In a previous blog post I discussed a critical class of web attacks known as code injection attacks. In particular, I presented a subset of such attacks in which the targeted entities reside on the server. Here we will talk about the emerging subset of dynamic code injection attacks, which, beyond server-side entities, also threaten network-oriented applications hosted on a client machine, such as the browser and messaging applications.
Python, Perl and PHP are languages that can interpret themselves and execute code at run time through a method called eval. Specifically, eval is a function that evaluates a string as though it were an expression and returns the result. A simple example of a dynamic language-driven attack is an input string that is fed into an eval() function call, e.g., in PHP:

$variable = $_GET['var']; $input = $_GET['value']; eval('$variable = ' . $input . ';');
Keep in mind that in PHP, the predefined $_GET variable is used to collect values submitted from an HTML form with method="get". In this case, the user may pass, in the value parameter, code that will execute on the server. If value is 10; system('touch foo'); then a file will be created on the server; it is easy to imagine more detrimental instances.
If a malicious user could post data containing the above script, web users reading this data could have their cookies stolen. Through this script the attacker calls an external CGI (common gateway interface) script and passes all the cookies associated with the current document to it as an argument via the
<div id=code style="background:url('java script:eval(document.all.code.expr)')" expr="alert('xss')"></div>
The attacker utilizes the eval function and a newline character ("java\nscript") to bypass the security checks and manoeuvre the user's browser into executing the code contained in the expr attribute. This is done by using the document.all collection, which contains all of the elements within a document. Malicious users can also use eval to assemble innocuous-looking parts into harmful strings that a web page's protective mechanisms would normally recognize as dangerous and remove.
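The split-scheme trick above works because a naive filter compares the raw string, while the browser first strips ASCII tab, newline and carriage return from a URL before reading its scheme. The following is an added example, not code from the original post: a naive prefix check beside a hardened check that normalizes the value the same way the browser does and then allows only an explicit list of schemes. The function names, the allowlist and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example (not from the original post): URL-scheme filtering for
// values that end up in href/style attributes.
// Assumed allowlist of schemes an application is willing to render.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Naive filter: rejects only the literal lowercase prefix, so "java\nscript:",
// mixed case, or a leading control character all slip through.
function naiveIsSafeUrl(url) {
  return !String(url).startsWith("javascript:");
}

// Hardened filter, mirroring the browser's own URL normalization:
//  1. strip leading and trailing C0 controls and spaces (U+0000..U+0020),
//  2. remove ASCII tab, LF and CR anywhere in the string,
//  3. extract the scheme case-insensitively and compare against the allowlist.
function isSafeUrl(url) {
  let s = String(url).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) {
    // No scheme present: a relative URL cannot select the javascript: handler.
    return true;
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample inputs, including the split-scheme payload from the post.
const SAMPLES = [
  "https://example.com/page",
  "/relative/path",
  "javascript:eval(document.all.code.expr)",
  "java\nscript:eval(document.all.code.expr)",
  "JaVaScRiPt:alert(1)",
  "\u0001javascript:alert(1)",
];

// Run one checker over all samples; returns [input, verdict] pairs.
function classify(checker) {
  return SAMPLES.map((u) => [u, checker(u)]);
}

// Count how many samples a checker lets through.
function acceptedCount(checker) {
  return classify(checker).filter(([, ok]) => ok).length;
}
```

The naive checker accepts five of the six samples, the hardened one only the two that carry no dangerous scheme.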