
"Black Clouds and Silver Linings in Node.js Security" Liran Tal

Remember the eslint-scope and event-stream incidents? As an energetic member of the Node.js Foundation's Security Working Group, Liran will provide a 360° perspective on some of the black clouds of security horror stories in the JavaScript and Node.js ecosystem and educate on mitigating them and building secure applications. We will deep-dive into practical Node.js vulnerabilities and how to protect against them, and cover some of the OWASP Top 10. Liran will also introduce initiatives the Node.js Security WG has been undertaking to secure the ecosystem, and recent security updates in npm.


  1. Black Clouds & Silver Linings in Node.js Security. Liran Tal, Developer Advocate @ Snyk. @liran_tal, github.com/lirantal. May 2019
  2. Liran Tal, Developer Advocate. @liran_tal, github.com/lirantal
  3. Black Clouds & Silver Linings in Node.js Security. Agenda: 01 Black Clouds in Node.js Security | 02 Common Security Vulnerabilities | 03 Silver Linings in Node.js Security
  4. Node.js is JavaScript. JavaScript is Everywhere: Frontend, Backend, IoT, Databases, Chatbots, Machine Learning, WebAssembly, Robotics
  5. src: https://snyk.io/opensourcesecurity-2019
  6. The Biggest Repository invites big risks
  7. The Biggest Repository invites big risks: lucrative attack impact
  8. The Biggest Repository invites big risks: lucrative attack impact; open and free-to-publish ecosystem
  9. The Biggest Repository invites big risks: lucrative attack impact; open and free-to-publish ecosystem; difficult to counter-measure
  10. Black Clouds in Node.js Security
  11. Black Clouds in Node.js Security: Malicious Modules
  12. Malicious Modules: Typosquatting Attacks, Compromised Accounts, Social Engineering
  13. Malicious Modules timeline: Jan 2015 rimrafall
  14. rimrafall
  15. rimrafall
  16. Malicious Modules timeline: Jan 2015 rimrafall; Jan 2017 crossenv
  17. cross-env
  18. $ npm install crossenv --save
  19. crossenv != cross-env. $ npm install crossenv --save
  20. coffescript or coffe-script
  21. coffescript or coffe-script (vs. coffeescript)
  22. src: https://snyk.io/vuln
  23. post-install script ✅
  24. post-install script ✅; call-home base64 payload ✅
  25. How did we find out about this malicious crossenv package? post-install script ✅; call-home base64 payload ✅
  26. Malicious Modules timeline: Jan 2015 rimrafall; Jan 2017 crossenv; May 2018 getcookies
  27. Malicious Modules timeline: Jan 2015 rimrafall; Jan 2017 crossenv; May 2018 getcookies; Jul 2018 eslint-scope
  28. eslint-scope 3.7.2: malicious package published
  29. eslint-scope 3.7.2: malicious package published
  30. What's going on?
  31. Who depends on eslint-scope?
  32. Who depends on eslint-scope? babel-eslint
  33. Who depends on eslint-scope? babel-eslint, eslint
  34. Who depends on eslint-scope? babel-eslint, eslint, webpack
  35. npm invalidates all tokens <= 2018-07-12
  36. npm invalidates all tokens <= 2018-07-12. Estimated potential ~4,500 accounts were compromised
  37. How does something like this happen?
  38. Compromised Contributors?
  39. Compromised Contributors? 14% compromised npm modules. src: https://github.com/ChALkeR/notes
  40. Compromised Contributors? 20% npm total monthly downloads
  41. Compromised Contributors? 20% npm total monthly downloads: express, react, debug, moment, request
  42. https://giphy.com/embed/aWPGuTlDqq2yc
  43. Compromised Contributors? 662 users had their password set to 123456
  44. Compromised Contributors? 1409 users had their password set to their username
  45. Compromised Contributors? 11% of users had their password set to a previously leaked password
  46. Malicious Modules timeline: Jan 2015 rimrafall; Jan 2017 crossenv; May 2018 getcookies; Jul 2018 eslint-scope; Nov 2019 event-stream
  47. src: https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor
  48. Black Clouds in Node.js Security: Dependency Management
  49. (CC BY-NC-SA 2.0)
  50. OWASP Top 10: Using Components With Known Vulnerabilities
  51. Who watches after all these modules?
  52. Who watches after all these modules?
  53. Who watches after all these modules?
  54. Black Clouds & Silver Linings in Node.js Security. Agenda: 01 The Scary State of Node.js Security | 02 Selected Vulnerabilities in Node.js | 03 Silver Linings in Node.js Security
  55. Common Security Vulnerabilities: Command Injection
  56. Command Injection
  57. Command Injection
  58. Command Injection Demo
  59. Command Injection. Best Practice: execFile('git', [...args])
  60. Command Injection. Best Practice: execFile('git', [...args]); maintain a whitelist of allowed args; blacklist special shell chars like ';'; pray
  61. Regular Expressions
  62. Regular Expressions
  63. Regular Expressions: ^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])$
  64. Regular Expressions: ^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])$ (IP Address)
  65. Regular Expressions. https://giphy.com/embed/xNBcChLQt7s9a
  66. Regular Expressions. Matching a Song Title: ^([a-zA-Z0-9])$
  67. Regular Expressions. Matching a Song Title: ^([a-zA-Z0-9])$ -> ^([a-zA-Z0-9]+\s?)$
  68. Regular Expressions. Matching a Song Title: ^([a-zA-Z0-9])$ -> ^([a-zA-Z0-9]+\s?)$ -> ^([a-zA-Z0-9]+\s?)+$
  69. Regular Expressions. Catastrophic Backtracking: exploits greedy quantifiers; simple regexes are vulnerable too: /^(a+)+$/
  70. Regular Expressions: 2017 ms | 2016 Moment | 2018 | 2018 ua-parser-js | 20M DL | 96M DL | 36M DL | sshpk 40M DL
  71. Regular Expressions: 2017 ms | 2016 Moment | 2018 | 2018 ua-parser-js | 20M DL | 96M DL | 36M DL | sshpk 40M DL. Best Practices?
  72. Regular Expressions. Best Practices?
  73. Regular Expressions. Best Practice #1: DO NOT WRITE YOUR OWN REGEX
  74. Regular Expressions. Best Practice #1: DO NOT WRITE YOUR OWN REGEX. Best Practice #2: DO NOT WRITE YOUR OWN REGEX
  75. Regular Expressions. Best Practice #3: Validator Node.js module
  76. Regular Expressions. Best Practice #4: Safe-Regex Node.js module. const safeRegex = require('safe-regex'); let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/; let isSafe = safeRegex(regex)
  77. Black Clouds & Silver Linings in Node.js Security. Agenda: 01 The Scary State of Node.js Security | 02 Selected Vulnerabilities in Node.js | 03 Silver Linings in Node.js Security
  78. Silver Linings in Node.js Security: The npmjs Ecosystem
  79. Fighting Typosquatting: Package Moniker Rules
  80. Fighting Typosquatting: Package Moniker Rules. JSONStream != jsonstream
  81. Fighting Typosquatting: Package Moniker Rules
  82. Fighting Typosquatting: Package Moniker Rules. react-native
  83. Fighting Typosquatting: Package Moniker Rules. react-native, reactnative
  84. Fighting Typosquatting: Package Moniker Rules. react-native, reactnative, rea-ct.native
  85. Fighting Typosquatting: Package Moniker Rules. react-native, reactnative, rea-ct.native, react_native
  86. Fighting Typosquatting: Package Moniker Rules. react-native, reactnative, rea-ct.native, react_native, @lirantal/rea-ct.native
  87. Package Publishing Notifications
  88. 2FA tokens for npm >= 5.5.1. $ npm profile enable-2fa. Output: 2FA successfully enabled. Below are your recovery codes, please print these out.
  89. 2FA tokens for npm >= 5.5.1. $ npm profile enable-2fa. Output: 2FA successfully enabled. Below are your recovery codes, please print these out.
  90. Taking Ownership of Your App Security
  91. Taking Ownership of Your App Security. Source: The State of Open Source Security Report 2019, Snyk https://snyk.io/opensourcesecurity-2019/
  92. Find vulnerabilities in open source dependencies
  93. Find vulnerabilities in open source dependencies: $ npm install snyk; $ snyk auth; $ snyk test
  94. Find vulnerabilities in open source dependencies: $ npm install snyk; $ snyk auth; $ snyk test
  95. Snyk detects vulnerabilities in Pull Requests
  96. Snyk automates fixing vulnerabilities
  97. Silver Linings in Node.js Security: Node.js Security Working Group
  98. The Security WG
  99. The Security WG. Scope: improving the state of the Node.js Security Ecosystem
  100. The Security WG. Scope: improving the state of the Node.js Security Ecosystem; incident response for Node and the npm ecosystem
  101. The Security WG. Initiative: RDP for Ecosystem Modules
  102. The Security WG. Initiative: RDP for Ecosystem Modules: discreetly investigate security issues; security disclosure policy for bug hunters; public vulnerability database
  103. The Security WG. Initiative: RDP for Ecosystem Modules. Uninitialized Buffer | base64url | 2,000,000
  104. The Security WG. Initiative: RDP for Ecosystem Modules. Uninitialized Buffer | base64url | 2,000,000. XSS Injection | react-svg | 130,000
  105. The Security WG. Initiative: RDP for Ecosystem Modules. Uninitialized Buffer | base64url | 2,000,000. XSS Injection | react-svg | 130,000. Path Traversal | serve | 564,000
  106. The Security WG. Initiative: RDP for Ecosystem Modules. Uninitialized Buffer | base64url | 2,000,000. XSS Injection | react-svg | 130,000. Path Traversal | serve | 564,000. ReDoS | protobufjs | 7,200,000
  107. Black Clouds & Silver Linings in Node.js Security. Summary: 01 Malicious modules & Compromised accounts
  108. Black Clouds & Silver Linings in Node.js Security. Summary: 01 Malicious modules & Compromised accounts | 02 Common Security Pitfalls in Node.js
  109. Black Clouds & Silver Linings in Node.js Security. Summary: 01 Malicious modules & Compromised accounts | 02 Common Security Pitfalls in Node.js | 03 Developer awareness, fix vulnerabilities in your open source deps, Node.js Security WG
  110. Liran Tal, Developer Advocate. @liran_tal, github.com/lirantal. Use Open Source, Stay Secure. Thank you!
