Liran Tal
💚@nodejs Security WG member | Core team @meanjs, #dockly | Author: 📘Essential Node.js Security ✨ Engineering Manager @nielsen-oss | ❤️#opensource #javascript
@liran_tal
github.com/lirantal
InfoShare 2018
$ rm -rf /*
$ npm install crossenv --save
src: https://github.com/ChALkeR/notes
{
"id": 427,
"title": "Command Injection - Generic",
"overview": "`macaddress` concatenates unsanitized input into exec() command",
"publish_date": "2018-05-11",
"author": "Сковорода Никита Андреевич (https://github.com/ChALkeR)",
"module_name": "macaddress",
"vulnerable_versions": "<=0.2.8",
"patched_versions": null,
"cvss_score": 10
}
<?php
$ip = $_GET["ip"];
system("ping $ip");
?>
SELECT * FROM users
WHERE username = ''
OR 1=1 -- 'AND password = ''
User.find({
username: user,
password: pass
})
const express = require('express')
const bodyParser = require('body-parser')
const app = express()
app.use(bodyParser.json())
app.use(bodyParser.urlencoded())
// User is a Mongoose model defined elsewhere
app.post('/login', function (req, res) {
  // Vulnerable on purpose: username and password go into the query exactly as parsed,
  // so a JSON body can supply a query object where a string was expected (NoSQL injection)
  User.find({
    username: req.body.username,
    password: req.body.password
  }, function (err, users) {
    if (err) {
      res.status(500).send(err)
    } else {
      res.status(200).send(users)
    }
  })
})
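To show what the handler above actually does with a JSON body, here is an added example that is not part of the talk: a tiny in-memory matcher standing in for `User.find()` (equality plus the `$gt` selector, the subset needed to make the point), the injectable login beside a hardened one that only lets strings reach the query. The user records, `matches`, `loginUnsafe`, `loginSafe` and `requireString` are all constructed for this example.

```javascript
// Added example (not from the talk): why an object-typed req.body.password matters,
// and the type check that closes it. Runs offline; no MongoDB involved.

// Constructed sample data; plaintext passwords are kept only to mirror the slide's query.
const users = [
  { username: 'alice', password: 'correct horse battery staple' },
  { username: 'bob', password: 'hunter2' },
];

// Minimal subset of MongoDB query semantics: a plain value means equality,
// an object means operator selectors such as { $gt: '' }.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$gt') return value > arg;
        if (op === '$ne') return value !== arg;
        throw new Error('unsupported operator: ' + op);
      });
    }
    return value === cond;
  });
}

function findUsers(query) {
  return users.filter((doc) => matches(doc, query));
}

// Same shape as the Express handler on the slide: body fields go straight into the query.
// bodyParser.json() turns {"password":{"$gt":""}} into an object, so the password clause
// becomes "password > ''", which every non-empty stored password satisfies.
function loginUnsafe(body) {
  return findUsers({ username: body.username, password: body.password });
}

// Hardened: the query only ever receives primitive strings. Objects, arrays, numbers
// and undefined are rejected before any query is built.
function requireString(value, name) {
  if (typeof value !== 'string') throw new TypeError(name + ' must be a string');
  return value;
}

function loginSafe(body) {
  const username = requireString(body.username, 'username');
  const password = requireString(body.password, 'password');
  return findUsers({ username, password });
}

// Demonstration on constructed request bodies
const legit = { username: 'alice', password: 'correct horse battery staple' };
const selector = { username: 'alice', password: { $gt: '' } }; // parsed form of a JSON body carrying an object
console.log('unsafe, legit body    ->', loginUnsafe(legit).length);    // 1
console.log('unsafe, selector body ->', loginUnsafe(selector).length); // 1: matched without the password
console.log('safe, legit body      ->', loginSafe(legit).length);      // 1
try { loginSafe(selector); } catch (e) { console.log('safe, selector body   ->', e.message); }
```

The fix is a type check at the boundary rather than a blacklist of `$` keys: schema validation of the whole body (for instance with express-validator or Joi) generalises the same idea. Comparing a stored password hash instead of the plaintext is a separate requirement that the slide's query also omits.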
^([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])$
const safeRegex = require('safe-regex')
let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/
let isSafe = safeRegex(regex) // false: a quantified group nested inside another quantified group
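safe-regex flags a pattern by its star height, the nesting depth of quantifiers. The following is an added example, not the talk's code and not safe-regex's own implementation, of a small star-height scanner written for this page: it walks a pattern's source, skips escapes and character classes, tracks open groups, and reports the deepest quantifier nesting. The function names `starHeight` and `isSafePattern` are this example's own; the two patterns it checks are the ones on the slides.

```javascript
// Added example (not from the talk or the safe-regex project): a star-height check.
// A quantifier applied to a group that itself contains a quantifier (star height >= 2)
// is the shape that backtracks exponentially on non-matching input.

function starHeight(source) {
  let max = 0;
  const open = [];        // enclosing groups; each records the deepest quantifier nesting inside it
  let justClosed = null;  // group closed by the previous token, so a following quantifier repeats it
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    const prevClosed = justClosed;
    justClosed = null;

    if (c === '\\') {     // escaped character: one literal atom
      i += 2;
      continue;
    }
    if (c === '[') {      // character class: quantifier symbols inside it are literals
      i += 1;
      if (source[i] === '^') i += 1;
      if (source[i] === ']') i += 1;            // a leading ] is literal
      while (i < source.length && source[i] !== ']') {
        if (source[i] === '\\') i += 1;
        i += 1;
      }
      i += 1;
      continue;
    }
    if (c === '(') {
      open.push({ depth: 0 });
      i += 1;
      if (source[i] === '?') {                  // (?: (?= (?! (?<= (?<! (?<name>
        i += 1;
        if (source[i] === '<' && (source[i + 1] === '=' || source[i + 1] === '!')) i += 2;
        else if (source[i] === '<') { while (i < source.length && source[i] !== '>') i += 1; i += 1; }
        else i += 1;
      }
      continue;
    }
    if (c === ')') {
      justClosed = open.pop() || { depth: 0 };
      i += 1;
      continue;
    }
    if (c === '*' || c === '+' || c === '?' || c === '{') {
      // a quantifier's height is 1 plus the deepest quantifier inside the atom it repeats
      const height = 1 + (prevClosed ? prevClosed.depth : 0);
      if (height > max) max = height;
      for (const g of open) if (g.depth < height) g.depth = height;
      if (c === '{') while (i < source.length && source[i] !== '}') i += 1;
      i += 1;
      if (source[i] === '?') i += 1;            // lazy modifier (+? *? ??), not a second quantifier
      continue;
    }
    i += 1;               // any other literal or anchor
  }
  return max;
}

function isSafePattern(re) {
  return starHeight(re instanceof RegExp ? re.source : String(re)) < 2;
}

// The two patterns from the slides, as constructed inputs
const nested = /^(([a-z])+.)+[A-Z]([a-z])+$/;
const ipv4 = new RegExp('^([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])$');
console.log('nested:', starHeight(nested.source), isSafePattern(nested)); // 2 false
console.log('ipv4:  ', starHeight(ipv4.source), isSafePattern(ipv4));     // 1 true
```

Star height is a heuristic, not a proof: it misses patterns whose blow-up comes from overlapping alternation rather than nesting, and it rejects some nested patterns that are fine in practice. Bounding input length before matching, and keeping the check in CI so a risky pattern is caught at review time, are the complementary controls.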
$ npm profile enable-2fa
2FA successfully enabled.
Below are your recovery codes,
please print these out.
$ npm install -g npq
$ alias npm=npq-hero
By Liran Tal
With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications. We will deep-dive into practical Node.js security measures which you can easily implement in your current projects, covering OWASP Top 10 issues such as injection attacks and secure dependencies management. Finally, we will review the work and initiatives that the Node.js Security Working Group have been taking to ensure a more secure future for Node.js.