Code Injection in Javascript: Prevention and Remediation

Nedim Maric

What is Code Injection in Javascript?

Code Injection is a common vulnerability that occurs when an attacker is able to inject malicious snippets of code into the victim’s web application. 

Exploiting this vulnerability could have catastrophic consequences for your website or application, as the attacker can gain complete control.

Let’s  take a look at how code injection works and what you, as a security-minded developer can do to prevent it. 

Code injection is considered a critical vulnerability because an attacker can completely take over your system after discovering code injection vulnerability on your website. There’s been countless examples over the years of code injection making its way into web applications and causing mayhem. Even though that’s been limited recently with higher global security standards, it’s still a weak point for many developers and a problem that won’t disappear so easily.  JavaScript is particularly vulnerable to malicious code injection because of the simple process an attacker can use to exploit this vulnerability, by simply using <script> tag in order to inject malicious code.

This typically  happens when a developer doesn’t pay attention to validating form inputs. However, input fields aren’t the only way for an attacker to send the malicious code into your website; adding  JavaScript via address bar, or console developer tools are also common attacks vectors. 

In this article:

Examples of Code Injection in JavaScript

Developer tools might sound like a completely safe environment, with all the changes made locally with no direct threat towards your website, however, this is a dangerous assumption. Although an attacker can’t cause any direct harm via using developer tools, they can test and debug your website endlessly without you ever knowing about it. 

Using Event Listeners

For example, let’s look at this simple situation: 

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Vulnerable Website</title>
</head>
<body>
    <input type="button" onclick="randomScript()">
</body>
</html>

Random function could have a line of code something like:

function randomScript(){
  alert("Test!");
}

All the attacker has to do after opening the website is to inspect element for  the button on the page. This will allow them to see the “Event Listeners” tab, where they could see the randomScript() function code. 

An attacker could then change the onclick event to a script that they create in a console (that supports JavaScript and jQuery). 

Even though this example is harmless in itself, it shows the power that an attacker could have in debugging your website. However, the next example will show you the real impact that  code injection can have on your website. 

Code Injection in User-submitted content

Let’s say that you created an online forum. Just like with any other forum, users can submit their comments amongst other things, such as a malicious attempt of injecting JavaScript into your website via comments.

So, instead of writing a regular comment, a user might add “Comment on a forum <script>alert(“Hacked Website”);</script>”. 

In case of an unprotected website, this snippet of code would be sent to the database, and then displayed for other users who open this page on the website. This directly affects all the visitors, and is a good example of a simple vulnerability that results in serious harm. In this specific example, an attacker could even place their own affiliate ads on your website, thus earning additional income .

Preventing Code Injection Attack in JavaScript

There are several things we could do in order to prevent code injection attacks in javascript. While they may not all be applicable for your projects, you’ll still find some of them useful and they might come in handy. 

Whitelisting 

Creating a whitelist for users to choose from. This one is pretty self-explanatory – your job is to set possible values in advance, thus giving the end-user a limit range of options to choose from. This is perhaps the safest way to go about preventing code injection in javascript, but it’s often impractical.

Input Validation

Unlike whitelisting, input validation is much more flexible in terms of possibilities for the end-user. It allows you to invalidate a certain set of characters that you might find threatening in that they could cause code injection. It’s a bit more demanding way of safekeeping your web apps than whitelisting, but it sure is the mandatory one as often you’ll have no other options. 

WAF

The web application firewall (WAF) is one of the best tools to utilize if you’re to protect your web applications. It prevents malicious attacks from hackers and makes sure that no important data leaks out to the end-user. You should make it a habit of setting up WAF as it could save you a lot of headaches in the future. 

Conclusion

Code injection is a massive security issue all around the web, and even more so when it comes to JavaScript. This is what makes JavaScript such a desirable target for the attackers, but if you’re able to apply some of the techniques in this article, then you should be able to go through deploying your web application stress-free, knowing that you’re protected from potential code injection.

However, if you want to be 100% sure, you might as well create a free Bright account and test your applications free of charge as soon as today!

Secure your app with every build

Sign up for a FREE Bright account.
Related Articles
Categories