It could happen to anyone - FrontEnd Connect 2017
Report
Asim HussainFollow
Sep. 23, 2017•0 likes•815 views
It could happen to anyone - FrontEnd Connect 2017
Sep. 23, 2017•0 likes•815 views
Download to read offline
Report
Technology
Thought hacking was hard? It’s not, it’s easy and I’m going to show you how! Most sites are far more vulnerable to attack than they think. In this talk we’ll go through a series of hacking stories and breakdown the hack together to see exactly how they did it. By the end you’ll walk away perhaps a little bit more scared, but definitely armed with some great practices you can apply immediately to your own applications.
Asim HussainFollow
Recommended
How to hack a node app? @ GDG DevFest Ukraine 2017Asim Hussain
Maven SetupHolasz Kati
Infrastructure Automation How to Use Chef For DevOps SuccessDynatrace
Red team, Blue Team or White CellFrank Breedijk
Advanced Topics in Continuous DeploymentMike Brittain
The Four Principles of Atlassian Performance TuningAtlassian
More Related Content
What's hot
Hacking title10connollyc
DevCon Summit 2014: Trends in Android Development by Evan Dale ArominDEVCON
Mobile web-debugFINN.no
Slam Dunk with Splunk and Stash Data CenterAtlassian
Python-Powered Savage Garden HotlineMariatta Wijaya
Durga soft SCJP part-1Satya Johnny
Similar to It could happen to anyone - FrontEnd Connect 2017
How to hack a node app? - LvivJS 2017Asim Hussain
AppForum 2014 Boost Hybrid App Performancerobgalvinjr
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013Amazon Web Services
2009 Barcamp Nashville Web Security 101brian_dailey
Summit2011 satellites-robinf-20110605Robin Fernandes
Satellite Apps around the Cloud: Integrating your infrastructure with JIRA St...Atlassian
Recently uploaded
Improve Employee Experiences on Cisco RoomOS Devices, Webex, and Microsoft Te...ThousandEyes
TEKART CON 2023AdedoyinSamuel1
How to Manage Your Offshore Software Development Team EfficientlyCapital Numbers
TaketoFujikawa_KES2023Matsushita Laboratory
Regulating Generative AI - LLMOps pipelines with TransparencyDebmalya Biswas
Easy Salesforce CI/CD with Open Source Only - Dreamforce 23NicolasVuillamy1
It could happen to anyone - FrontEnd Connect 2017
- 1. Asim Hussain @jawache codecraft.tv microsoft.com
- 3. @jawache
- 4. @jawachePhoto by Kristina Flour on Unsplash
- 5. @jawachePhoto by Veri Ivanova on Unsplash
- 7. @jawacheMr Robot
- 9. @jawache
- 10. @jawachePhoto by Nolan Issac on Unsplash
- 11. On Premise Hardware OS App IaaS Hardware OS App PaaS Hardware OS App @jawache
- 12. Google App Engine Heroku Amazon Beanstalk Azure App Services
- 14. @jawache
- 15. @jawacheIt's Always Sunny In Philadelphia
- 16. @jawache
- 17. 'SELECT * FROM COMPANIES WHERE name =' + name; @jawache
- 18. SELECT * FROM COMPANIES WHERE name =; DROP TABLE "COMPANIES"; --LTD @jawache
- 19. @jawache
- 20. @jawache
- 21. @jawachePhoto by Braydon Anderson on Unsplash
- 22. @jawache
- 23. @jawache
- 24. @orange_8361
- 25. git push http://example.com @jawache
- 26. git push http://localhost @jawache
- 27. git push http://0 @jawache
- 28. git push http://0:9200/_shutdown @jawache
- 29. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto, server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache
- 30. http://0:8000/composer/send_email? to=orange@nogg& url=http://127.0.0.1:12345/foo @jawache
- 31. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto, server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache
- 32. rn @jawache
- 33. %0D%0A @jawache
- 34. http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo: @jawache
- 35. GET /%0D%0Ahello%0D%0AFoo: HTTP/1.1 Host: 127.0.0.1:12345 Accept-Encoding: identity @jawache
- 36. GET / hello Foo: HTTP/1.1 Host: 127.0.0.1:12345 Accept-Encoding: identity @jawache
- 37. ...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A @jawache
- 38. GET / set key 0 900 4 data HTTP/1.1 Host: 127.0.0.1:11211 Accept-Encoding: identity @jawache
- 39. GET / set key 0 900 4 data HTTP/1.1 Host: 127.0.0.1:11211 Accept-Encoding: identity @jawache
- 40. code code @jawache
- 41. code code @jawache
- 42. DeprecatedInstanceVariableProxy @jawache
- 43. @jawache
- 45. @jawachePhoto by Kelly Sikkema on Unsplash
- 46. @jawache
- 47. @jawache
- 48. @jawache
- 50. @jawache
- 51. cross-env vs. crossenv @jawache
- 52. @jawachePhoto by Jairo Alzate on Unsplash
- 53. Stop pretending Don't assume Small vulnerability Don't trust anyone PaaS Sanitise Fix @jawache
- 54. https://www.pluralsight.com/courses/nodejs-security- express-angular-get-started/ @jawache
- 55. Asim Hussain @jawache codecraft.tv microsoft.com
- 56. Azure App Services https://aka.ms/azure-app-service-docs Google App Engine https://cloud.google.com/appengine/ Heroku https://heroku.com Amazon Beanstack http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html PaaS Platforms
- 57. Metasploit https://www.metasploit.com/ DropTables Company https://beta.companieshouse.gov.uk/company/10542519 SQLMap http://sqlmap.org/ How I Chained 4 vulnerabilities on GitHub Enterprise - Orange Tsai http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html Malicious packages in npm. Here’s what to do - Ivan Akulov https://iamakulov.com/notes/npm-malicious-packages/ Oscar Bolmsten on Twitter https://twitter.com/o_cee/status/892306836199800836
- 58. npm module sqlstring https://www.npmjs.com/package/sqlstring Exploit DB https://www.exploit-db.com/ Brian Clarke Security Course on Pluralsight https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/
Editor's Notes
- before I begin I'd like to ask a quick question... pee question hopefully, by the end of the talk, that %age will have increased. because today we are going to talk about security and hacking. and Introduce To begin I'd like to tell you a story...
- working in investment banking, career going well, good money side project events site slightly successful. quit to work on this full time arrogant money started running out, had 3 months left. found one investor still interested demo 7 days 48 hours linode investigate, confirmed, tmp folder what was the source? found php running, weird since I don't use php remembered resolution
- No fool. Took security this very seriously. Followed all the instructions. Forgot one small thing. Lesson Take Away = Happen to you. I love stories. Today I'm going to talk about hacking. But through 3 different hacking stories. Some specific to node Some general. Moral at the end Lesson to learn Steps to protect yourself Lets start off with breaking down exactly how I think I was hacked at eventsushi.
- Lets first explain a few terms A vulnerability is a hole in security a weakness - e.g. not using a firewall is a vulnerability. An exploit is a tool, piece of code, or just a sequence of commands which takes advantage of a vulnerability to do bad things. Q) Who here has heard of the term 0 day exploit? A 0 day exploit is one that no one knows about, yet. It's a secret Photo by Kristina Flour on Unsplash https://unsplash.com/search/photos/whisper?photo=BcjdbyKWquw
- Once a 0 day exploit is found It's not called a 0 day exploit anymore. 1D, 30D, 6MONTH etc.. Then the clock starts ticking. How hard do you think it would be to get a hold of a 0 day exploit? How hard do you think it would be to get a hold of an exploit that's been in the public domain for 6 months? https://unsplash.com/photos/p3Pj7jOYvnM Photo by Veri Ivanova on Unsplash
- In fact it's very easy. you can find them on the internet. There are lots of sites. This one for instance https://www.exploit-db.com/ [SHOW VIDEO]
- We like to believe all hackers are like this? black hat mysterious geniuses I think we like to believe that because it makes us feel better when we do get hacked. "I mean it's MrRobot, How am I a supposed to defend against that"?
- But MrRobot didn't hack me. They didn't use a 0 day exploit. I was running a really old version of PHP. My attacker GOOGLED how to hack me and followed instructions. Not hard!
- Or like this... ooooh mysterious....
- http://www.istockphoto.com/gb/photo/hard-at-work-gm518069822-89813857 But it probably looked like this... But I was running an old version of PHP. My attacker GOOGLED how to hack me and followed instructions.
- In fact it's even easier than that.. you don't even need to do this manually. tools automate this whole process metasploit is one from rapid7. scans a site. identifies potential vulnerabilities. then lets you automate exploits from its database of plugins. [NO....] So you just need to find an idiot like me on the internet With an old version of PHP running Scan me with metasploit and then try a few known exploits.
- So what can we do? We are still vulnerable to 0 day exploits. Can't defend from unknown. Can defend from known exploits simply by keeping our software updated. That's easy right, we just need to update... OS Apache Nginx Database Software Underlying Libraries Bulletins Actually that sounds like a lot of hard work Any my job is to write apps, not maintain servers. So after this attack i started exclusively using PAASs Photo by Nolan Issac on Unsplash https://unsplash.com/photos/K5sjajgbTFw
- Describe. Patching Companies SUMMARY: Leaving an OLD version of PHP running was a vulnerability. Don't think they came in through a 0 day. They came in using a known exploit, one that was probably already fixed in the latest version of PHP. So if i had at least updated PHP to the latest version I would be safe. But keeping everything updated is hard. So use a PAAS. On Premise You look after hardware, OS and application code IaaS You look after OS and App code and they look after the Hardware PaaS They look after harware, OS (and software like web servers) and you just release app code In the past i've used Heroku, Google App Engine, Amazon has something called Beanstalk but i've never used it and Azure has something called AppService Doesn't matter which one you use to be honest, they all auto update the infrastructure versions on a pretty regular level just make sure to use one.
- Still not convinced? Q) Who's heard of the recent equifax hack? The largest hack in history, affects about 200 million people. Billion dollar company. 10,000 employees. Did the hackers get in through a 0 day exploit? NO. They got in through a KNOWN exploit of Apache Struts. The patch to fix the exploit had been released for 2 months BEFORE the hack. They just hadn't applied the patch.
- Azure Security Centre Coolest things about Azure No one else has got this. Signals Alerts create noise So to solve this we trained in AI to detect hacking attempts from the signals. The AI can chain together signals and figure out if you are being attacked with a pretty high degree of certainty. It's not perfect but i'm lazy and it doesn't require any effort to use so I like to switch it on.
- Who watches this show? So my closing arguments. Thinking you can create a secure platform to host your app when you are not an expert in security is like thinking you can represent yourself in court if you are not a lawyer. Did I manage to scare any of you? Probably not... maybe this next story will scare you more.
- http://www.istockphoto.com/gb/photo/little-boy-stealing-cookies-gm164114602-23379436 http://www.istockphoto.com/gb/photo/close-up-of-a-little-girl-taking-one-cookie-gm160146392-17820916 This story is about a company I used to work at. They were a financial startup. Brought to help them move from an old Java framework to Angular. Framework decommissioned in 2003, first line of code was written in 2005. Can laugh but It's financial services so lots of it regulation including security. Hired a pen testing firm to try to hack us. It wasn't hard. This is the story of one of the vulnerabilities they found. It's called XSS or CrossSiteScripting and it's a type of Injection Attack. They basically found a way to steal a users cookies then login and make trades and financial transactions as that user.
- The way they did this was simple. The form that we used to submit a comment allowed some simple formatting, bold etc.. It used HTML to define the text format.
- It then converted the HTML to Base64 and this was posted to the server and stored in the database. Later on when it comes to display it converts from base64 on the server side and returns HTML from the server. NOTE: This is NOT an SPA, serverside rendered!
- So instead of the HTML you saw before, these hackers crafted their own HTML comment. This one had a script tag. Do you see what it's doing? It's sending your cookie to some other server, assuming you login with cookies this is giving someone else complete access to your account.
- Remember it gets converted to base64 first and they just used postman to post it to our APIs. Then when we rendered the page later on. We rendwered it WITH their script tag!
- So just VIEWING a forum page with one of these special comments in will send your cookie to someone else server.
- http://www.istockphoto.com/gb/photo/deception-concept-disguise-between-shark-and-goldfish-gm534192884-94746997 http://www.istockphoto.com/gb/photo/in-the-wrong-place-gm92469124-700142 https://www.pexels.com/photo/close-up-of-human-hand-257279/ Moral of the story: Don't assume your inputs will arrive in the format you expect. What's the solution? Sanitise on backend - on the serverside should strip tags it doesnt' recognise: https://www.npmjs.com/package/xss [ADD] Sanitise on frontend: With frameworks like Angular it by default assumes that all content is unstrusted and runs it through a sanitiser removing all script tags: https://angular.io/guide/security CSP script-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src [CSP]
- http://www.istockphoto.com/gb/photo/child-upset-before-getting-a-shot-at-the-doctor-gm97506563-12206370
- https://beta.companieshouse.gov.uk/company/10542519 companies house. This is an actual limited company registered in the UK. It's an example of an attempt at an injection attack a sql injection attack. Run untrusted code in a trusted environment. The goal is to trick an application to run some raw SQL.
- So if someone wasn't careful and had a script that ran something like this 'select * from companies where name ='+ name;
- they would end up running something like this But name might be something a user entered into a form. or came from an API request. You are susceptible to this whenever you use "untrusted" input in an SQL statement. Backup database, so what DROPTABLES isn't the only command Don't even have to try all these commands manually.
- http://sqlmap.org/ It's such a common vulnerability that there are automated tools to help you attack, such as this one.
- python script pass in the URL which has the vulnerability scans to begin with, finding out things like database software and version. Figured out it's myself so tries to guess the admin password from a database of common passwords. dump users table run shell commands In about a min, we can get access to the database, dump the users table and even run commands on the OS shell.
- Moral of the story: Don't assume your inputs will arrive in the format you expect. Photo by Braydon Anderson on Unsplash https://unsplash.com/collections/480109/animals-in-disguise?photo=wOHH-NUTvVc
- What's the solution? Sanitise untrusted input. sqlstring Strips out anything that looks unsafe from a sql statement. Others, front end, XSS etc... Anytime you have untrusted input from a user sanitise.
- [SLOW] If you use something like azure sql database it automatically ❤️ detects sql injection attacks doesn't stop them but does send you an alert. How are you feeling now? I showed you an automated script which took over a database in under a minute. More scared?
- Who's heard of this company? So github has a bug bounty. They pay you if you find a security hole in their software. There was a great exploit found in github enterprse by someone called orange tsai twitter handle. gave a hacker the ability to run any command on the github server as if they have a bash shell open on your server. chaining a number of smaller exploits together into one large exploit. heist movie figuring out how they did it is so facinating. I've tried to break down for you and would love to tell. http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
- You know webhooks right? You can setup a webhook so that when someone pushes to git it will POST to a HTTP endpoint.
- What if you set the webhook URL to localhost? Aha... then it will post to a local process instead post to any port behind the firewall! But the github people knew this They USED a sanitiser that blacklisted localhost.
- But they didn't blacklist 0 which can resolve to localhost as well!
- About the only thing he could do with that is shutdown elastic search. Spent a few more days looking.
- graphite charting open source so checked the source code found this function
- POST -> GET
- But that second GET request is using HttpConnection lib
- Which is know to have a vulnerability called called CR-LF Injection
- A HTTP Request is just a series of lines sent over a TCP connection. So it opens a port to 12345 Sends GET, \r\n HTTP\r\n etc...
- But HTTPConnection converts those special chars to \r\n So now we send GET / then hello Something that is expecting HTTP would probably error at this, the message is not formed correctly.
- But HTTPConnection converts those special chars to \r\n So now we send GET / then hello Something that is expecting HTTP would probably error at this, the message is not formed correctly.
- This activity opens up the door to something called protocol smuggling. So if we send a HTTP request to the redis instance on the box (6379) with the command SLAVEOF example.com 6379 then this redis instance becomes a slave of our external redis instance. So it opens the door to being attacked through other protocols than HTTP. What other things can we do?
- But what if we did something like this. 11211 is memcached. what would HTTPConnection try to send then.
- The full HTTP message when generated by HttpConnection library then looks like this. But remember we are not sending this to a server expecting HTTP. We are sending this to memcached which is just expecting the memcached protocol.
- Memcached is not expecting HTTP, doesn't know how to parse it, just executes commands if it sees a newline. GET ignored, error. next time, this is a real memecahced command, sets some data in memcached. Lets us smuggle protocols
- Developers, we like to store things in memcached, But we are lazy so we like to use libs that do it for is. We might use one which takes an instance of a class and serialises the whole thing. So you take some code that exists in memory. Convert it to a string or binary format. Send that to memcached. Sometime later load the data again, convert it into a class and call a function.
- But now we have access to memcached We can set data in memcached. we can CHANGE what code is returned. So when you execturte that code later on, you are running my code, not the code you stored.
- Serialised instances contain the name of the class Found this one Instance had a known vulnerability so was depreciated You can change a serialised instance of this class so that when it is called it executes a command in the shell instead. BUT they still used it, so it was easy to hack.
- Moral of the story: Big exploits are made from smaller exploits. Attacks don't come in through one big exploit. Multiple smaller exploits chained together. So if you found a vuln and are thinking of ignoring it, think again. How are you feeling now? Anyone need to go to the toilet? No? Maybe after the next story... Photo by Kelly Sikkema on Unsplash https://unsplash.com/search/photos/lego?photo=JRVxgAkzIsM
- What does the above code do? It gets all your environment variables and converts them to a base64 encoded string.
- What does the above code do? Take a look at the host name. It takes your environment variables and posts them to my server. How many of you keep secret keys, passwords etc... in environment variables. What if I told you I could make you run this code on your server?
- Does this make it any clearer, the file is called package-setup.js
- How about now? I can see the realisation coming to some of you. This is an npm module, when you install it you send me your environment variables. But you are probably thinking, why would you ever install an npm package you have never heard of?
- Take a look at this, was posted a few weeks ago. cross-env is a very popular npm module created by kent dodds, over a million downloads every month.
- What they had done was release a module called codeenv without the hyphen. That's it. It's called typosquatting. npm install from memory, tried with and without hyphens? When you run npm install you are basically giving other developers the right to run their code on your server behind all your firewalls as if you wrote the code.
- Moral of the story: We are too trusting! maybe because open source. developer is a good person. they have released code to the community for free. multiple eyes on it. the npm modules were up for 2 weeks before they were discovered. not using the environment key vault. but even that would not be safe the code is running as if it was you who wrote it. so it will have access to even read from keyvault npm have taken down crossenv maybe already installed? Links at the end. ecosystem is HUGE static analysis of npm packages double triple sure you typed he module name correctly https://unsplash.com/photos/sssxyuZape8 Photo by Jairo Alzate on Unsplash
- What's the takeaway? Stop pretending that because you've spent a few mins thinking about security that you are safe. There are people who spend all day everyday thinking of clever ways to get access to your site. Use a PaaS. Don't assume people will use your site as you expect them to use it, every input can be abused, so sanitise. No such thing as a small exploit, small ones can be chained together to create a big one. Fix your vulnerabilities no matter how small you think they are. Did the npm one scare you? It should... we are too trusting, we trust objects we store in a memcache are not going to be tampered with, we trust that everything we install from npm is trustworthy. Don't trust anyone!
- If you want a good follow on course my colleage Brian Clarke has one on Pluralsight, it's a good one for going a bit deeper into some of these issues.
- look like from behind