Show simple item record

dc.contributor.advisor: Νταντογιάν, Χριστόφορος
dc.contributor.advisor: Ntantogian, Christoforos
dc.contributor.author: Antonaropoulos, Dimitris
dc.date.accessioned: 2018-10-16T11:06:06Z
dc.date.available: 2018-10-16T11:06:06Z
dc.date.issued: 2018-09
dc.identifier.uri: http://dione.lib.unipi.gr/xmlui/handle/unipi/11440
dc.format.extent: 63 [el]
dc.language.iso: en [el]
dc.publisher: University of Piraeus [el]
dc.rights: Attribution-NonCommercial-ShareAlike 4.0 International [*]
dc.rights.uri: http://creativecommons.org/licenses/by-nc-sa/4.0/ [*]
dc.title: NodeXP - An automated and integrated tool for detecting and exploiting Server Side JavaScript Injection vulnerability on Node.js services [el]
dc.type: Master Thesis [el]
dc.contributor.department: School of Information and Communication Technologies. Department of Digital Systems [el]
dc.description.abstractEN: The intent of this thesis was to develop a tool (referred to as NodeXP) capable of detecting possible vulnerabilities in Node.js services and exploiting them in order to create a proof of concept (PoC). Both processes rely on the Server Side JavaScript Injection (SSJI) vulnerability and its attack methods; they are completely separate, yet integrated in the same tool, and interact with each other with minimal user input. Detection is performed through dynamic analysis using two different injection techniques (the Blind Based Injection Technique and the Results Based Injection Technique). When either injection technique is executed, payloads listed in a text file are parsed and injected through HTTP requests (wordlist method). The exploitation process aims to create a Meterpreter session between the user and the vulnerable service by interacting with the Metasploit framework. Once detection completes successfully, exploitation proceeds based on the detection's findings. During both detection and exploitation, only one GET or POST parameter can be injected at a time. The tool aims to point out these security issues accurately while mitigating false positives and false negatives. This requirement may incur some time and performance penalty, so the tool provides flags that let the user adjust this trade-off as needed. The thesis presents real-world and custom-made examples of Node.js services, demonstrating both the detection and the exploitation of the vulnerabilities found. The tool's purpose is strictly informational and educational, and the tool could also be very helpful during a penetration test. Any other malicious or illegal usage of the tool is strongly discouraged and is clearly not part of the purpose of this research. [el]
dc.contributor.master: Digital Systems Security [el]
dc.subject.keyword: Exploitation [el]
dc.subject.keyword: Detection [el]
dc.subject.keyword: Injection [el]
dc.subject.keyword: SSJI [el]
dc.subject.keyword: Node.js [el]
dc.subject.keyword: Nodejs [el]
dc.subject.keyword: NodeXP [el]
dc.subject.keyword: Web security [el]
dc.date.defense: 2018-08-31



Except where otherwise noted, this item's license is described as
Attribution-NonCommercial-ShareAlike 4.0 International
