I have an application that manages APIs. As a part of creation of an API we allow users to enter some JavaScript that will be executed every time the API is hit.
This JavaScript is executed on the server side, so the flow is:
- End user hits API link generated by me
- I run the JavaScript entered at API creation time
- I forward the request to wherever
- I return the result to the front end
The intended use case is to set some request headers and the like.
Now, we recently had a security audit and this of course opens the door to an XXE vulnerability -
var x='<?xml version="1.0"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY lol SYSTEM "file:///etc/xxxx" >]><foo>&lol;</foo>';
var xee = new javascript.ScriptableDocument(x);
context.setVariable("request.queryparam.foo",xee.toString())
I will have this entire content body in Java, but how do I block against XXE vulnerabilities? I can imagine I'd have to run through the incoming JavaScript, look for any XML, and use one of Java's well-known XXE stripping methods (described here excellently).
But the persistent hacker can simply befuddle any attempt at XML identification in the JavaScript on my part. Example:
var a='<', b="?", c="x";
new javascript.ScriptableDocument(a+b+c+...);
Is this an unwinnable fight? Or is there something super obvious I can do to mitigate this?
Thanks! Zulfi
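The mitigation a reviewer would point to here is not to scan the script text for XML at all, but to make the XML parser that the script can reach incapable of resolving a DOCTYPE or an external entity, so that obfuscated string-building in the script no longer matters. The following is an added example, not code from the original post and not the platform's own API: the `javascript.ScriptableDocument` wrapper in the question is not a standard library, so the example assumes the sandbox ultimately hands the string to a JAXP `DocumentBuilder`, and shows what that builder should look like. The payload string is the one from the question, used only to confirm that the hardened parser rejects it.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Hypothetical helper the sandbox would expose to user scripts instead of a raw parser.
 * Every XXE payload needs a DOCTYPE, so refusing the DOCTYPE is the primary control;
 * the remaining settings are defence in depth for parsers that ignore that feature.
 */
public final class SafeXml {

    private SafeXml() {}

    /** Builds a DocumentBuilder that cannot load DTDs or resolve external entities. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence: any <!DOCTYPE ...> makes the parse fail outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: no external general/parameter entities, no external DTD fetch.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: empty string means "no protocol allowed" for external access.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

        DocumentBuilder db = dbf.newDocumentBuilder();
        // Last line of defence: whatever entity is asked for, answer with an empty document.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db;
    }

    /** Parses untrusted XML text; throws SAXException on any DOCTYPE or entity use. */
    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // The payload from the question (file path is the placeholder the question used).
        String payload = "<?xml version=\"1.0\"?><!DOCTYPE foo [ <!ELEMENT foo ANY >"
                + "<!ENTITY lol SYSTEM \"file:///etc/xxxx\" >]><foo>&lol;</foo>";
        try {
            parse(payload);
            System.out.println("UNEXPECTED: payload parsed");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // A benign document without a DOCTYPE still parses normally.
        Document ok = parse("<foo>bar</foo>");
        System.out.println("benign root element: " + ok.getDocumentElement().getNodeName());
    }
}
```

Because the check lives in the parser rather than in a scan of the script source, it is indifferent to how the script assembled the string (`a+b+c+...`, `String.fromCharCode`, or anything else); the same principle applies to any other XML entry point the script can reach (SAX, StAX, XSLT, schema validation), each of which needs the equivalent features disabled.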