Categories of Tainted Data Expressions in ECMAScript

ECMAScript Insecurities and Prevention – Part 2

ECMAScript 6

Foreword: In this part of the series I talk about the categories of expressions, which an attacker (hacker) can use to send in wrong data or wrong code into an ECMAScript program.

By: Chrysanthus Date Published: 16 Jul 2016

Introduction

This is part 2 of my series, ECMAScript Insecurities and Prevention. In this part of the series I talk about the categories of expressions, which an attacker (hacker) can use to send in wrong data or wrong code into an ECMAScript program. An ECMAScript program is an ECMAScript script. In this series, once a user sends successfully wrong data or wrong code into an ECMAScript program, we say the program has been hacked. The consequences of the hacking, such as financial benefit, false information, knowing credentials or destruction of program flow and other ills, are not really addressed. In this series, you learn about insecure expressions and how to prevent them from being exploited by hackers. You should have read the previous part of the series before coming here, as this is a continuation.

Prevention of hacking can be summarized as follows: Wrong data or wrong code, should not enter the program. While wrong data or wrong code is in the program, it should not disrupt the program flow or result in wrong values. Wrong data should not leave the program for other destinations, because of wrong data inputted or wrong code inputted.

Tainted
The verb, taint, means to damage or spoil the quality of something. Tainted, is the adjective. In ECMAScript, I describe any expression that a hacker can use to cause damage as tainted. However, do not worry; in this series, you will learn tainted data expressions and also how to block them from being abused by hackers. A tainted expression is legitimate coding; you need to learn how to prevent them from being exploited by hackers. Untainting, means preventing the expression from being exploited by the hacker.

Tainted Data Expressions
Taintedness is associated with a scalar value. What is a value? A scalar variable can have a value, which is undefined, null, a number, a string or a reference. If a function is identified by a reference variable, then the whole function code is a kind of value; actually, the reference is a value to the scalar variable.

In this section I give you the categories of tainted expressions in ECMAScript:

- Scalar Value

- Array, Set and Map

- Function Expressions
Function expressions are of the forms:

fn = function (args) {}
fn = (args)=>{}

These are function definitions with arguments, (args), where the function name is a dereference of the function reference.

- Prototype
Assigning prototype to a function constructor or assigning properties to the prototype.

- eval Function

Compile Time and Run Time
When you code an ECMAScript program and you execute it, there are two phases to the execution, which are compilation and running. When any ECMAScript program is executed, there is a minimal compilation of the whole program before the running of the whole program. Compile time is when syntax errors are checked. Runtime is when the program receives input and sends output.

Brief Explanation of Tainted Data Expression
In this section, I give brief explanations of the tainted data expressions in ECMAScript, (and I also indicate prevention).

Scalar Value
A scalar valued coded (assigned to a variable) in the program, is not much of a problem. Problem comes with scalar values received as input from a user, input as command line arguments, input from environment variables, input as feedback result from system (operating system) calls such as readdir(), input as operating system password. Problem can also result from a variable that is not constant.

The way to prevent such input value from having wrong data or wrong code, is to validate the input. I talk about the details in a different part of the series.

Array, Set and Map
An element can be deleted, changed or the number of elements can be increased. I will say more about this and prevention, in a later part of the series.

Function Expressions
Examples of function expressions are:

foo = function (args) {}
foo = (args)=>{}

In these two examples, foo() is a dereference operation. In either of them foo is holding the reference to the function. Either of the functions is called by using the reference to the function. This means, in each case, the function is a kind of value to the reference variable; actually, the reference is a value to the scalar variable. For these two examples, both calls are for the same function foo.

A hacker can figure out (determine) the variable, foo, and replace the reference with a reference to a different function. This other function can be a function in your code; it can be a function in a module (library) that you are using; or it can be a function code sent into your code as ordinary input for an eval function.

As you can see, this is clearly dangerous. I will say more about symbolic sub references and prevention, in a later part of the series. Also note that the hacker can just replace the code for the variable with, undefined (or null).

Prototype
An example of prototype coding is:

        function ConstfFn()
            {

            }

        proto = new Object();

        proto.num1 = 3;
        proto.num2 = 4;
        proto.add = function ()
            {
                sum = this.num1 + this.num2;
                return sum;
            }

        ConstfFn.prototype = proto;

        obj = new ConstfFn();

        answer = obj.add();

        alert(answer);

Now, obj is a kind of copy of the prototype object. A different prototype can be assigned to the constructor function to cause trouble. Try the following code:

        function ConstfFn()
            {

            }

        proto = new Object();

        proto.num1 = 3;
        proto.num2 = 4;
        proto.add = function ()
            {
                sum = this.num1 + this.num2;
                return sum;
            }

        protoTrouble = new Object();

        protoTrouble.num1 = "trouble ";
        protoTrouble.num2 = " trouble";
        protoTrouble.add = function ()
            {
                sum = this.num1 + this.num2;
                return sum;
            }

        ConstfFn.prototype = protoTrouble;

        obj = new ConstfFn();

        answer = obj.add();

        alert(answer);

The output is “trouble trouble” instead of 7.

I will say more about this and prevention, in a later part of the series.

eval Function
The syntax for the eval() function is:

    eval(x)

where x is a non-string literal or a string (quotes) consisting of one or more statements separated by semicolons.

If x has input at runtime, then any unsafe code can be injected.

I will say more about the eval function, and prevention, in a later part of the series.

A Hacker
The word, hacker, actually has two meanings: a good meaning and a bad meaning. In this series, it is the bad meaning we use for the word, hacker. A hacker can be somebody who has no permission for the ECMAScript program. In this case his work is most difficult and he has to rely on operating system input to the program, network input to the program, environment variable input to the program, and input as feedback result from system calls.

If he has at least the read permission, his work becomes less difficult. If he has the read and execute permissions, his work becomes even less difficult.

So, with ECMAScript, a hacker may be a non-user of the program, or he may be a user who has some permissions to the program.

Never give the write permission to any user you do not trust. Because, if the person is a hacker, you open all the doors to him.

That is it for this part of the series. Let us stop here and continue in the next part.

Chrys

Broad Network

Related Articles

Categories of Tainted Data Expressions in ECMAScript

ECMAScript Insecurities and Prevention – Part 2

ECMAScript 6

Introduction

Related Links

Comments