Presentation for the BSides Iowa 2017 talk, "Wanna break JavaScript and APIs in web apps?"

1. WANNA BREAK
JAVASCRIPT AND
ANDY FREEBORN

2. ME
▸Penetration Tester at Union Pacific
▸Previous jobs also tested security in all the things
▸Explorer of CPU architectures
▸Loves dank memes
2

3. AGENDA
▸Why
▸Tools to identify and break things
▸Thing to break
▸Demo of thing to break
3

4. WHY
▸There’s too many versions of JavaScript:
http://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground/
4

5. WHAT DOES ALL OF THAT MEAN?
▸JavaScript is evil
5

6. WHAT DOES IT REALLY MEAN?
▸Many JavaScripts versions out there work, why update it?
▸Because security
▸Is it really a problem if so many other people use the same thing?
▸Just ask WordPress administrators
▸Unrelated low risk vulnerabilities can be exploited and chained to
provide an easy way into your organization
▸ http://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-
auditor-turns-into-eight-vulnerabilities/
6

7. NO REST FOR THE API’S
▸Rest APIs are becoming more available and used
▸Companies are querying data from APIs of various
products to make their own aggregated view of data
▸APIs also have a myriad of challenges and can be insecure
▸http://www.zdnet.com/article/apis-examined/
▸OWASP Top 10 for 2017 (RC1)
▸A10 - Under protected APIs
7

8. TOOLS TO BREAK THINGS
▸Chrome and Firefox developer tools
▸Retire.js
▸Node Security Platform and Snyk
▸Postman
▸Burp Suite
8

9. CHROME AND FIREFOX DEV TOOLS
▸Both are free, powerful, and easy to use
▸Many free resources available to help you use it
▸https://developers.google.com/web/tools/chrome-devtools/
▸http://discover-devtools.codeschool.com/
▸Why use it?
▸Easy to test for a variety of potential security issues
9

10. CHROME DEV TOOLS: SHOW ME YOUR
SECRETS… OR SOURCE▸URL/route to the administrative page (dirbuster works too)
▸Commented out link to the score-board
10

11. CHROME DEV TOOLS: ALWAYS PRETTY-
PRINT LUKE, ALWAYS
▸Click the {} symbol
11

12. RETIRE.JS
▸Retire.js detects vulnerable JavaScript libraries and/or
Node.JS modules
▸Free
▸https://github.com/RetireJS/retire.js
▸Regularly updated as JavaScript and NPM packages age
▸Provides the exact vulnerability associated with a specific
version and includes helpful URLs
12

13. RETIRE.JS
▸Retire.js can be used in a variety of situations:
▸Chrome extension
▸Firefox extension
▸Standalone to scan a website or file directory
▸Add-on for OWASP Zap (free)
▸Add-on for Burp Suite (requires Pro) in the BApp Store
13

14. RETIRE.JS: VULNERABILITIES FOUND
WITH THE EXTENSION
14

15. RETIRE.JS: VULNERABILITIES FOUND
WITH THE CLI
▸sequelize has known vulnerabilities such as SQLi
15

16. NODE SECURITY PLATFORM AND SNYK
▸Node Security Platform (project from ^Lift)
▸Free: https://github.com/nodesecurity/nsp
▸Scan a directory to identify issues with Node.JS packages
▸Snyk
▸Free tier available: https://snyk.io/
▸Checks JavaScript, Ruby, and Java GitHub repositories,
public NPM packages, and can scan directories as well
16

17. POSTMAN
▸Quickly probe/poke/destroy APIs
▸Free
▸https://www.getpostman.com/
▸Why not SoapUI? curl? Python requests library?
▸SoapUI works great! Postman is just another option
▸Really why though: History, easily import/export tests to
other formats, share tests among team members
17

18. POSTMAN DEMO
▸Bypass those silly restrictions in the UI. This could have
been done in ZAP, Burp, etc. as well.
18

19. BURP SUITE
▸A great tool to proxy network traffic, change it to an unexpected
value, and assess platforms like web, mobile, etc.
▸https://portswigger.net/burp/
▸Does active and passive scanning and has great plugins
▸Specialized plugins require the paid version of Burp
▸$399, but worth it!
▸An excellent alternative is OWASP Zap
19

20. BURP SUITE DEMO
▸Get paid!
20

21. THING TO BREAK: OWASP JUICE SHOP
▸“OWASP Juice Shop is an intentionally insecure webapp for security
trainings written entirely in Javascript which encompasses the entire
OWASP Top Ten and other severe security flaws.”
▸https://github.com/bkimminich/juice-shop
▸Has a CTF version based on CTFd!!!11!
▸https://github.com/bkimminich/juice-shop-ctf
▸Continually updated with new vulnerabilities, content, languages
▸Author recommends not cheating, but bad guys do!
21

22. OWASP JUICE SHOP: WHERE CAN IT
RUN?
▸Heroku dyno (Run small web apps online for free)
▸Docker container
▸Someone else’s computer (Amazon Web Services)
▸Your VM or machine
▸Online right now!
▸ https://juice-shop.herokuapp.com/
22

23. OWASP JUICE SHOP: DEMO MACHINE
▸1 VM running Ubuntu 16.04 LTS
▸Download the ISO, boot up, do all the regular updates
▸Install Docker with quick and clear Ubuntu instructions:
▸https://docs.docker.com/engine/installation/linux/ubuntu/
#install-using-the-repository
▸docker pull bkimminich/juice-shop
▸docker run -d -p 3000:3000 bkimminich/juice-shop
23

24. OWASP JUICE SHOP: VULNERABILITIES
▸Includes a book to introduce, tackle, and solve the challenges
▸https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-
shop/details
▸Examples of vulnerabilities
▸“Log in with the administrator's user credentials without previously
changing them or applying SQL Injection.”
▸“XSS Tier 3: Perform a persisted XSS attack with
<script>alert("XSS3")</script> without using the frontend
application at all.”
24

25. OWASP JUICE SHOP: DEMO
▸Walkthrough of the application and see how it works
▸Vulnerabilities to tackle
▸Start with the score board
▸SQLi exploitation flaw in a JavaScript library
▸Insert a XSS payload with the API
▸Manipulate an order request
25

26. WHERE ELSE CAN YOU USE THESE
SKILLS?▸Automated tools won’t help you here:
https://www.offensive-security.com/information-security-training/cracking-the-perimeter/
26

27. THANKS!
▸http://vivirytech.blogspot.com/
▸@vivirytech
▸OWASP Juice Shop
▸https://github.com/bkimminich/juice-shop
27