Threat intelligence API Docs Pricing Resources Contact us

Blog

Read the other articles

How To Avoid JavaScript Injection Attack

Posted on March 18, 2020
3 Ways to Prevent JS Injection Attack

As a web application tool, JavaScript is often run on the client-side so that the developers of a web service can implement a desktop-like view and provide a similar experience to users. JavaScript Injection, also known as JS Injection, injects a JavaScript code that can run on the user's end of the website. It is the client-side injection where a user can insert JS code onto a page through the URL link bar or by finding a Cross-Site Scripting vulnerability on the website. An attacker creates a way to inject a payload (malicious JS code) onto a web page visited by the victim, which the attacker can then engineer to perpetrate their crime(s).

Implications of a JS Injection Attack

JS injection vulnerability is commonly addressed by Cross-Site Scripting (XSS). JavaScript Injection attacks cause disruptive implications including identity theft and hijacking. The crimes can include hijacking users’ browsing sessions and cookies. It is also used as a precursor for phishing attacks, webworms, and keystroke logging. Therefore, the entering of a sensitive piece c information on a JS injection compromised page opens the data to being grabbed and sent to another location/website. Various JS injection targets include:

  • forums
  • guestbooks
  • comment fields
  • any other form with user-editable text box

JS injection typically changes the website's appearance and is able to let the attacker change certain parameters. The consequences range from information leak to damaged website designs, which can be done with the aid of social engineering tricks.

Checking for JS injection

The testing of JS injection is very important, and the vulnerability test should be incorporated as a standard test in an organization’s security testing routines.

  • The first test to run is the possibility of JS injection. This is done by going to the browser's address bar and inputting the code: JavaScript:alert(‘Executed!');
  • An 'Executed!' pop-up on the screen shows that the website is vulnerable to JS injection attack.
  • Use regex on user's input. There are different libraries and each uses a varying and customized regex.

Using regex, though, can be complex, depending on the complexity of the regex string in the library used. Knowing the part of the website injected with a JS attack is the precursor to figuring out the best way to check for such attacks.

Prevention and Protection from JS Injection Attacks

The first step to protection is the prevention of the attack, and this starts with validating every received input before submission. Input details should be validated at all times and not only at the point of data entry. Security protocols should be installed and website owners or managers must not only rely on the client-side validation, but also on a logic analysis on the server-side.

1. HTML Encode in the View

HTML encoding is one of the most popular JS injection mitigation techniques. In this approach, the data entered by website users, during display are encrypted with the use of special characters. By encoding a feedback.message with HTML, the value that will be shown in the view is:

<%=Html.Encode(feedback.Message)%>

To HTML encode, a string of characters including, < and > are replaced with different entities such as < and >. Therefore, in a typical string like <script>alert("Confirm!")</script> becomes <script>alert("Confirm!")</script> . This language is then interpreted by the browser, to show a harmless message, <script>alert("Confirm!")</script> , instead of a Pop-up alert.

2. HTML Encode in Controller

Instead of HTML encoding data when displayed, the data can be alternatively encoded before it is submitted to the database. This is done in the controller case controller.cs.

To do this right, the message value must be HTML-encoded before the value is submitted to the database within the create ( ). With this method, however, you will have HTML-encoded data in your database.

Some also make an attempt to protect JavaScript injection by changing the quotes to double. The issue with this is that the JavaScript code will not be executed. For example, a <code> ... <code/> will be rewritten as <<code>> ... <</code>>. The latter will not be executed.

3. Using Vulnerability Test Tools

Certain technological tools, like Domain Reputation API, exist to help detect JavaScript vulnerabilities in your code at every Software Development Life Cycle (SDLC) stage. By integrating a security tool into your Integrated Development Environment (IDE), you can stay up to date with updated and standard security protocols.

Conclusion

Being a widely used technology, JavaScript injection should be reckoned as a way that websites can be exploited in. Websites and apps that use this technology must be tested against this attack in question. JS injection testing should be incorporated in every security process of an enterprise.

Read the other articles
Have questions?

We work hard to improve our services for you. As part of that, we welcome your feedback, questions and suggestions. Please let us know your thoughts and feelings, and any way in which you think we can improve our product.

For a quick response, please select the request type that best suits your needs.

Or shoot us an email to

Threat Intelligence Platform uses cookies to provide you with the best user experience on our website. They also help us understand how our site is being used. Find out more here. By continuing to use our site you consent to the use of cookies.