Server-Side JavaScript Injection: Attacking NoSQL and Node.js

Presented at Black Hat USA 2011, Aug. 3, 2011, 1:45 p.m. (75 minutes).

Fallout from the browser wars has given us blazingly fast JavaScript engines, engines so fast that they're now being used for much more than just browsers. Server-side JavaScript (SSJS) is integral to many NoSQL databases such as MongoDB and Neo4j, and the web server framework Node.js is also built on SSJS. These projects post impressive benchmarks for speed and scalability, but does that speed come at the cost of security?

If you thought client-side JavaScript injection (better known as XSS) was dangerous, wait until you see what an attacker can do with server-side JavaScript injection (SSJI). In this talk, we'll demonstrate SSJI exploits against NoSQL and Node.js applications that let attackers read, write, upload and execute arbitrary files anywhere on the server. We'll also demonstrate that the programming errors that lead to these vulnerabilities are just as simple as the ones that lead to XSS: untrusted input reaching eval() or a string-built database expression. Finally, we'll conclude the presentation with techniques you can use to find and fix SSJI vulnerabilities in your own applications.

