Black Clouds & Silver Linings
in Node.js Security

Liran Tal

Developer Advocate at Snyk

@liran_tal
github.com/lirantal

InfoShare 2018

Israel

@liran_tal

github.com/lirantal

Liran Tal

NodeGoat Core Team

Node.js Security WG

x100 growth over 4 years

Node.js is JavaScript

JavaScript is Everywhere

Frontend

Backend

IoT

Databases

Chatbots

Machine Learning

WebAssembly

Robotics

01

The Scary State of Node.js Security

02 

|

|

03 

|

Popular Vulnerabilities in Node.js

Silver Linings in Node.js Security

Black Clouds & Silver Linings
in Node.js Security

Malicious Modules

The Scary State of
Node.js Security

January 2015

rimrafall

package published to npm 

rimrafall

npm pre-install script

$ rm –rf /*

rimrafall

cross-env

helps manage config through env variables

cross-env

helps manage config through env variables

$ npm install crossenv --save

crossenv != cross-env

cross-env

ffmepg

babelcli

mongose

nodesass

Dependency Management

The Scary State of
Node.js Security

Use-Case:

Check if a number is even or odd

3,336,101 Downloads

Who watches after all these modules ?

Malicious Contributors ?

Compromised Contributors ?

src: https://github.com/ChALkeR/notes

14%

compromised npm modules

Compromised Contributors ?

Compromised Contributors ?

src: https://github.com/ChALkeR/notes

20%

npm total monthly downloads

express

react

debug

moment

request

Compromised Contributors ?

Compromised Contributors ?

662

users

123456

had their password set to

Compromised Contributors ?

Compromised Contributors ?

124

users

password

had their password set to

Compromised Contributors ?

Compromised Contributors ?

1409

users

had their password set to

their username

Compromised Contributors ?

Compromised Contributors ?

11%

users

had their password set to

previously leaked password

Compromised Contributors ?

Failing Education

The Scary State of
Node.js Security

Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

Am I Over Reacting ?

{
  "id": 427,
  "title": "Command Injection - Generic",
  "overview": "`macaddress` concatenates unsanitized input into exec() command",
  "publish_date": "2018-05-11",
  "author": "Сковорода Никита Андреевич (https://github.com/ChALkeR)",
  "module_name": "macaddress",
  "vulnerable_versions": "<=0.2.8",
  "patched_versions": null,
  "cvss_score": 10
}

01

The Scary State of Node.js Security

02 

|

|

03 

|

Selected Vulnerabilities in Node.js

Silver Linings in Node.js Security

Black Clouds & Silver Linings
in Node.js Security

Command Injection

Selected Vulnerabilities
in Node.js

Command Injection

Command Injection

Remote Command Execution

<?php

  $ip = $_GET["ip"];
  system("ping $ip");

?>

Command Injection

Command Injection

Demo

Best Practice:

execFile('git', [...args])

Maintain a whitelist of allowed args

Blacklist special shell chars like ;

Pray 🙏

Command Injection

noSQL Injections

Selected Vulnerabilities
in Node.js

noSQL Injections

SELECT * FROM users
WHERE username = '' 
OR 1=1 -- 'AND password = ''
User.find({
  username: user,
  password: pass
})

noSQL Injections

No HTTP Body access in ExpressJS

it relies on bodyParser lib 

noSQL Injections

const express = require('express')
const bodyParser = require('body-parser')

const app = express()

app.use(bodyParser.json())
app.use(bodyParser.urlencoded())

noSQL Injections

app.post('/login', function(req, res) {
  User.find({
      username: req.body.username,
      password: req.body.password
  }, function (err, users) {
        If (err) {
           res.status(500).send(err)
        } else {
           res.status(200).send(users)
  })
})

noSQL Injections

Best Practice: Validate Input

Validate Length & Type

Parameters Binding

Security In-depth

ReDOS

Selected Vulnerabilities
in Node.js

Regular Expressions
Denial of Service

Regular Expressions

Regular Expressions

^([01]?\\d\\d?|2[0-4]\\d|25
[0-5])\\.([01]?\\d\\d?|2[0-4]
\\d|25[0-5])\\.([01]?\\d\\d?|
2[0-4]\\d|25[0-5])\\.([01]?
\\d\\d?|2[0-4]\\d|25[0-5])$

IP Address

Regular Expressions

Regular Expressions

Matching a Song Title

^([a-zA-Z0-9])$

^([a-zA-Z0-9]+\s?)$

^([a-zA-Z0-9]+\s?)+$

Regular Expressions

Catastrophic Backtracking

Exploits greedy quantifiers

Simple regexs are vulnerable too /^(a+)+$/

Regular Expressions

2017

ms

|

2016

Moment

|

2018

|

2018

ua-parser-js

|

2.5M DL

|

13M DL

|

4.5M DL

|

sshpk

6M DL

|

Best Practices ?

Regular Expressions

Best Practices ?

Regular Expressions

Best Practice #1

DO NOT WRITE YOUR OWN REGEX

Regular Expressions

Best Practice #2

DO NOT WRITE YOUR OWN REGEX

Regular Expressions

Best Practice #3

Validator Node.js module

Regular Expressions

Best Practice #4

Safe-Regex Node.js module

const safeRegex = require('safe-regex')

let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/
let isSafe = safeRegex(regex)

Regular Expressions

Best Practice #5

Jamie Davis's vuln-regex-detector

01

The Scary State of Node.js Security

02 

|

|

03 

|

Selected Vulnerabilities in Node.js

Silver Linings in Node.js Security

Black Clouds & Silver Linings
in Node.js Security

The npmjs Ecosystem

Silver Linings in
Node.js Security

Fighting Typosquatting

JSONStream    !=    jsonstream

npmjs ecosystem

New Package Moniker Rules

New Package Moniker Rules

Fighting Typosquatting

react-native

reactnative

rea-ct.native

react_native

   @lirantal/rea-ct.native

npmjs ecosystem

New Package Publishing Notifications

npmjs ecosystem

2FA Tokens for npm >= 5.5.1

$ npm profile enable-2fa

2FA successfully enabled. 
Below are your recovery codes,
please print these out. 

npmjs ecosystem

Auditing npm packages ?

npmjs ecosystem

npmjs ecosystem

Auditing with npq

npm audit, what about yarn ?

what about unknown vulns ?

$ npm install -g npq
$ alias npm=npq-hero

Node.js Security Working Group

Silver Linings in
Node.js Security

The Security WG

The Security WG

Responsibilities

Improving the state of the
Node.js Security Ecosystem

Govern Responsible Disclosure Programs
for Node and the npm ecosystem

The Security WG

Initiative: RDP for Ecosystem Modules

Discretely Investigate Security issues

Security Disclosure Policy for Bug Hunters

Public Vulnerability Database

The Security WG

Initiative: RDP for Ecosystem Modules

Uninitialized Buffer

base64url

|

1,000,000

|

XSS Injection

react-svg

|

12,000

|

Path Traversal

serve

|

90,000

|

ReDOS

protobufjs

|

550,000

|

The Security WG

Initiative: Bug Bounty for Node.js

Engages Security Researchers for the core Node.js project

IBB sponsored activity

The Security WG

Initiative: SECURITY.md

Communicate Security Guidelines

Opt-in to the Node ecosystem program

01

The Scary State of Node.js Security

02 

|

|

03 

|

Selected Vulnerabilities in Node.js

Silver Linings in Node.js Security

Black Clouds & Silver Linings
in Node.js Security

Thank you

bit.ly/nodesec

@liran_tal

github.com/lirantal

Liran Tal

Node.js Security WG

2018 Black Clouds & Silver Linings in Node.js Security

By Liran Tal

2018 Black Clouds & Silver Linings in Node.js Security

With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications. We will deep-dive into practical Node.js security measures which you can easily implement in your current projects, covering OWASP Top 10 issues such as injection attacks and secure dependencies management. Finally, we will review the work and initiatives that the Node.js Security Working Group have been taking to ensure a more secure future for Node.js.

  • 1,382