this only works on websites with poor security. Without any checks, the site saves the comment to its database and loads the <script> tag into the comments section as-is, so every visitor who opens the page runs it. That's it. The page is done, and we can do all sorts of funny things by inserting our own scripts.
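The stored-XSS flow above, as an added example that is not code from the original post. The comment store, the render functions and the checker are hypothetical stand-ins for a site's comment feature; the block shows the vulnerable render next to the hardened one and a check a tester can run over the served HTML.

```javascript
// Added example, not code from the original post. A minimal comment store
// (hypothetical names) shows why the comment payload fires on a site with no
// output encoding, and what the fix looks like.

const PAYLOAD = 'Well done! <script>alert("HAHA!");</script>';

// "Database": the site stores whatever was submitted. Storing the raw text is
// fine; the mistake happens at render time.
const comments = [];
function saveComment(text) { comments.push(String(text)); }

// Vulnerable render: the stored comment is concatenated into the HTML as-is, so
// every visitor who loads the page runs the attacker's script (stored XSS).
function renderCommentsVulnerable() {
  return "<h3>COMMENTS</h3>\n" +
    comments.map((c) => "<div>\n  " + c + "\n</div>").join("\n");
}

// Fix: encode for the HTML context at output time. After this, "<script>" is
// text the browser displays; it never reaches the JavaScript engine.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderCommentsHardened() {
  return "<h3>COMMENTS</h3>\n" +
    comments.map((c) => "<div>\n  " + escapeHtml(c) + "\n</div>").join("\n");
}

// Response check for a tester: count <script> openers in the served HTML and
// subtract the number the template legitimately emits (none here).
function injectedScriptCount(html, expected = 0) {
  const found = (html.match(/<script\b/gi) || []).length;
  return Math.max(0, found - expected);
}
```

escapeHtml() is the right encoder only for the HTML body (and quoted attribute) context. A comment that is later echoed into a JavaScript string, a URL or an unquoted attribute needs that context's encoding instead, which is the whole point of the "context" discussion at the top of this page.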
