I really dislike snow #snow #winter #winta #cold #canada #toronto #416 #janestrip #ssjs
New Website Address
South Stanley Junior School's web site address has changed. It is now http://www.southstanleyjuniors.co.uk
Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS)
Jeff Darcy wrote a while back about the (lack of) security in NoSQL databases. Unfortunately, things haven’t changed much, and if you check the NoSQL + Node.js applications I’ve posted lately you’ll notice that some of them ignore security completely.
And there are some people realizing the risks and starting to express their concerns:
Playing with MongoDB lately, I’m getting scared. Because I’m seeing some really bad practices out there. Seeing it in live code. In tutorials.
Bryan Sullivan (Senior Security Researcher, Adobe Secure Software Engineering Team) has published a paper (PDF) explaining some of the possible server-side JavaScript injection attacks and the risks the apps and the data are exposed to. Teaser: he can do pretty much everything.
It should be noted that exploitation of server-side JavaScript injection vulnerabilities is more like that of SQL injection than of cross-site scripting. SSJS injection does not require any social engineering of an intermediate victim user the way that reflected XSS or DOM-based XSS do; instead, the attacker can attack the application directly with arbitrarily created HTTP requests.
Because of this, defenses against SSJS injection are also similar to SQL injection defenses:
Avoid creating “ad-hoc” JavaScript commands by concatenating script with user input.
Validate user input used in SSJS commands with regular expressions.
Avoid use of the JavaScript eval command. In particular, when parsing JSON input, use a safer alternative such as JSON.parse.
Remember there’s no such thing as security through obscurity.
Original title and link: Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS) (NoSQL database©myNoSQL)
A nice summary of the state of affairs of server-side JavaScript by Kris Zyp.