Just came across this term, Server Side JavaScript Injection. I am surprised to hear about it. How can injection be done on the server side?
This is not related to specific language and is called Code Injection.
I would recommend this website (Open Web Application Security Project) which contains a lot of vulnerabilities and details on how to prevent them.
Sai Kishore Komanduri
Engineering an eGovernance Product | Hashnode Alumnus | I love pixel art
If you have any part of the code on server side which evaluates unvalidated user inputs, using either of:
eval,setTimeout,setInterval; your app can be vulnerable to Server Side JavaScrip Injection attacks.Imagine a situation where you have some code like the following, being evaluated on the server-side:
... eval(unvalidatedUserInput); ...In such a situation, the app is vulnerable to various forms of SSJSi attacks. Via the
unvalidatedUserInput, the attacker might:'while(1)','process.exit()'. While the first one will cause an infinite loop and disable the server to respond any further incoming requests, the latter would just kill the running process'res.end(require('fs').readdirSync('.').toString())'The above input would send the attacker the contents of the current working directory
'res.end(require('fs').readFileSync(filename))'The above input would send the attacker the contents of a particular file
A couple of pointers, to avoid SSJSi attacks:
eval, and vulnerable forms ofsetTimeout, andsetIntervalwhen you can.