Broad Network


Tainted Scalar Values and Prevention in ECMAScript

ECMAScript Insecurities and Prevention – Part 3

ECMAScript 6

Foreword: In this part of the series I talk about tainted scalar values and prevention in ECMAScript.

By: Chrysanthus Date Published: 16 Jul 2016

Introduction

This is part 3 of my series, ECMAScript Insecurities and Prevention. In this part of the series I talk about tainted scalar values and prevention in ECMAScript. The verb, taint, means, to damage or spoil the quality of something. Tainted scalar value means input scalar value to an ECMAScript program (script) that is wrong datum (singular for data) or wrong code. You should have read the previous parts of the series before coming here, as this is a continuation.

In this series, once a user successfully sends wrong data or wrong code into an ECMAScript program, we say the program has been hacked. The consequences of the hacking, such as financial benefic, false information, knowing credentials or destruction of program flow and other ills, are not really addressed. In this series, you learn about ECMAScript insecure data expressions and how to prevent them from being exploited by hackers.

Prevention from hacking can be summarized as follows: Wrong data or wrong code, should not enter a program. While wrong data or wrong code is in the program, it should not disrupt the program flow. Wrong data or code should not leave the program for other destinations, because of wrong data inputted or wrong code inputted.

Taintedness is associated with a scalar value.

How can wrong scalar value affect a program flow adversely? A scalar value that has been assigned to a variable by the good programmer can be replaced by a new value at run time from input. This new value can be wrong datum or wrong code. A scalar variable that never had a value assigned to it, can still receive wrong datum or wrong code.

What is a scalar value? A scalar value is a number or a string or a reference or undefined or null. A scalar value is a primitive value. The argument to a function can be a scalar value.

Can a hacker figure out the name of an ECMAScript variable? – Yes: in two ways: Firstly, if the hacker has read permission to the ECMAScript executable file, then he can open the file for reading and see the names of all the scalar variables in the program. Secondly, if the hacker does not have read permission, with some patience, he can work out (determine) the name of the variable because of the following reasons:

Any good programmer chooses a variable name that is easy to remember and that has meaning for the normal use of the variable. The hacker can use this scheme to work out the name of the variable. With some more patience, he can test for all the combinations of characters for the variable, because the hacker is a programmer like the good programmer; he knows the rules that govern the naming of the variable:

So a hacker can write a program to display all the possible combinations of characters for a variable. The output will take time, but he will still arrive at what the good programmer has chosen.

The solution is not to write a variable that is complex, difficult to remember and does not indicate its meaning. The solution is to lock all the exploiting means of the hacker; and that, you learn in this series.

Effect of wrong Data Input or Wrong Code Input
If a good program is expecting an email address, it should not receive a URL. If it accepts a URL, the use of the input will be wrong. A wrong code input is input that will affect the program interpretation just to cause trouble, or to gain some selfish benefit for the hacker. Wrong data or wrong code can come in as scalar input. The problem of wrong code or wrong data is minimized using validation.

Validation is to check if the input you are expecting is the correct type of input. If you are expecting an email address, you should not have a URL. If you have a URL, do not use it; send a feedback message to the user (client) that the input was wrong, so that he can try again.

Validating a Number Input
If you are expecting a number, use the following code for validation:

    var variab;   // holds the supposed input number
    var isItNumber = isFinite(variab)  //true for number and false otherwise

isFinite() is a property of the global object in ECMAScript.

Validating a Boolean Input
If you are expecting a Boolean input, use the following code for validation:

    var variab;   // holds the supposed Boolean input

    function isBoolean(variab)
        {
            if (variab == true)
                {
                    return true;
                }
            else if (variab == false)
                {
                    return true;
                }
            else
                {
                    return false;
                }
        }

    var isItBoolean =  isBoolean(variab);   //true for Boolean and false otherwise

If variab is true, false, 1 or 0, then the return value is true, otherwise it is false.

Validating Email Input
If you are expecting an email address, you can use the following code for validation:

    var variab;    //holds the input address
    variab = variab.replace(/^\s*|\s*$/g, "");   //remove leading and trailing whitespaces

    function isEmail(variab)
        {
            var temp = 0;
        
            if (variab.search(/^[0-9a-zA-Z_\.-]{1,64}@[0-9a-zA-Z_-]{1,252}(\.[0-9a-zA-Z_\-]{2,4}){0,2}$/) != -1)
                {
                    temp = 1;
                }

            if (temp == 1)
                {
                    if (variab.length <=254)
                        {
                            return true;
                        }
                    else
                        {
                            return false;
                        }                                    
                }
            else
                {
                    return false;
                }
        }

    var isItEmail =  isEmail(variab);   //true for email and false otherwise

Validating URL Input
If you are expecting a URL, you can use the following code for validation:

    var variab;    //holds the input
    variab = variab.replace(/^\s*|\s*$/g, "");   //remove leading and trailing whitespaces

    function isURL(variab)
        {
            if (variab.search(/^(http|https):\/\/[0-9a-zA-Z_\-\.]{1,64}(\/[0-9a-zA-Z_\-\.]{1,64})?(\?[0-9a-zA-Z_\-=&]{1,64})?/) != -1)
                {
                    return true;
                }
            else
                {
                    return false;
                }
        }

    var isItURL =  isURL(variab);   //true for URL and false otherwise

Validating IP Input
If you are expecting an IP address, you can use the following code for validation:

    var variab;    //holds the input
    variab = variab.replace(/^\s*|\s*$/g, "");   //remove leading and trailing whitespaces

    function isIP(variab)
        {
            if (variab.search(/^[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}$|^[\da-fA-F]{1,4}:[\da-fA-F]{1,4}:[\da-fA-F]{1,4}:[\da-fA-F]{1,4}:[\da-fA-F]{1,4}:[\da-fA-F]{1,4}:[\da-fA-F]{1,4}:[\da-fA-F]{1,4}$/) != -1)
                {
                    return true;
                }
            else
                {
                    return false;
                }
        }

    var isItIP =  isIP(variab);   //true for IP and false otherwise

Validating Short Text Input
If you are expecting short text, such as the first name of a person or the name of an object or characteristic of an object, use the following code for validation. Such text should contain only word characters, and may contain hyphen, @, dot, apostrophe or space.

    var variab = "";    //holds the input
    variab = variab.replace(/^\s*|\s*$/g, "");   //remove leading and trailing whitespaces

    function isGoodText(variab)
        {
            if (variab.search(/^[-\@\w.' ]+$/) != -1)
                {
                    return true;
                }
            else
                {
                    return false;
                }
        }

    var isItGoodText = isGoodText(variab);   //true for short text and false otherwise

Validating Input with Known Text Pattern
If you are expecting input of text with known pattern, you can use code similar to the following (with regex):

    var variab;  // holds the input
    variab = variab.replace(/^\s*|\s*$/g, "");   //remove leading and trailing whitespaces

    function isPattern(variab)
        {
            if (variab.search(/c.rk/) != -1)
                {
                    return true;
                }
            else
                {
                    return false;
                }
        }

    var isItPattern = isPattern(variab);   //true for pattern and false otherwise

String
To test whether a variable holds a string , use:

    var variab;  // holds the input
    variab = variab.replace(/^\s*|\s*$/g, "");   //remove leading and trailing whitespaces

    function isString(variab)
        {
            if (variab.search(/\D/) != -1)
                {
                    return true;
                }
            else
                {
                    return false;
                }
        }

    var isItString = isString(variab);   //true for pattern and false otherwise

You will still need to test whether it is a URL, email, number, etc.

However, if the string is coming from a module, you should be careful. If the string in the module, is a template string, there might be interpolation.

Constant
Re-assigning a primitive value to a variable, in a program, can be a problem. If you do not want a variable to be reassigned, in the declaration, precede the variable with const, as in:

    const variable = value;

then the value (assignment) cannot be changed.

The Issue of Knowing Variable Name
If a hacker can know a variable name in your program, the obvious way for him to inject wrong code is as input argument or part of input argument to an eval function. He can also inject wrong code through a module. I will talk about the eval() function and module later.

Time to take a break. We stop here and continue in the next part.

Chrys

Related Links

ECMAScript Basics
ECMAScript Operators
Expressions in ECMAScript
Statements in ECMAScript
Custom Objects in ECMAScript
Functions in ECMAScript
ECMAScript Date Object
The ECMAScript String Object
ECMAScript String Regular Expressions
ECMAScript Template Literal
The ECMAScript Array
ECMAScript Sets and Maps
ECMAScript Number
Scopes in ECMAScript
Mastering the ECMAScript (JavaScript) eval Function
Sending Email with ECMAScript
ECMAScript Insecurities and Prevention
Advanced Course
Advanced ECMAScript Regular Expressions
Promise in ECMAScript 2015
Generator in ECMAScript 2015
ECMAScript Module
More Related Links
Node Mailsend
EMySQL API
Node.js Web Development Course
Major in Website Design
Low Level Programming - Writing ECMAScript Module
ECMAScript Course

BACK NEXT

Comments

Become the Writer's Follower
Send the Writer a Message