NodeJS Security: The Good, Bad & Ugly
Published in: Technology
Transcript of "Node Security: The Good, Bad & Ugly"

  1. NodeJS Security: The Good, Bad & Ugly
  2. A look at Server Side JS History. How old do you think it is?
  3. 1996 (LiveWire). Rhino (1997). 50+ more since then.
  4. Something went wrong… JS not interesting to many. Slow JS engines. JS is misunderstood. Lack of a compelling browser war. Under-rated.
  5. So why now? The Browser War led to blazing fast engines: Google V8 (NodeJS uses this), FF SpiderMonkey, MS Chakra.
  6. Why is it so HOT? Speed. Performance. JS to do it all.
  7. Adoption: 11/11
  8. Adoption: 02/12
  9. (5 min Tech Primer) Event-driven. Asynchronous. Single-threaded.
  10. Traditional Platforms
      • A sample code:

            data = readFromDatabase();
            printData(data);
            doSomethingUnrelated();

      • Pitfalls
        – The program blocked when reading from the db
        – Lots of processor cycles wasted
  11. In Node
      • A typical code:

            readFromDatabase(function (data) {
              printData(data);
            });
            doSomethingUnrelated();

      • Gains
        – No need to wait for slow file I/O or db ops. Aka non-blocking server
        – Everything runs in parallel. doSomethingUnrelated() doesn’t wait.
        – printData(data) is called when reading has finished
        – Insanely fast
        – Serve millions of concurrent connections at once
  12. A production Web Framework / MVC Arch. Enter Express, Mustache, Jade. (What is MISSING?) A DB server. Enter NoSQL (MongoDB, CouchDB). Full-stack dev libraries. Enter NPM.
  13. (In)Security
  14. “JavaScript has so much expressive power that they are able to do useful things in it, anyway.” http://javascript.crockford.com/javascript.html
      “JavaScript is the world’s most misunderstood programming language.” http://www.crockford.com/javascript/private.html
      (Mostly b’coz) With Power comes Responsibility
  15. (The Ugly Parts)
      Property: Implied Globals. Abuse: Namespace Pollution. Impact: what’s the worst you can think of?
      Property: eval (new Function, setTimeout, setInterval). Abuse: JSON parse, shortcuts. Impact: Host Compromise
      Property: process privilege. Abuse: run as root (even Express). Impact: Why does Apache run as nobody/nobody?
  16. Global Namespace Pollution. JS is a global lang. By default all variables, functions, objects are implied to global scope. (In contrast, with PHP (or others), each request lives in its own unique scope.)
  17. Global Namespace Pollution (WEB USER 1 vs. WEB USER 2)
      # Any request will share the same global scope.
      # As seen, for two different users, each request increased gbl by 1 (Try yourself: http://46.137.9.100:1314/). An equivalent code in PHP will always print 1 for every request.
  18. Exploits: Namespace Pollution
      • Overriding / Hijacking Sensitive Globals. Host Compromise
      • How? Imagine XSS and SOP. Think your browser is now the server.
      • Another innocent sample
        – Bob sets is_valid to true for operation X but forgets to declare it with “var”.

              Y.mojito.controller = { index: function(ac) { var is_valid = true;

        – Alice, coding on the same project, also forgets “var” and initialized is_valid to false.

              Y.mojito.controller = { index: function(ac) { if (is_valid){ // get access to user data or some functions

      • Attack Surface?
        – NPM: malicious library. Insecure library
        – Malicious coder
        – Innocent coder
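The shared-scope behaviour of slides 16 to 18, as an added example (not code from the slides). A Node process serves every request from one module scope, so a counter declared there behaves like the slide's gbl; the is_valid mistake (assignment without var) is shown under strict mode, where it becomes a ReferenceError instead of a silent global. The handler and user names are constructed for this example.

```javascript
'use strict';

// Added example: module-level state shared across requests (the slide's gbl),
// and strict mode catching an accidental implied global.
// handleRequestShared, handleRequestScoped and the user ids are constructed.

// One Node process serves every request, so anything declared at module
// scope is shared state: this is the "gbl" from the slide.
let gbl = 0;

// Per-request handler that (wrongly) keeps its counter in shared scope.
function handleRequestShared(user) {
  gbl += 1;
  return { user, seen: gbl };
}

// Same handler with the counter scoped to the request it belongs to.
function handleRequestScoped(user) {
  let seen = 0;
  seen += 1;
  return { user, seen };
}

// Two different users against both handlers: the shared counter keeps
// climbing across users, the scoped one reports 1 for every request.
function simulateTwoUsers() {
  const shared = [handleRequestShared('user1'), handleRequestShared('user2')];
  const scoped = [handleRequestScoped('user1'), handleRequestScoped('user2')];
  return { shared: shared.map((r) => r.seen), scoped: scoped.map((r) => r.seen) };
}

// The slide's is_valid bug: assignment to a name that was never declared.
// In sloppy mode this silently creates a global that every other request
// can read; under 'use strict' it throws, so the bug surfaces in testing.
function assignWithoutDeclaration() {
  try {
    is_valid = true; // no var/let/const: the "forgot var" mistake
    return 'leaked to global scope';
  } catch (err) {
    return err instanceof ReferenceError ? 'ReferenceError' : 'unexpected';
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateTwoUsers());
  console.log(assignWithoutDeclaration());
}
```

Strict mode only catches the undeclared-variable form; deliberately declared module-level state is still shared by every request, which is why per-request data belongs on the request object or inside the handler.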
  19. eval is EVIL
      USE CASE # treats data as code. Very powerful. Very very popular.
      EXPLOIT # CODE EXECUTION. COMMAND EXECUTION. SHELL EXECUTION. NEVER USE IT!
      SIDE NOTE: exists in NPM. Audit. Audit. Audit.
      eval has cousins – setTimeout, setInterval, new Function. DON’T USE THEM
  20. eval is EVIL. Try yourself: http://46.137.9.100:1313
      Exploit code: response.end("my first ssi")
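The "eval as a JSON parser" shortcut named on slide 15, beside the safe form, as an added example that is not from the slides. The poisoned input is constructed: it is valid JavaScript but not valid JSON, and its only side effect is a marker on globalThis so the code execution can be observed.

```javascript
'use strict';

// Added example: parsing untrusted data with eval versus JSON.parse.
// POISONED_INPUT is a constructed value for this demonstration.

// Vulnerable: data is treated as code, so anything the caller sends runs
// with the privileges of the Node process (the same applies to new Function
// and to setTimeout/setInterval given a string).
function parseWithEval(text) {
  return eval('(' + text + ')'); // eslint-disable-line no-eval
}

// Safe: JSON.parse understands only the JSON grammar; code is a SyntaxError.
function parseSafely(text) {
  return JSON.parse(text);
}

// Valid JavaScript, invalid JSON. The comma expression sets a harmless
// marker and then yields the value the "user" field ends up holding.
const POISONED_INPUT = '{"user": (globalThis.evalRan = true, "alice")}';

function demo() {
  const withEval = parseWithEval(POISONED_INPUT);
  let safeError = null;
  try {
    parseSafely(POISONED_INPUT);
  } catch (err) {
    safeError = err.name;
  }
  return {
    evalRan: globalThis.evalRan === true, // side effect of the eval path
    evalUser: withEval.user,              // the "data" still looked normal
    safeError,                            // JSON.parse refused the input
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The eval path returns a plausible-looking object, so nothing downstream notices that arbitrary code ran; the JSON.parse path rejects the input outright, which is the behaviour a parser for untrusted data should have.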
  21. Runtime Privilege Context
      # By default, NodeJS runs as privileged user
      # By default, Express runs as privileged user
      Why does it matter? Remote Shell Exploits. Why does Apache run as nobody/nobody?
  22. (The Bad Parts)
      Property: with. Abuse: shorthand typos. Impact: Context dependent
      Property: switch. Abuse: faulty fallthru. Impact: Context dependent
      Property: single threaded / interpreted. Abuse: incomplete exception handling. Impact: DoS
      Property: templating engines [mu, jade, ejs, haml]. Abuse: context sensitive output escaping. Impact: XSS
  23. with is EVIL (exploitable on Cocktails). Use Case # welcome message. What went wrong # typo,…
  24. with is EVIL (exploitable on Cocktails). Exploit # Depends (Try yourself: http://46.137.9.100:1315/)
  25. DoS (*doesn’t affect Express). Generate a simple exception. JS is interpreted, NOT compiled. Code itself shouldn’t be faulty. Else it’s a self-DoS. Very difficult to ENSURE this.
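The self-DoS of slide 25 in code, as an added example that is not from the slides. In a single-threaded process one uncaught exception ends every connection being served; a dispatcher that fences each handler with try/catch contains the fault to the one request that triggered it (Express does this wrapping for synchronous route handlers, which is the slide's footnote). The handler and request shapes are constructed.

```javascript
'use strict';

// Added example: an uncaught exception versus a per-request fence.
// profileHandler and the request objects are constructed for this demo.

// Handler with a latent fault: it assumes the query always carries an id.
function profileHandler(req) {
  const id = req.query.id.trim(); // TypeError when id is missing
  return { status: 200, body: 'profile ' + id };
}

// Unfenced dispatch: the exception propagates to the event loop and, with
// no uncaughtException handler, the whole process exits.
function dispatchUnfenced(handler, req) {
  return handler(req);
}

// Fenced dispatch: the exception is contained to this request.
function dispatchFenced(handler, req) {
  try {
    return handler(req);
  } catch (err) {
    // Detail goes to the operator log, a generic message to the client.
    console.error('handler failed:', err.message);
    return { status: 500, body: 'internal error' };
  }
}

const GOOD_REQUEST = { query: { id: ' 42 ' } };
const BAD_REQUEST = { query: {} }; // constructed malformed request

function demo() {
  let crashed = false;
  try {
    dispatchUnfenced(profileHandler, BAD_REQUEST);
  } catch (err) {
    crashed = true; // this is the point where a real server would die
  }
  return {
    crashed,
    fencedBad: dispatchFenced(profileHandler, BAD_REQUEST).status,
    fencedGood: dispatchFenced(profileHandler, GOOD_REQUEST).body,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The fence does not make the handler correct; it turns a process-wide outage into a logged 500 for one client, which is what buys time to find and fix the fault.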
  26. switch is EVIL (an old foe). Use Case # Valued Customer to be given 10% discount only. Exploit # missing break leading to privilege escalation
  27. switch is EVIL (an old foe). Exploit # Valued Customer getting more discount (Try Yourself: http://46.137.9.100:1317/)
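The discount rule from slides 26 and 27 with its missing break, beside two corrected forms, as an added example that is not from the slides. The tier names and the second tier's percentage are constructed; the 10% for a valued customer is the slide's.

```javascript
'use strict';

// Added example: switch fallthrough granting more than intended.
// Tier names and the staff percentage are constructed values.

// Faulty: no break after 'valued', so control falls into the 'staff' case
// and a valued customer collects both discounts.
function discountWithFallthrough(tier) {
  let percent = 0;
  switch (tier) {
    case 'valued':
      percent += 10;
      // break is missing here
    case 'staff':
      percent += 50;
      break;
    default:
      percent = 0;
  }
  return percent;
}

// Fixed: every case leaves the switch explicitly, so no path falls through.
function discountFixed(tier) {
  switch (tier) {
    case 'valued':
      return 10;
    case 'staff':
      return 50;
    default:
      return 0;
  }
}

// Alternative: a frozen lookup table removes the construct that caused the
// bug. hasOwnProperty keeps inherited names such as "constructor" from
// matching when the tier comes from user input.
const DISCOUNTS = Object.freeze({ valued: 10, staff: 50 });
function discountFromTable(tier) {
  return Object.prototype.hasOwnProperty.call(DISCOUNTS, tier) ? DISCOUNTS[tier] : 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(discountWithFallthrough('valued'), discountFixed('valued'), discountFromTable('valued'));
}
```

JSLint flags the missing break; a unit test asserting the exact discount for each tier catches it as well.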
  28. No CSAS Output Escaper
      • What is the #1 web security issue? XSS (going to spiral further)
      • All templating engines for NodeJS only provide HTML context escaping. Good, but shouldn’t an excellent new technology attempt to fix the remaining BAD things?
        – <a href="$url"> my url </a> with $url = javascript:alert(1)
        – <body onload="bingbang('$id')"> with $id = ');alert(1);
        – <script> var a = $b </script> with $b = ; alert(0);
        – <div name=$c> with $c = onload=alert(1);
        – many more….
      • We ported Google AutoEscape to NodeJS, nicknamed Joe. Will be open sourced soon…
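The four contexts from slide 28 worked through, as an added example that is not the slides' code and not the Joe/AutoEscape port they mention. It shows why HTML-entity escaping alone does nothing for the href value, then gives one escaper per context: a scheme allowlist for URLs, JSON serialisation for the script and event-handler contexts, and quoting plus escaping for the attribute value. Function names are constructed; the sample payloads are the slide's.

```javascript
'use strict';

// Added example: context-sensitive output escaping for the slide's cases.
// escapeHtml, safeUrl, jsValue and render are constructed names.

// HTML text / quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL context: entity escaping leaves "javascript:alert(1)" untouched, so
// the scheme has to be allowlisted. Only http(s), root-relative, "./" and
// fragment URLs pass; everything else becomes an inert "#".
function safeUrl(s) {
  const trimmed = String(s).trim();
  if (/^(https?:|\/(?!\/)|\.\/|#)/i.test(trimmed)) return escapeHtml(trimmed);
  return '#';
}

// JavaScript context (inside <script> or an on* handler): serialise the
// value as a JSON literal and neutralise the sequences that could close the
// script block or break the literal.
function jsValue(v) {
  return JSON.stringify(v)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The slide's four templates, each value escaped for the context it lands in.
function render(url, id, b, c) {
  return [
    // $url: URL context
    '<a href="' + safeUrl(url) + '"> my url </a>',
    // $id: JavaScript inside an HTML attribute: JS-escape, then HTML-escape
    '<body onload="bingbang(' + escapeHtml(jsValue(id)) + ')">',
    // $b: JavaScript inside <script>: a literal, never a bare expression
    '<script> var a = ' + jsValue(b) + ' </script>',
    // $c: attribute value: always quote it, then HTML-escape
    '<div name="' + escapeHtml(c) + '">',
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(render('javascript:alert(1)', "');alert(1);", '; alert(0);', 'onload=alert(1);'));
}
```

The order in the onload case matters: the browser decodes HTML entities first and only then hands the attribute to the JavaScript engine, so the JS escaping has to be applied before the HTML escaping that wraps it.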
  29. <!-- Research In Progress -->
      • Can you do cross-domain (SetSecurityToken, RunInContext)?
        – Exploiting hosted environments
      • NPM packages
        – Think external JS. Malicious? Insecure?
        – Now even C libraries
      • Are other JSLint bad practices exploitable?
        – Is Automatic Semicolon Insertion exploitable?
        – Many more…. Read “The Good Parts” once again
  30. (SOLUTION) Training. JSLint. Secure Dev Frameworks. Coding Guideline. EcmaScript5.
  31. (The Good Parts) Bare bone web server. Remember NetBSD? Isn’t configured / capable of more than what you want. Unlike Apache, Tomcat, IIS? But why is it good? More features, bigger attack surface. Bigger attack surface, more chances of things going wrong. And something that can go wrong will go wrong. E.g. the 1.3 zillion BO exploits the world has seen.
  32. // end of a beginning. twitter: b1shan / yukinying. blog: http://bishankochher.blogspot.com/