Wednesday 1 November 2017

The role of Javascript in hacking

Many of you may have heard of the "JavaScript code injection" technique. Today we cover the basics needed to understand JavaScript code injection attacks: how they work, what an attacker can achieve with them, and how to avoid becoming a victim of this type of attack when we are the ones defending a web portal.

What is Javascript?

JavaScript is an interpreted programming language, not a compiled one: the browser reads the source code directly when it loads the page and interprets it. This means that we do not download an .exe, .com or other already compiled file and run it to get a result; instead, the code to execute is inserted into the source code of our website and, just as with HTML, the browser reads it and does what it says.
It is a scripting language, so a JavaScript program is made up of small scripts; each script is a mini-program that is interpreted line by line while the application continues its normal execution.
It is an event-driven language: JavaScript can detect many events and react to them with an action we have programmed. An event is something that happens during the interaction between the user and the browser. Because execution is driven by events, there is no main function that runs before the others; instead we have several functions that run when the corresponding event occurs.
It is an object-oriented language, although it is more accurate to say that its structure is based on objects. Technical details aside, the point is that it has a library of predefined objects that we can use to make writing our scripts easier.

What is Javascript used for?

The main function of JavaScript is to give orders to the user's browser so that it does exactly what we want. From the point of view of hacking and computer security this is undoubtedly an attractive feature, because it lets us interact with the user's browser directly. With JavaScript we can validate an HTML form to stop the user from sending us erroneous data; for example, we can detect mandatory fields left empty and, when the user clicks send, tell them to fill in those fields first, because otherwise they will not be able to complete the registration. With JavaScript we can create all those image transition effects that we see on so many web pages. For some years now there has been a library of JavaScript functions called jQuery; it is free and open source and you can download it without any problem. In short, JavaScript was developed with the clear intention of improving the user's experience on a website.

What role does Javascript play in hacking?

JavaScript is a key and fundamental piece in a multitude of hacking techniques that we will see later: it has a place in phishing techniques, in advanced Cross-Site Scripting (XSS) attacks, and in many other techniques that we will describe once we have the bases to understand how they work and how they are used.
As you may have noticed, any program that interacts directly with the user is a potential threat to that user: when you can give orders to someone's PC without the owner "authorizing" it, you are gaining control over their machine. JavaScript does exactly this, giving orders to the user's browser. Normally that is to improve the browsing experience, but, like every technology, it has also been used to damage the victim's computer, access confidential information or take total control of the machine. Over the years browsers have evolved, gaining security and blocking JavaScript that attempts to undermine the security of the machine; in parallel, browser plugins have been developed that prevent any JavaScript code at all from running on the computer. A very popular plugin that does this is NoScript. The problem with this type of plugin is that preventing JavaScript from executing also prevents good code from executing; they make no distinction between malicious code and good code. So what you gain in security you lose in usability, and in this particular case you lose much more than you gain. Hence the importance of always browsing the Internet with an up-to-date browser that can block malicious JavaScript functions on its own while allowing innocuous ones.
It might even seem that the "negative" side of JavaScript is available only to webmasters who develop sites with the aim of gaining control of the computers of the Internet users who end up there. That is not the case. Obviously there are sites created specifically so that whoever visits them with an outdated browser (usually Internet Explorer) gets infected. But within hacking with JavaScript this type of technique is the least common, because Google usually detects this type of script quickly and warns Internet users.
[Image: hacking using javascript tools]

And although the user is free to ignore this warning, the measure means that the vast majority of Internet users do not proceed to the website. In addition, Google penalizes pages that contain malicious JavaScript code so that they do not appear in search results, or, if they do appear, they appear in quite low positions.
The great power of JavaScript in the world of hacking is that, using various techniques and methodologies, an ordinary user who is not the owner of a website may be able to place JavaScript code on that site. This last sentence may seem a little difficult to understand, especially for those of you who are just starting out and have relatively little time in the world of computer security and ethical hacking.

How can someone put Javascript code on my website?

There are many techniques to achieve this; the first thing we must do is learn the language in order to understand how it works and assess its scope. Today's lesson aims to give an overview of the role this language plays on the web from the point of view of computer security.
In Web 2.0 sites, where the Internet user is not just a receiver of information but can interact with the site (forums, social networks, portals...), we are letting the user enter information into our website. We cannot trust that it will be exactly what we asked for, since the user can enter anything, and it is our responsibility to validate on the server the data the user supplies. Let us look at a practical example of this kind of design.
Suppose you arrive at a forum where registration is free; you register and you are ready to open threads or reply to those already open. You open a new thread that you know a lot of the forum will visit because you have given it the most striking title. Now, instead of writing normal text, you enter JavaScript code that makes every user who views your thread send you their forum "cookie" (cookies are small files the browser uses to control, among other things, the user's session, and which JavaScript can read, modify, create and delete). You can load this cookie into your own browser, and once you do, you will be logged in as the user whose cookie you have stolen.
This type of attack is among the most basic and oldest that can be done with JavaScript. The vast majority of forums will not let you enter JavaScript code, and those that do allow it will either not publish it or will publish it "capado" (crippled) so that it does not run. In the worst case (for the attacker) the forum administrator will even be alerted to the hacking attempt. So when in the coming lessons we start to see small JavaScript scripts, we do not recommend that you go out and try to place them in forums. Anyone who tries to inject JavaScript code into a site with these features must find a way to do it as silently as possible; a good webmaster will make it really difficult and will have the means to detect this type of attack, while a more mediocre one will make it easier.

What is the difficulty or ease when injecting Javascript code?

The example in the previous lines illustrates a basic JavaScript code injection: a forum with no restriction, we enter JavaScript code and it is published without further ado. Normally this will not work in any forum; a few years ago it did, but today it no longer does, at least not so trivially. Therefore, when an attacker wants to study how to inject JavaScript code, they should have as much information as possible about the target. That is why in previous lessons we showed you how to install a virtualized LAMP server and looked at the different fields of HTML forms: before testing the target website you can replicate the site and run your tests locally without raising suspicion, and once the technique is refined and working in your virtual testing environment it is time to carry out the attack. Imagine you detect that someone uses a forum based on phpBB; you can download it, configure it as close as possible to the real forum, and within your controlled virtual environment try different injections and observe the result until you reach your goal.
Let's look at a simple example of how a JavaScript code filter can be fooled. The first thing I'm going to show you is the structure of a JavaScript script:
<script> CODE ... CODE .... CODE .... CODE .... </script>
Notice that the important thing is that the code is enclosed between the tags <script> and </script>. A filter that was very fashionable a few years ago simply detected the strings <script> and </script> and removed them, so that if someone wrote in the forum:
Hello, happy to be part of this community <script> codigoqueenvialacookie </script> Regards
the following was published:
Hello, happy to be part of this community codigoqueenvialacookie Regards
and the JavaScript code in charge of stealing the cookie was rendered "innocuous": it was not executed because the filter had deleted the <script> and </script> tags. What method was devised to fool this filter? A fairly simple solution, which consisted of publishing the following:
Hello, happy to be part of this community <scr<script>ipt> codigoqueenvialacookie </scr</script>ipt> Regards
Notice that what I have done is put the same tag in the middle of the <script> tag. Why? Because I knew the filter was going to erase the <script> tag and publish the rest as it was; as a final result, the filter erased the embedded <script> tag and, without realizing it, let through the tag I had broken up:
Hello, happy to be part of this community <scr<script>ipt> codigoqueenvialacookie </scr</script>ipt> Regards
becomes:
Hello, happy to be part of this community <script> codigoqueenvialacookie </script> Regards
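To make the filter's failure concrete from the defender's side, here is an added example (not code from the original post) that implements the single-pass tag-stripping filter described above, shows why the split-tag post survives it, and puts two alternatives beside it: stripping until the output stops changing, and the recommended default of HTML-encoding untrusted text instead of stripping. The sample posts and the placeholder payload text `codigoqueenvialacookie` are constructed for the test.

```javascript
// Naive filter of the kind the lesson describes: removes the literal strings
// "<script>" and "</script>" exactly once each, in a single pass.
function naiveStripScript(input) {
  return input.replace(/<script>/gi, "").replace(/<\/script>/gi, "");
}

// Repeat the naive filter until the text stops changing. This closes the
// split-tag hole, but every other tag and attribute still passes through,
// so it is a demonstration of the fixpoint idea, not a real sanitizer.
function stripUntilStable(input) {
  let previous;
  let output = input;
  do {
    previous = output;
    output = naiveStripScript(output);
  } while (output !== previous);
  return output;
}

// Recommended default for untrusted text shown inside an HTML element:
// encode the characters that have meaning in HTML rather than trying to
// delete "bad" substrings. The browser then displays the text literally.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection helper for tests and logging: would the browser see a script tag?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed sample posts (placeholder payload text, as on the page).
const PLAIN_POST =
  "Hello, happy to be part of this community <script>codigoqueenvialacookie</script> Regards";
const SPLIT_POST =
  "Hello, happy to be part of this community <scr<script>ipt>codigoqueenvialacookie</scr</script>ipt> Regards";
```

Running `naiveStripScript(SPLIT_POST)` returns the reassembled `<script>codigoqueenvialacookie</script>` post, while `escapeHtml(SPLIT_POST)` contains no tag the browser would execute.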
To reach this solution I had to do a lot of tests, which I did in my virtual environment without making any noise. When I saw that it worked in the virtual environment I verified that it really worked on the real one, and in my case I notified the administrators of the vulnerability and it was corrected, since I was working to improve the security of that portal.
With this lesson I hope you have been able to see the importance of JavaScript in computer security and what its role is in the world of hacking. In the next lessons we will learn to program in JavaScript from scratch.
