Black Clouds & Silver Linings
in Node.js Security 

Liran Tal

@liran_tal
github.com/lirantal

March 2020 | NodeTLV


Liran Tal

Developer Advocate

01 Black Clouds in Node.js Security

02 Common Security Vulnerabilities

03 Silver Linings in Node.js Security

Black Clouds & Silver Linings
in Node.js Security

src: https://snyk.io/opensourcesecurity-2019

The Biggest Repository

Invites big risks

Lucrative attack playground

Open and free-to-publish ecosystem

Difficult to counter

Malicious Modules

Black Clouds in
Node.js Security

Typosquatting Attacks

Compromised Accounts

Social Engineering

Malicious Modules

Malicious Modules

time

Jan 2015

rimrafall

rimrafall

Malicious Modules

time

Jan 2015

rimrafall

Jan 2017

crossenv

$ npm install crossenv --save

crossenv    !=   cross-env

crossenv/package.json

crossenv/package-setup.js

coffescript      or      coffe-script 

coffeescript

src: https://snyk.io/vuln

How did we find out about this malicious crossenv package?

post-install script ✅

call-home base64 payload ✅
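The two signals listed above are easy to check for mechanically before a package is trusted. The following is an added example, not code from the talk: it audits a parsed package.json plus the package's files for install-time lifecycle scripts and for long base64 runs that decode to readable text. All manifests and file contents are constructed samples, not the real crossenv package.

```javascript
// Added example: flag install-time lifecycle scripts and base64 blobs that
// decode to text, the two signals the crossenv slide lists.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// 40+ base64 characters in a row: long enough to skip short tokens and ids.
const BASE64_RUN = /[A-Za-z0-9+/]{40,}={0,2}/g;

// Share of printable ASCII in a decoded blob. An encoded script decodes to
// text, while a hex hash that happens to match the regex decodes to noise.
function printableRatio(text) {
  const printable = text.replace(/[^\x20-\x7e\t\r\n]/g, '').length;
  return printable / text.length;
}

// manifest: parsed package.json; files: { relativePath: fileContents }
// Returns a list of findings; an empty list means neither signal was seen.
function auditPackage(manifest, files = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ signal: 'install-hook', hook, command: scripts[hook] });
    }
  }
  for (const [path, text] of Object.entries(files)) {
    for (const blob of text.match(BASE64_RUN) || []) {
      const decoded = Buffer.from(blob, 'base64').toString('utf8');
      if (printableRatio(decoded) > 0.9) {
        findings.push({ signal: 'base64-blob', path, decodedPrefix: decoded.slice(0, 40) });
      }
    }
  }
  return findings;
}

// Constructed benign package: only a test script, no encoded strings.
const BENIGN_MANIFEST = { name: 'cross-env', version: '1.0.0', scripts: { test: 'jest' } };
const BENIGN_FILES = { 'index.js': 'module.exports = (k) => process.env[k];\n' };

// Constructed lookalike: a postinstall hook whose setup file carries a hidden string.
const HIDDEN = Buffer.from("console.log('constructed stand-in for a call-home payload')").toString('base64');
const SUSPICIOUS_MANIFEST = { name: 'crossenv', version: '1.0.0', scripts: { postinstall: 'node package-setup.js' } };
const SUSPICIOUS_FILES = {
  'package-setup.js': `const payload = Buffer.from('${HIDDEN}', 'base64').toString();\n// constructed sample: a real package would run the decoded string here\n`,
};
```

Run it over the contents of a fresh `node_modules/<pkg>` directory to get the same two ticks the slide shows; a hex hash in a lockfile or test fixture matches the regex but fails the printable-text check.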

Malicious Modules

time

Jan 2015

rimrafall

Jan 2017

crossenv

May 2018

getcookies

getcookies

parse http headers for cookie data

or does it... ?

getcookies

http-fetch-cookies
└── express-cookies
    └── getcookies

getcookies

mailparser
└── http-fetch-cookies
    └── express-cookies
        └── getcookies

Reset the buffer

Load JavaScript code

Execute code

Observation 1

security by code review has to be on-point ALL THE TIME, whereas attackers only have to get lucky ONCE

Malicious Modules

time

Jan 2015

rimrafall

Jan 2017

crossenv

May 2018

getcookies

Jul 2018

eslint-scope

eslint-scope 3.7.2

malicious package published

What's going on?

Who depends on eslint-scope?

babel-eslint

eslint

webpack

npm invalidates all tokens created <= 2018-07-12

an estimated ~4,500 accounts were potentially compromised

Observation 2

a malicious eslint-scope version was published to npm, but the actors had no GitHub repository access, so the source code on GitHub differed from the published npm package

How does something like this happen?

Compromised Contributors ?

14%: compromised npm modules

src: https://github.com/ChALkeR/notes

20%: npm total monthly downloads (express, react, debug, moment, request)

662 users had their password set to 123456

1409 users had their password set to their username

11% of users had their password set to a previously leaked password

Malicious Modules

time

Jan 2015

rimrafall

Jan 2017

crossenv

May 2018

getcookies

Jul 2018

eslint-scope

event-stream

Nov 2018

src: https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor

Observation 3

due to the increased use of transpilers, reviewing and comparing the actual source code against the distributed code is a real problem

Dependency Management


Common Security
Vulnerabilities

Command Injection

The npmjs Ecosystem

Silver Linings in
Node.js Security

react-native

reactnative

rea-ct.native

react_native

@lirantal/rea-ct.native

Fighting Typosquatting

Package Moniker Rules

Fighting Typosquatting

JSONStream    !=    jsonstream

Package Moniker Rules
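The moniker rule can be reproduced client-side, which also shows its limit. The following is an added example, not code from the talk or from npm: the normalization (case- and punctuation-insensitive, so crossenv collides with cross-env and jsonstream with JSONStream) follows npm's published rule; the registry list is constructed, and the scope stripping and edit-distance layer for typos such as coffescript are my additions.

```javascript
// Added example: lookalike check for package names. Moniker normalization
// mirrors npm's rule; the typo layer and the constructed registry are mine.

// Constructed stand-in for the registry's list of existing package names.
const KNOWN_PACKAGES = ['cross-env', 'JSONStream', 'react-native', 'coffeescript', 'mailparser'];

// npm moniker normalization: case-insensitive, punctuation-insensitive.
function moniker(name) {
  return name.toLowerCase().replace(/[._-]/g, '');
}

// Strip an npm scope (@user/pkg -> pkg) so a lookalike published under a
// scope is still compared against the unscoped name it imitates (assumption).
function unscoped(name) {
  return name.startsWith('@') ? name.split('/')[1] : name;
}

// Levenshtein distance, for one-character typos the moniker rule misses.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns { match, reason } for the known package the candidate resembles
// ('moniker' = punctuation/case variant, 'typo' = one edit away), else null.
function lookalike(candidate, known = KNOWN_PACKAGES) {
  const name = unscoped(candidate);
  if (known.includes(name)) return null; // the real package, not a lookalike
  for (const k of known) {
    if (moniker(k) === moniker(name)) return { match: k, reason: 'moniker' };
  }
  for (const k of known) {
    if (editDistance(moniker(k), moniker(name)) === 1) return { match: k, reason: 'typo' };
  }
  return null;
}
```

Wire it in front of `npm install` (or a lockfile diff in CI) to warn before a name like reactnative or rea-ct.native resolves to a package other than react-native.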

Package Publishing Notifications

Enable 2FA
since npm >= 5.5.1

$ npm profile enable-2fa

2FA successfully enabled.
Below are your recovery codes,
please print these out.

Enable 2FA
caveats 😞

- auto release?

- tokens are global for all packages

- npm recommends creating a 2nd user

Devs Take Ownership

for App Security

Source: The State of Open Source Security Report 2019, Snyk

https://snyk.io/opensourcesecurity-2019/

Find vulnerabilities in
open source dependencies

What if security was easier?

What if security was actionable?

Node.js Security Working Group

Silver Linings in
Node.js Security

The Security WG

The Security WG

Improving the state of Node.js Security

Incident response for Node.js core and the npm ecosystem

Security disclosure policies for bug hunters

Maintain a public vulnerability database

The Security WG

Vulnerability         Package      Monthly downloads
Uninitialized Buffer  base64url    2,000,000
XSS Injection         react-svg    130,000
Path Traversal        serve        564,000
ReDoS                 protobufjs   7,200,000

01 Malicious modules & compromised accounts

02 Common Security Pitfalls in Node.js

03 Developer awareness,
Fix vulnerabilities in your open source libs,
Node.js Security WG

Black Clouds & Silver Linings
in Node.js Security

@liran_tal
github.com/lirantal

Liran Tal

Developer Advocate

Use Open Source, Stay Secure.
Thank you!

Black Clouds & Silver Linings in Node.js Security - NodeTLV 2020

By Liran Tal


With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how malicious npm packages work, how to avoid them and apply npm and Node.js security best practices every developer should know with hands-on live hacking.
