Code injection can occur when untrusted input is injected into dynamically constructed code. One obvious source of potential vulnerabilities is the use of JavaScript from Java code. The javax.script
package provides an API consisting of interfaces and classes that define Java scripting engines, and it also defines a framework for using those interfaces and classes in Java code. Misuse of the javax.script
API permits an attacker to execute arbitrary code on the target system. Such errors are dangerous because violations of secure coding practices in dynamically generated code cannot be detected in advance through automated static analysis.
...
An attacker can enter a specially crafted argument in an attempt to inject malicious JavaScript. This example shows a malicious string containing JavaScript code that can create or overwrite an existing file on a vulnerable Windows system running the vulnerable Java code.
```
dummy\'); var bw = new JavaImporter(java.io.BufferedWriter); var fw = new JavaImporter(java.io.FileWriter); with(fw) with(bw) { bwr = new BufferedWriter(new FileWriter(\"c://somepath//somefile.txt\config.cfg\")); bwr.write(\"some text\"); bwr.close(); } // ;
```
The script in this example prints "dummy" and then, behind the scenes, writes "some text" to somefile.txt, a configuration file called config.cfg. An actual exploit can execute arbitrary code.
Compliant Solution (Whitelisting)
...
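The following is an added example, not code from the original rule: it places the noncompliant pattern (user input spliced into the script source) beside a hardened version that whitelists the input and passes it to the engine through a Bindings object rather than the source text. The helper names, the `print('...')` script and the demo input are assumptions; it also assumes a JavaScript engine (such as Nashorn) is registered with the JDK.

```java
import java.util.regex.Pattern;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class ScriptInjectionDemo {
    // Hypothetical vulnerable helper: the untrusted value becomes part of the program text,
    // so a quote in the input ends the string literal and the rest is executed as JavaScript.
    static void evalVulnerable(ScriptEngine engine, String firstName) throws ScriptException {
        engine.eval("print('" + firstName + "');");
    }

    // Whitelist: only letters are accepted; anything else (quotes, parentheses, slashes) is rejected.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z]+");

    // Hardened helper: validate against the whitelist, then hand the value to the script as a
    // variable binding. The script source is a constant, so the input can never be parsed as code.
    static void evalHardened(ScriptEngine engine, String firstName) throws ScriptException {
        if (!SAFE.matcher(firstName).matches()) {
            throw new IllegalArgumentException("Rejected script input: " + firstName);
        }
        Bindings bindings = engine.createBindings();
        bindings.put("firstName", firstName);
        engine.eval("print(firstName);", bindings);
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        if (engine == null) {
            System.err.println("No JavaScript engine available on this JDK");
            return;
        }
        // Constructed demo input: closes the literal, runs a second statement, comments out the tail.
        String malicious = "dummy'); print('INJECTED'); //";

        evalVulnerable(engine, malicious);      // prints "dummy" and then "INJECTED"
        try {
            evalHardened(engine, malicious);    // never reaches the engine
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
        evalHardened(engine, "Alice");          // prints "Alice"
    }
}
```

Passing the value through a binding is the structural fix; the whitelist is defence in depth that also keeps the accepted values small enough to log and audit.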