Is JavaScript Trustworthy in Cloud Computing?

JavaScript applications are extensively utilized and deeply integrated within cloud computing environments, showcasing their core functionalities and adaptability across a variety of use cases. Despite their advantages, JavaScript as Input (JAI) applications also expose a range of security vulnerabilities.

We will provide an in-depth analysis of four critical deployment scenarios of JavaScript in these environments, highlighting operational methodologies and their strategic importance. In the subsequent section, we will dissect the characteristics of JAI applications within the cloud, concentrating on issues such as lagging version updates, uniformity in software and configuration profiles, and their opaque, black-box nature. Our analysis aims to underscore the potential security threats these issues present. We will then devise targeted vulnerability assessment protocols to address these weaknesses. Notably, the black-box nature of these applications complicates the process of software version identification, but leveraging Large Language Models (LLM) presents new methodologies for mitigating these challenges.

Finally, we will showcase practical exploitation techniques using zero-day vulnerabilities discovered in AWS, Azure, and headless browser services, leading to Remote Code Execution (RCE). This section will delve into detailed exploitation tactics and subsequent post-exploitation strategies. To conclude, we will propose a comprehensive series of defensive mechanisms to mitigate the risks associated with JavaScript vulnerabilities in cloud computing environments.

By:
Zong Cao | Security Researcher, Imperial
Qian Zhu | Security Researcher, N/A
Hongkun Chen | Security Engineer, EagleCloud
Yang Liu | Professor, Nanyang Technological University
Xiu Zhang | Security Engineer, Institute of Information Engineering, Chinese Academy of Sciences

Full Abstract Available: https://www.blackhat.com/eu-24/briefings/schedule/#is-javascript-trustworthy-in-cloud-computing-42675