AttackFlow Findings Dictionary


Remote Client Side Code Injection

An attacker can inject unauthorized client-side code from a remote code repository and run it on the target container, which leads to information disclosure or total system compromise.

Severity

Critical

Fix Cost

Low

Trust Level

High

Applications rarely have the requirement of dynamically running user-supplied client-side code. To implement this requirement, programming languages provide APIs for dynamic interpretation of strings as code.

Suppose the backend code is similar to the following snippet:

// The script URL is taken directly from the request parameter "includedURL".
Page.ClientScript.RegisterClientScriptInclude(
    "RequestParameterScript",
    HttpContext.Current.Request.Params["includedURL"]
);

Or suppose it is similar to the following code snippet:

public void Page_Load(Object sender, EventArgs e)
{
    // Define the name, type and url of the client script on the page.
    String csname = "ButtonClickScript";
    // User-controlled: the script URL comes from the request parameter "url".
    String csurl = Request.Params["url"];
    Type cstype = this.GetType();

    // Get a ClientScriptManager reference from the Page class.
    ClientScriptManager cs = Page.ClientScript;

    cs.RegisterClientScriptInclude(cstype, csname, csurl);
}

Finally, here is another piece of code that accepts user input to form dynamic client-side code:

// Builds a <script> element whose src attribute is the request parameter "url".
HtmlGenericControl Include = new HtmlGenericControl("script");
Include.Attributes.Add("type", "text/javascript");
Include.Attributes.Add("src", Request.Params["url"]);
this.Page.Header.Controls.Add(Include);

All of the above code takes a string provided by the user and uses it at the backend as the source URL of a client-side script. Here a malicious user can include any remote client-side code, which then runs in the target users' browsers and allows the attacker to steal user information.
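
One way to constrain the `url` parameter before it reaches `RegisterClientScriptInclude`, shown as an added example that is not AttackFlow's own code. The class `ScriptIncludePolicy`, the method `TryGetSafeScriptUrl` and the host `static.example.com` are assumptions made for illustration, and the sample inputs are constructed.

```csharp
using System;
using System.Collections.Generic;

public static class ScriptIncludePolicy
{
    // Assumption: the only origin this application loads scripts from.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "static.example.com" };

    // Returns true and a normalized URL only for https://<allowed host>/....js
    public static bool TryGetSafeScriptUrl(string requested, out string safeUrl)
    {
        safeUrl = null;
        Uri uri;
        if (string.IsNullOrWhiteSpace(requested) ||
            !Uri.TryCreate(requested.Trim(), UriKind.Absolute, out uri))
            return false;                                   // relative, scheme-less or malformed
        if (uri.Scheme != Uri.UriSchemeHttps) return false; // http:, javascript:, data:, file:
        if (uri.UserInfo.Length != 0) return false;         // allowed name used as userinfo
        if (!uri.IsDefaultPort) return false;
        if (!AllowedHosts.Contains(uri.Host)) return false; // exact match, no suffix matching
        if (!uri.AbsolutePath.EndsWith(".js", StringComparison.OrdinalIgnoreCase))
            return false;
        safeUrl = uri.AbsoluteUri;
        return true;
    }

    // In the Web Forms page the include then becomes:
    //   string safe;
    //   if (ScriptIncludePolicy.TryGetSafeScriptUrl(Request.Params["url"], out safe))
    //       Page.ClientScript.RegisterClientScriptInclude(GetType(), "ButtonClickScript", safe);
    public static void Main()
    {
        // Constructed sample values for the "url" request parameter.
        string[] samples = {
            "https://static.example.com/js/menu.js",
            "http://static.example.com/js/menu.js",
            "https://static.example.com.attacker.test/x.js",
            "https://static.example.com@attacker.test/x.js",
            "//attacker.test/x.js",
            "javascript:alert(1)"
        };
        foreach (string s in samples)
        {
            string safe;
            bool ok = TryGetSafeScriptUrl(s, out safe);
            Console.WriteLine("{0,-48} -> {1}", s, ok ? safe : "rejected");
        }
    }
}
```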
