How to hack a node app? @ GDG DevFest Ukraine 2017

•

0 likes•458 views

Thought hacking was hard? It’s not, it’s easy and I’m going to show you how! We’ll investigate a series of hacking stories and break them down step-by-step to see exactly how they did it. By the end you’ll walk away a little bit more scared and a lot more prepared with some great practices you can apply immediately to your own applications.

Technology

Asim Hussain
@jawache
codecraft.tv
microsoft.com

#1
@jawachePhoto by Kristina Flour on Unsplash

@jawachePhoto by Veri Ivanova on Unsplash

@jawachePhoto by Nolan Issac on Unsplash

On Premise
Hardware
OS
App
IaaS
Hardware
OS
App
PaaS
Hardware
OS
App
@jawache

Google App Engine
Heroku
Amazon Beanstalk
Azure App Services

@jawacheIt's Always Sunny In Philadelphia

'SELECT * FROM COMPANIES WHERE name =' + name;
@jawache

SELECT * FROM COMPANIES WHERE name =;
DROP TABLE "COMPANIES";
--LTD
@jawache

@jawachePhoto by Braydon Anderson on Unsplash

git push
http://0:9200/_shutdown
@jawache

def send_email(request):
try:
recipients = request.GET['to'].split(',')
url = request.GET['url']
proto, server, path, query, frag = urlsplit(url)
if query: path += '?' + query
conn = HTTPConnection(server)
conn.request('GET',path)
resp = conn.getresponse()
...
@jawache

http://0:8000/composer/send_email?
to=orange@nogg&
url=http://127.0.0.1:12345/foo
@jawache

http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo:
@jawache

GET /%0D%0Ahello%0D%0AFoo:
HTTP/1.1
Host: 127.0.0.1:12345
Accept-Encoding: identity
@jawache

GET /
hello
Foo: HTTP/1.1
Host: 127.0.0.1:12345
Accept-Encoding: identity
@jawache

...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A
@jawache

GET /
set key 0 900 4 data
HTTP/1.1
Host: 127.0.0.1:11211
Accept-Encoding: identity
@jawache

DeprecatedInstanceVariableProxy
@jawache

@jawachePhoto by Kelly Sikkema on Unsplash

@jawachePhoto by Jairo Alzate on Unsplash

Stop pretending
Don't assume
Small vulnerability
Don't trust anyone
PaaS
Sanitise
Fix
@jawache

https://www.pluralsight.com/courses/nodejs-security-
express-angular-get-started/
@jawache

Azure App Services
https://aka.ms/azure-app-service-docs
Google App Engine
https://cloud.google.com/appengine/
Heroku
https://heroku.com
Amazon Beanstack
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html
PaaS Platforms

Metasploit
https://www.metasploit.com/
DropTables Company
https://beta.companieshouse.gov.uk/company/10542519
SQLMap
http://sqlmap.org/
How I Chained 4 vulnerabilities on GitHub Enterprise - Orange Tsai
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
Malicious packages in npm. Here’s what to do - Ivan Akulov
https://iamakulov.com/notes/npm-malicious-packages/
Oscar Bolmsten on Twitter
https://twitter.com/o_cee/status/892306836199800836

npm module sqlstring
https://www.npmjs.com/package/sqlstring
Exploit DB
https://www.exploit-db.com/
Brian Clarke Security Course on Pluralsight
https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/

What's hot

Telco Cloud How operators are using the Cloud to unlock the core network and ...

Alan Quayle

Automated infrastructure allows us to move fast, but moving fast is scary without proper testing. Where to start though? The state of the art in Chef cookbook testing has changed rapidly in the last few years with the introduction of new and improved tools and much of what you’ll find in web searches is often outdated. In this presentation I’ll give an overview of the available tools for testing and techniques to avoid busy work in your testing. We’ll cover cookbook linting, unit testing, and integration testing using Cookstyle, ChefSpec, and Test Kitchen / InSpec. We’ll also cover wiring up your testing in Travis CI to perform full integration tests on every PR.

Testing Like a Pro - Chef Infrastructure Testing

Tim Smith

Integrated security testing public

Morgan Roman

Spring Security 5.1 by Example - Josh Cummings

VMware Tanzu

Hacking title

10connollyc

James jara portafolio

James Jara

Intro to IronWASP

n|u - The Open Security Community

http://fr.droidcon.com/2014/agenda/detail?title=Parse+Worskshop Learn how to focus on creating a great user experience and forget complex infrastructure. Instantly add a powerful core, push notifications, and analytics to your app with Parse. We will take a deep dive at Parse's native SDKs for Android and see how to build an app that scales to millions of users. Speaker: Ali Parr, Parse Head of Mobile Platform Partnerships Engineering, EMEA, Facebook and Parse, based in London. He currently heads up the Parse partnerships program for Facebook in EMEA, as well focusing on new developer acquisition. Ali is focused on building partnerships between Parse and developers across EMEA, through direct contact, public speaking opportunities, and mentoring events. Ali is also a mentor at Techstars in London, and The Family in Paris, providing advice and experience to high-potential startups. Prior to Facebook, Ali was the founder of Infinite Degree, a gaming startup that reached top 10 in Apple App Store across many regions including the US and the UK. Ali holds a Masters degree in Computer Science.

Workshop: building your mobile backend with Parse - Droidcon Paris2014

Paris Android User Group

Owasp API Security top 10 - The need of enterprise solutions for managing API...

Tharindu Edirisinghe

A quantidade frequente de ataques bem sucedidos, fraudes e vazamentos de dados mostram que as empresas estão falhando em manter a segurança de seus sites, aplicações e bases de dados. Embora o "pentest" seja uma técnica muito comum de testar a segurança de um site, hoje temos a disposição um conjunto de ações que podem ser adotadas de forma complementar para testar e corrigir aplicações desde a sua concepção até a produção. amo conversar um pouco sobre as diferenças e vantagens de adotar práticas de testes de segurança, scan, pentest, vulnerability disclosure e bug bounty. Palestra realizada o Meetup OWASP São Paulo, 30/11/2018

Só o Pentest não resolve!

Anchises Moraes

"Indo além do Pentest" / Palestra apresentada na CPBR12 (Fev/2019) Muito se fala hoje em dia do Pentest, que já se tornou uma prática comum quando as empresas precisam testar a segurança de um site ou aplicação. A quantidade frequente de ataques bem sucedidos, resultando em fraudes e vazamentos de dados, mostram entretando que as empresas estão falhando em manter a segurança de seus sites, aplicações e bases de dados. Embora o "pentest" seja uma técnica muito comum de testar a segurança de um site, hoje temos a disposição um conjunto de ações que podem e devem ser adotadas de forma complementar para testar e corrigir aplicações desde a sua concepção até a produção. Vamos conversar um pouco sobre as diferenças e vantagens de adotar práticas de testes de segurança, scan de vulnerabilidades, pentest, políticas de vulnerability disclosure e programas de bug bounty.

Segurança além do Pentest

Anchises Moraes

Alfresco sdk 2.0

Yoshi Aochi

What's hot (12)

Telco Cloud How operators are using the Cloud to unlock the core network and ...

Testing Like a Pro - Chef Infrastructure Testing

Integrated security testing public

Spring Security 5.1 by Example - Josh Cummings

Hacking title

James jara portafolio

Intro to IronWASP

Workshop: building your mobile backend with Parse - Droidcon Paris2014

Owasp API Security top 10 - The need of enterprise solutions for managing API...

Só o Pentest não resolve!

Segurança além do Pentest

Alfresco sdk 2.0

Recently uploaded

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Real Time Object Detection Using Open CV

Khem

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Recently uploaded (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Apidays New York 2024 - The value of a flexible API Management solution for O...

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Real Time Object Detection Using Open CV

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

🐬 The future of MySQL is Postgres 🐘

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Data Cloud, More than a CDP by Matt Robison

Partners Life - Insurer Innovation Award 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

AWS Community Day CPH - Three problems of Terraform

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

HTML Injection Attacks: Impact and Mitigation Strategies

GenAI Risks & Security Meetup 01052024.pdf

Top 10 Most Downloaded Games on Play Store in 2024

A Domino Admins Adventures (Engage 2024)

How to hack a node app? @ GDG DevFest Ukraine 2017

1. Asim Hussain @jawache codecraft.tv microsoft.com

3. it can happen to you @jawache

4. #1 @jawachePhoto by Kristina Flour on Unsplash

5. @jawachePhoto by Veri Ivanova on Unsplash

7. @jawacheMr Robot

9. @jawache

10. @jawachePhoto by Nolan Issac on Unsplash

11. On Premise Hardware OS App IaaS Hardware OS App PaaS Hardware OS App @jawache

12. Google App Engine Heroku Amazon Beanstalk Azure App Services

13.

14. @jawache

15. @jawacheIt's Always Sunny In Philadelphia

16. #2 @jawache

17. 'SELECT * FROM COMPANIES WHERE name =' + name; @jawache

18. SELECT * FROM COMPANIES WHERE name =; DROP TABLE "COMPANIES"; --LTD @jawache

19. @jawache

20. @jawache

21. @jawachePhoto by Braydon Anderson on Unsplash

22. @jawache

23. @jawache

24. #3 @orange_8361

25. git push http://example.com @jawache

26. git push http://localhost @jawache

27. git push http://0 @jawache

28. git push http://0:9200/_shutdown @jawache

29. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto, server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache

30. http://0:8000/composer/send_email? to=orange@nogg& url=http://127.0.0.1:12345/foo @jawache

31. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto, server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache

32. rn @jawache

33. %0D%0A @jawache

34. http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo: @jawache

35. GET /%0D%0Ahello%0D%0AFoo: HTTP/1.1 Host: 127.0.0.1:12345 Accept-Encoding: identity @jawache

36. GET / hello Foo: HTTP/1.1 Host: 127.0.0.1:12345 Accept-Encoding: identity @jawache

37. ...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A @jawache

38. GET / set key 0 900 4 data HTTP/1.1 Host: 127.0.0.1:11211 Accept-Encoding: identity @jawache

39. GET / set key 0 900 4 data HTTP/1.1 Host: 127.0.0.1:11211 Accept-Encoding: identity @jawache

40. code code @jawache

41. code code @jawache

42. DeprecatedInstanceVariableProxy @jawache

43. @jawache

44.

45. @jawachePhoto by Kelly Sikkema on Unsplash

46. #4 @jawache

47. @jawache

48. @jawache

49.

50. @jawache

51. cross-env vs. crossenv @jawache

52. @jawachePhoto by Jairo Alzate on Unsplash

53. @scope/package-name @jawache

54. Stop pretending Don't assume Small vulnerability Don't trust anyone PaaS Sanitise Fix @jawache

55. https://www.pluralsight.com/courses/nodejs-security- express-angular-get-started/ @jawache

56. Asim Hussain @jawache codecraft.tv microsoft.com

57. Azure App Services https://aka.ms/azure-app-service-docs Google App Engine https://cloud.google.com/appengine/ Heroku https://heroku.com Amazon Beanstack http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html PaaS Platforms

58. Metasploit https://www.metasploit.com/ DropTables Company https://beta.companieshouse.gov.uk/company/10542519 SQLMap http://sqlmap.org/ How I Chained 4 vulnerabilities on GitHub Enterprise - Orange Tsai http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html Malicious packages in npm. Here’s what to do - Ivan Akulov https://iamakulov.com/notes/npm-malicious-packages/ Oscar Bolmsten on Twitter https://twitter.com/o_cee/status/892306836199800836

59. npm module sqlstring https://www.npmjs.com/package/sqlstring Exploit DB https://www.exploit-db.com/ Brian Clarke Security Course on Pluralsight https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/

How to hack a node app? @ GDG DevFest Ukraine 2017

Recommended

Recommended

More Related Content

What's hot

What's hot (12)

Recently uploaded

Recently uploaded (20)

How to hack a node app? @ GDG DevFest Ukraine 2017