Counter JavaScript Injection Attacks with Comments Containing Random Tokens


Code injection via cross-site scripting (XSS) is one of the major JavaScript vulnerabilities that hackers exploit. During this type of attack, “an attacker invokes a method that is defined by a user, or supported by native (e.g., Array) or host (e.g., Document) objects. An attacker might inject a method definition followed by a call to perform malicious activities. In a method definition overriding attack, an attacker modifies the definition of an already implemented method that is provided by a programmer or supported by native or host objects” (2011, p. 105). This is very simple to do, and its implications are dire. The solution the authors propose to combat this type of attack is to generate a random token (in the paper's example, a randomized string of 32 characters) and place it in a comment at the beginning and end of each method. A table in the article (2011, p. 107) shows how this looks once implemented.

In addition to the above approach, they assign a unique ID to each method and append it to the token in the comments at the beginning and end of that method. If an injected method definition or call does not carry both the correct token and the correct ID assigned to that method, it is detected as malicious and dealt with accordingly.

Wow, this paper really intrigued me. I love to read about how people use little logical tricks like the ones displayed here to get around vulnerabilities in a platform. As I’m just learning JavaScript in this class, I had no idea what types of weaknesses were inherent in the language. Luckily, the language itself can be used to overcome its own weaknesses.

I had actually heard from random adventures throughout the internet that injections were one of the simplest and easiest tricks employed by people who are looking to do malicious things, but I had no idea they were that simple. Now I see why people were so angry over the rumor that Sony’s big cyber security fiasco from last year was caused by an injection.

Source:

Shahriar, H. and Zulkernine, M. (2011). Injecting Comments to Detect JavaScript Code Injection Attacks. 2011 IEEE 35th Annual Computer Software and Applications Conference Workshops (COMPSACW), pp. 104-109.