
Server side code JavaScript injection in modern Node.js applications

dc.contributor.advisor: Νταντογιάν, Χριστόφορος
dc.contributor.author: Παραρά, Μαρία
dc.contributor.author: Parara, Maria
dc.date.accessioned: 2019-09-09T05:42:31Z
dc.date.available: 2019-09-09T05:42:31Z
dc.date.issued: 2019-05
dc.identifier.uri: https://dione.lib.unipi.gr/xmlui/handle/unipi/12131
dc.format.extent: 73
dc.language.iso: en
dc.publisher: University of Piraeus
dc.title: Server side code JavaScript injection in modern Node.js applications
dc.title.alternative: A vulnerable NodeJS application for carrying out JavaScript attacks against the server
dc.type: Master Thesis
dc.contributor.department: School of Information and Communication Technologies. Department of Digital Systems
dc.description.abstractEN: In the broad ecosystem of modern web application technologies, many web application runtime environments compete for a place at the core of every new web project. While the strengths and uses of each web application framework differ, with each excelling at certain use cases, few excel at what they do as much as Node.js does. Nevertheless, like other web technologies, Node.js is not by definition free from vulnerabilities that malicious users can exploit. This thesis studies scenarios through which a Node.js application can be exposed to Server-Side JavaScript Injection (SSJI) attacks, shows the impact of these vulnerabilities and provides ways to counter them. Node.js is an open-source JavaScript runtime environment that has allowed web developers to write server-side logic in JavaScript for a number of years. Some of its greatest strengths are its versatility in handling asynchronous requests and its ability to serve many times more concurrent clients than traditional frameworks, because it is built on an event-driven architecture. Node.js has also excelled at applications that issue vast numbers of I/O (input/output) requests with little subsequent processing for each of them. This has led to its successful use in real-time applications, streaming applications, games, chat applications and lightweight but scalable REST APIs, among other use cases. Finally, Node.js has unified the development stack, letting software engineers work both on the user-interface side of an application (in JavaScript) and on the server side. However, Node.js, like any other web runtime environment, is built with security principles in mind but is not automatically safe from the notorious combination of malicious user intent and insecurely written code.
That combination gives rise to a serious vulnerability frequently met in Node.js applications: Server-Side JavaScript Injection. Mitigating SSJI attacks is not simple and cannot be achieved merely by blindly following certain techniques during development. The only way to prevent such vulnerabilities is for both application architects and developers to adopt an information-security mindset when designing and building the application. Using two specialised tools, Commix and NodeXP, this thesis showcases and studies SSJI vulnerability scenarios, demonstrates the degree of damage these two exploitation tools can do through the vulnerability, and presents ways in which these attacks can be mitigated.
dc.contributor.master: Digital Systems Security
dc.subject.keyword: NodeJS
dc.subject.keyword: Server side
dc.subject.keyword: Javascript
dc.subject.keyword: Javascript injection attack
dc.subject.keyword: Web vulnerabilities
dc.subject.keyword: Command injection
dc.subject.keyword: SSJI
dc.subject.keyword: SSI
dc.subject.keyword: Node.js
dc.subject.keyword: Security
dc.date.defense: 2019-05-31
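The abstract names the SSJI class and the tools used to exploit it, but the record carries no code. The following is an added example, written for this page and not taken from the thesis, from Commix or from NodeXP: a Node.js request-handler body that evaluates a user-supplied arithmetic expression, first with the classic eval() sink that SSJI targets, then hardened with a recursive-descent evaluator that accepts only the intended grammar, plus a timing probe of the kind blind-injection tools use to tell the two apart. The function names (vulnerableCalc, safeCalc, timingProbe), the `expr` parameter, the probe payload and the sample inputs are all assumptions constructed for the example.

```javascript
// Added example, not code from the thesis, Commix or NodeXP. All names here
// (vulnerableCalc, safeCalc, timingProbe, the `expr` parameter) are assumptions.
// Each handler takes the raw value of a hypothetical `expr` query parameter and
// returns the HTTP response body as a string, so the sink can be exercised offline.

// Vulnerable handler: the classic SSJI sink. The developer wanted "2+2" -> "4",
// but eval() runs whatever JavaScript the client sends, with the server's privileges.
function vulnerableCalc(expr) {
  return String(eval(expr)); // SSJI sink: user input executed as server-side code
}

// Hardened handler: accept only the grammar the feature needs (+ - * / parentheses,
// decimal numbers) and evaluate it with a recursive-descent parser. No JavaScript
// evaluator ever sees the client's string, so there is nothing to inject into.
function safeCalc(expr) {
  const raw = expr.match(/\s*(\d+\.?\d*|[-+*/()])\s*/g);
  // Reject if tokenizing dropped any character: that character is not in the grammar.
  if (!raw || raw.join('').replace(/\s/g, '') !== expr.replace(/\s/g, '')) {
    return 'error: invalid expression';
  }
  const toks = raw.map((t) => t.trim());
  let pos = 0;
  const peek = () => toks[pos];

  function parseExpr() {            // expr := term (('+' | '-') term)*
    let v = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = toks[pos++];
      const r = parseTerm();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  function parseTerm() {            // term := factor (('*' | '/') factor)*
    let v = parseFactor();
    while (peek() === '*' || peek() === '/') {
      const op = toks[pos++];
      const r = parseFactor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function parseFactor() {          // factor := number | '-' factor | '(' expr ')'
    const t = toks[pos++];
    if (t === '(') {
      const v = parseExpr();
      if (toks[pos++] !== ')') throw new SyntaxError('expected )');
      return v;
    }
    if (t === '-') return -parseFactor();
    if (t === undefined || !/^\d/.test(t)) throw new SyntaxError('unexpected token');
    return Number(t);
  }

  try {
    const value = parseExpr();
    if (pos !== toks.length) throw new SyntaxError('trailing input');
    return String(value);
  } catch (e) {
    return 'error: invalid expression';
  }
}

// Blind-detection probe of the kind time-based injection tools rely on: send a
// payload that busy-waits for `delayMs` only if it is executed as JavaScript, and
// classify the handler by whether the response is delayed. The payload is
// constructed here for illustration; it is not a Commix or NodeXP payload.
function timingProbe(handler, delayMs = 300) {
  const payload = `1; { const s = Date.now(); while (Date.now() - s < ${delayMs}) {} } 1`;
  const t0 = Date.now();
  try { handler(payload); } catch (e) { /* a rejected payload is the safe outcome */ }
  return Date.now() - t0 >= delayMs;   // true => the input reached a JS evaluator
}

// Stand-alone demonstration (guarded so the block also loads as a module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign        :', vulnerableCalc('2+2'), safeCalc('2+2'));
  console.log('exfiltration  :', vulnerableCalc('process.version'), safeCalc('process.version'));
  console.log('vulnerable delayed:', timingProbe(vulnerableCalc));
  console.log('hardened   delayed:', timingProbe(safeCalc));
}
```

The hardened version is deliberately not a "sandboxed eval": Node's `vm` module is documented as not being a security mechanism, and string-to-code paths (`eval`, `new Function`, `setTimeout` with a string) remain the sink whatever wraps them. Parsing the intended grammar yourself, or using a validated numeric input instead of a free-form expression, removes the sink rather than fencing it.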