Categories of Tainted Data Expressions in ECMAScript
ECMAScript Insecurities and Prevention – Part 2
ECMAScript 6
Foreword: In this part of the series I talk about the categories of expressions, which an attacker (hacker) can use to send in wrong data or wrong code into an ECMAScript program.
By: Chrysanthus Date Published: 16 Jul 2016
Introduction
Prevention of hacking can be summarized as follows: Wrong data or wrong code, should not enter the program. While wrong data or wrong code is in the program, it should not disrupt the program flow or result in wrong values. Wrong data should not leave the program for other destinations, because of wrong data inputted or wrong code inputted.
Tainted
The verb, taint, means to damage or spoil the quality of something. Tainted, is the adjective. In ECMAScript, I describe any expression that a hacker can use to cause damage as tainted. However, do not worry; in this series, you will learn tainted data expressions and also how to block them from being abused by hackers. A tainted expression is legitimate coding; you need to learn how to prevent them from being exploited by hackers. Untainting, means preventing the expression from being exploited by the hacker.
Tainted Data Expressions
Taintedness is associated with a scalar value. What is a value? A scalar variable can have a value, which is undefined, null, a number, a string or a reference. If a function is identified by a reference variable, then the whole function code is a kind of value; actually, the reference is a value to the scalar variable.
In this section I give you the categories of tainted expressions in ECMAScript:
- Scalar Value
- Array, Set and Map
- Function Expressions
Function expressions are of the forms:
fn = function (args) {}
fn = (args)=>{}
These are function definitions with arguments, (args), where the function name is a dereference of the function reference.
- Prototype
Assigning prototype to a function constructor or assigning properties to the prototype.
- eval Function
When you code an ECMAScript program and you execute it, there are two phases to the execution, which are compilation and running. When any ECMAScript program is executed, there is a minimal compilation of the whole program before the running of the whole program. Compile time is when syntax errors are checked. Runtime is when the program receives input and sends output.
Brief Explanation of Tainted Data Expression
In this section, I give brief explanations of the tainted data expressions in ECMAScript, (and I also indicate prevention).
Scalar Value
A scalar valued coded (assigned to a variable) in the program, is not much of a problem. Problem comes with scalar values received as input from a user, input as command line arguments, input from environment variables, input as feedback result from system (operating system) calls such as readdir(), input as operating system password. Problem can also result from a variable that is not constant.
The way to prevent such input value from having wrong data or wrong code, is to validate the input. I talk about the details in a different part of the series.
Array, Set and Map
An element can be deleted, changed or the number of elements can be increased. I will say more about this and prevention, in a later part of the series.
Function Expressions
Examples of function expressions are:
foo = function (args) {}
foo = (args)=>{}
In these two examples, foo() is a dereference operation. In either of them foo is holding the reference to the function. Either of the functions is called by using the reference to the function. This means, in each case, the function is a kind of value to the reference variable; actually, the reference is a value to the scalar variable. For these two examples, both calls are for the same function foo.
A hacker can figure out (determine) the variable, foo, and replace the reference with a reference to a different function. This other function can be a function in your code; it can be a function in a module (library) that you are using; or it can be a function code sent into your code as ordinary input for an eval function.
As you can see, this is clearly dangerous. I will say more about symbolic sub references and prevention, in a later part of the series. Also note that the hacker can just replace the code for the variable with, undefined (or null).
An example of prototype coding is:
function ConstfFn()
{
}
proto = new Object();
proto.num1 = 3;
proto.num2 = 4;
proto.add = function ()
{
sum = this.num1 + this.num2;
return sum;
}
ConstfFn.prototype = proto;
obj = new ConstfFn();
answer = obj.add();
alert(answer);
Now, obj is a kind of copy of the prototype object. A different prototype can be assigned to the constructor function to cause trouble. Try the following code:
function ConstfFn()
{
}
proto = new Object();
proto.num1 = 3;
proto.num2 = 4;
proto.add = function ()
{
sum = this.num1 + this.num2;
return sum;
}
protoTrouble = new Object();
protoTrouble.num1 = "trouble ";
protoTrouble.num2 = " trouble";
protoTrouble.add = function ()
{
sum = this.num1 + this.num2;
return sum;
}
ConstfFn.prototype = protoTrouble;
obj = new ConstfFn();
answer = obj.add();
alert(answer);
The output is “trouble trouble” instead of 7.
I will say more about this and prevention, in a later part of the series.
eval Function
The syntax for the eval() function is:
eval(x)
where x is a non-string literal or a string (quotes) consisting of one or more statements separated by semicolons.
If x has input at runtime, then any unsafe code can be injected.
I will say more about the eval function, and prevention, in a later part of the series.
A Hacker
The word, hacker, actually has two meanings: a good meaning and a bad meaning. In this series, it is the bad meaning we use for the word, hacker. A hacker can be somebody who has no permission for the ECMAScript program. In this case his work is most difficult and he has to rely on operating system input to the program, network input to the program, environment variable input to the program, and input as feedback result from system calls.
If he has at least the read permission, his work becomes less difficult. If he has the read and execute permissions, his work becomes even less difficult.
So, with ECMAScript, a hacker may be a non-user of the program, or he may be a user who has some permissions to the program.
Never give the write permission to any user you do not trust. Because, if the person is a hacker, you open all the doors to him.
That is it for this part of the series. Let us stop here and continue in the next part.
Chrys
Related Links
ECMAScript BasicsECMAScript Operators
Expressions in ECMAScript
Statements in ECMAScript
Custom Objects in ECMAScript
Functions in ECMAScript
ECMAScript Date Object
The ECMAScript String Object
ECMAScript String Regular Expressions
ECMAScript Template Literal
The ECMAScript Array
ECMAScript Sets and Maps
ECMAScript Number
Scopes in ECMAScript
Mastering the ECMAScript (JavaScript) eval Function
Sending Email with ECMAScript
ECMAScript Insecurities and Prevention
Advanced Course
Advanced ECMAScript Regular Expressions
Promise in ECMAScript 2015
Generator in ECMAScript 2015
ECMAScript Module
More Related Links
Node Mailsend
EMySQL API
Node.js Web Development Course
Major in Website Design
Low Level Programming - Writing ECMAScript Module
ECMAScript Course
BACK NEXT