Javascript injection

by Caezar M
Summary:

This journal article is about ways to detect malicious code in JavaScript. As of the time of writing, there had been little success in determining whether malicious code had been injected into your server, because it is very difficult to differentiate between good and bad code. The authors have come up with a method that successfully detects malicious code: comment statements carrying identical random tokens are inserted at the beginning and end of each legitimate block of code. By testing response pages for blocks of uncommented code, they are able to remove attacker code. If a response page does contain comments, these are scanned for the random tokens, and any token present that is not valid is identified as attacker code and removed. The drawback the authors ran into was that this approach makes it very difficult to inject legitimate code because of the filtering system. The authors had good results and plan to build automated tools to handle these tasks.

Response:

It is interesting to see that there is more than one way to attack servers. In our database class we were enthralled by the rate at which SQL injection was proliferating all over the place. It is interesting to know that there is no lack of creativity among hackers. But this journal made me think that this process they came up with, however efficient, must take quite a bit of time to run; in this day and age we cannot waste any time in getting results, and anything that slows us down will take a toll on business. Other than that I am impressed with their unique strategy for solving JavaScript injection problems, and being able to block multiple types of injection attacks.


Shahriar, H., & Zulkernine, M. (2011). Injecting Comments to Detect JavaScript Code Injection Attacks. Computer Software and Applications Conference Workshops (COMPSACW), 2011 IEEE 35th Annual, 104-109.


4 thoughts on “Javascript injection”

  1. Due to the fact that hackers are constantly coming up with new techniques to attack websites and/or computers, it is imperative that the security experts in the world continue to monitor such attempts and combat them in the most efficient ways they can find. I have been in conferences where a SQL expert will be given a random website and within thirty minutes he is in the site changing the prices of the items for sale using SQL expressions. I am not at all surprised to see that people have been injecting JavaScript into websites. I would imagine that once this “bug” has been addressed, the hackers will simply find another way to circumvent the security in place.

  2. The technique sounds too tedious to handle as an everyday activity. If the creators had problems injecting legitimate code, then it sounds like a good first draft. But I agree with you completely: we do not have time to sit around and wait for results to pop up. The more time we spend waiting around, the more time we give to rogue hackers to achieve their goals.

  3. Maybe we should hire these hackers to hack-proof our sites for us? If there is a guy at a conference proving he can get into it, can’t he prevent himself from getting into it in the first place?

  4. It will always be hard to keep hackers away, and this method might work, but it sure will take some of your time away to implement. It’s ridiculous how easy some people can gain access, and I feel there will always be hackers that manage to squirm through, no matter how secure someone might think they are.
