Server-Side JavaScript Injection: Attacking NoSQL and Node.js

Black Hat USA 2011

Presented by: Bryan Sullivan
Date: Wednesday August 03, 2011
Time: 13:45 - 15:00
Location: Augustus V + VI
Track: Next-Gen Web

Fallout from the browser wars has given us blazingly fast JavaScript engines - engines so fast that they're now being used for much more than just browsers. Server-side JavaScript (SSJS) is integral to many NoSQL databases such as MongoDB and Neo4j, and the web server framework Node.js is also built on SSJS. These projects score high benchmarks for speed and scalability, but does this speed come at the cost of security?

If you thought client-side JavaScript injection (better known as XSS) was dangerous, wait until you see what an attacker can do with server-side JavaScript injection (SSJI). In this talk, we'll demonstrate SSJI exploits against NoSQL and Node.js applications that allow attackers to read, write, upload and execute arbitrary files anywhere on the server. We'll also demonstrate that the programming errors that lead to these vulnerabilities are just as simple as the ones that lead to XSS. Finally, we'll conclude the presentation with techniques you can use to find and fix SSJI vulnerabilities in your own applications.
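The abstract says the coding mistakes behind SSJI are as simple as those behind XSS. The following is an added illustration, not code from the talk or from any project it mentions: the same "parse the request body" step written the unsafe way (passing client data to `eval()`, which executes it as server-side JavaScript) and the safe way (`JSON.parse` plus explicit shape validation). All function names, the order schema and the sample bodies are constructed for this example.

```javascript
// Added example (not from the talk): the same "parse untrusted input" step
// written the unsafe way and the safe way, to show why eval() on request
// data is a server-side JavaScript injection sink and what a fix looks like.
// All names and sample inputs below are constructed for the illustration.

// UNSAFE: a once-common Node.js shortcut for "parsing" a JSON body. eval()
// runs whatever JavaScript the client sent, with the server's privileges.
function parseBodyUnsafe(body) {
  return eval("(" + body + ")");
}

// SAFE: JSON.parse accepts JSON data only, never executable code, and
// throws a SyntaxError on anything else.
function parseBodySafe(body) {
  return JSON.parse(body);
}

// Defensive wrapper: parse with JSON.parse, then validate the shape so that
// downstream code never has to trust the structure of the decoded object.
// Returns { ok: true, order } or { ok: false, error }.
function parseOrder(body) {
  let obj;
  try {
    obj = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: "invalid JSON" };
  }
  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
    return { ok: false, error: "expected an object" };
  }
  if (!Number.isInteger(obj.qty) || obj.qty < 1 || obj.qty > 1000) {
    return { ok: false, error: "qty out of range" };
  }
  if (typeof obj.sku !== "string" || !/^[A-Z0-9-]{1,32}$/.test(obj.sku)) {
    return { ok: false, error: "bad sku" };
  }
  // Rebuild the object from validated fields; stray properties are dropped.
  return { ok: true, order: { sku: obj.sku, qty: obj.qty } };
}

// Constructed inputs: a legitimate body, and a body that is JavaScript
// rather than data (it leaves a marker on the global object if executed).
const GOOD_BODY = '{"sku":"ABC-123","qty":2}';
const CODE_BODY =
  '(function () { globalThis.injectedMarker = true; ' +
  'return { sku: "ABC-123", qty: 2 }; })()';

// Runs both parsers over the code-carrying body and the validator over both
// bodies, returning the observations so they can be checked programmatically.
function demo() {
  const viaEval = parseBodyUnsafe(CODE_BODY); // the function body executes here
  let viaJson;
  try {
    viaJson = parseBodySafe(CODE_BODY);
  } catch (e) {
    viaJson = e.name; // "SyntaxError": rejected before anything could run
  }
  return {
    unsafeReturnedData: viaEval.sku,                     // looks like a normal order
    unsafeRanCode: globalThis.injectedMarker === true,   // but code ran on the server
    safeResult: viaJson,
    goodOrder: parseOrder(GOOD_BODY),
    rejectedOrder: parseOrder(CODE_BODY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `parseOrder` is that the fix is not only "swap `eval` for `JSON.parse`": once the data is safely decoded, validating its shape (types, ranges, allowed characters) and copying only the expected fields keeps later code, including any database query built from it, from having to trust the client's structure.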

Bryan Sullivan

Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect. Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011).
