Liran Tal
💚@nodejs Security WG member | Core team @meanjs, #dockly | Author: 📘Essential Node.js Security ✨ Engineering Manager @nielsen-oss | ❤️#opensource #javascript
Black Clouds & Silver Linings
in Node.js Security
Liran Tal
Developer Advocate at Snyk
@liran_tal
github.com/lirantal
InfoShare 2018
Israel
@liran_tal
github.com/lirantal
Liran Tal
NodeGoat Core Team
Node.js Security WG
x100 growth over 4 years
Node.js is JavaScript
JavaScript is Everywhere
Frontend
Backend
IoT
Databases
Chatbots
Machine Learning
WebAssembly
Robotics
01
The Scary State of Node.js Security
02
|
|
03
|
Popular Vulnerabilities in Node.js
Silver Linings in Node.js Security
Black Clouds & Silver Linings
in Node.js Security
Malicious Modules
The Scary State of
Node.js Security
January 2015
rimrafall
package published to npm
rimrafall
npm pre-install script
$ rm –rf /*
rimrafall
cross-env
helps manage config through env variables
cross-env
helps manage config through env variables
$ npm install crossenv --savecrossenv != cross-env
cross-env
ffmepg
babelcli
mongose
nodesass
Dependency Management
The Scary State of
Node.js Security
Use-Case:
Check if a number is even or odd
3,336,101 Downloads
Who watches after all these modules ?
Malicious Contributors ?
Compromised Contributors ?
src: https://github.com/ChALkeR/notes
14%
compromised npm modules
Compromised Contributors ?
Compromised Contributors ?
src: https://github.com/ChALkeR/notes
20%
npm total monthly downloads
express
react
debug
moment
request
Compromised Contributors ?
Compromised Contributors ?
662
users
123456
had their password set to
Compromised Contributors ?
Compromised Contributors ?
124
users
password
had their password set to
Compromised Contributors ?
Compromised Contributors ?
1409
users
had their password set to
their username
Compromised Contributors ?
Compromised Contributors ?
11%
users
had their password set to
previously leaked password
Compromised Contributors ?
Failing Education
The Scary State of
Node.js Security
Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.
Am I Over Reacting ?
{
"id": 427,
"title": "Command Injection - Generic",
"overview": "`macaddress` concatenates unsanitized input into exec() command",
"publish_date": "2018-05-11",
"author": "Сковорода Никита Андреевич (https://github.com/ChALkeR)",
"module_name": "macaddress",
"vulnerable_versions": "<=0.2.8",
"patched_versions": null,
"cvss_score": 10
}
01
The Scary State of Node.js Security
02
|
|
03
|
Selected Vulnerabilities in Node.js
Silver Linings in Node.js Security
Black Clouds & Silver Linings
in Node.js Security
Command Injection
Selected Vulnerabilities
in Node.js
Command Injection
Command Injection
Remote Command Execution
<?php
$ip = $_GET["ip"];
system("ping $ip");
?>Command Injection
Command Injection
Demo
Best Practice:
execFile('git', [...args])
Maintain a whitelist of allowed args
Blacklist special shell chars like ;
Pray 🙏
Command Injection
noSQL Injections
Selected Vulnerabilities
in Node.js
noSQL Injections
SELECT * FROM users
WHERE username = ''
OR 1=1 -- 'AND password = ''User.find({
username: user,
password: pass
})noSQL Injections
No HTTP Body access in ExpressJS
it relies on bodyParser lib
noSQL Injections
const express = require('express')
const bodyParser = require('body-parser')
const app = express()
app.use(bodyParser.json())
app.use(bodyParser.urlencoded())
noSQL Injections
app.post('/login', function(req, res) {
User.find({
username: req.body.username,
password: req.body.password
}, function (err, users) {
If (err) {
res.status(500).send(err)
} else {
res.status(200).send(users)
})
})noSQL Injections
Best Practice: Validate Input
Validate Length & Type
Parameters Binding
Security In-depth
ReDOS
Selected Vulnerabilities
in Node.js
Regular Expressions
Denial of Service
Regular Expressions
Regular Expressions
^([01]?\\d\\d?|2[0-4]\\d|25
[0-5])\\.([01]?\\d\\d?|2[0-4]
\\d|25[0-5])\\.([01]?\\d\\d?|
2[0-4]\\d|25[0-5])\\.([01]?
\\d\\d?|2[0-4]\\d|25[0-5])$IP Address
Regular Expressions
Regular Expressions
Matching a Song Title
^([a-zA-Z0-9])$
^([a-zA-Z0-9]+\s?)$
^([a-zA-Z0-9]+\s?)+$
Regular Expressions
Catastrophic Backtracking
Exploits greedy quantifiers
Simple regexs are vulnerable too /^(a+)+$/
Regular Expressions
2017
ms
|
2016
Moment
|
2018
|
2018
ua-parser-js
|
2.5M DL
|
13M DL
|
4.5M DL
|
sshpk
6M DL
|
Best Practices ?
Regular Expressions
Best Practices ?
Regular Expressions
Best Practice #1
DO NOT WRITE YOUR OWN REGEX
Regular Expressions
Best Practice #2
DO NOT WRITE YOUR OWN REGEX
Regular Expressions
Best Practice #3
Validator Node.js module
Regular Expressions
Best Practice #4
Safe-Regex Node.js module
const safeRegex = require('safe-regex')
let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/
let isSafe = safeRegex(regex)Regular Expressions
Best Practice #5
Jamie Davis's vuln-regex-detector
01
The Scary State of Node.js Security
02
|
|
03
|
Selected Vulnerabilities in Node.js
Silver Linings in Node.js Security
Black Clouds & Silver Linings
in Node.js Security
The npmjs Ecosystem
Silver Linings in
Node.js Security
Fighting Typosquatting
JSONStream != jsonstream
npmjs ecosystem
New Package Moniker Rules
New Package Moniker Rules
Fighting Typosquatting
react-native
reactnative
rea-ct.native
react_native
@lirantal/rea-ct.native
npmjs ecosystem
New Package Publishing Notifications
npmjs ecosystem
2FA Tokens for npm >= 5.5.1
$ npm profile enable-2fa
2FA successfully enabled.
Below are your recovery codes,
please print these out.
npmjs ecosystem
Auditing npm packages ?
npmjs ecosystem
npmjs ecosystem
Auditing with npq
npm audit, what about yarn ?
what about unknown vulns ?
$ npm install -g npq
$ alias npm=npq-heroNode.js Security Working Group
Silver Linings in
Node.js Security
The Security WG
The Security WG
Responsibilities
Improving the state of the
Node.js Security Ecosystem
Govern Responsible Disclosure Programs
for Node and the npm ecosystem
The Security WG
Initiative: RDP for Ecosystem Modules
Discretely Investigate Security issues
Security Disclosure Policy for Bug Hunters
Public Vulnerability Database
The Security WG
Initiative: RDP for Ecosystem Modules
Uninitialized Buffer
base64url
|
1,000,000
|
XSS Injection
react-svg
|
12,000
|
Path Traversal
serve
|
90,000
|
ReDOS
protobufjs
|
550,000
|
The Security WG
Initiative: Bug Bounty for Node.js
Engages Security Researchers for the core Node.js project
IBB sponsored activity
The Security WG
Initiative: SECURITY.md
Communicate Security Guidelines
Opt-in to the Node ecosystem program
01
The Scary State of Node.js Security
02
|
|
03
|
Selected Vulnerabilities in Node.js
Silver Linings in Node.js Security
Black Clouds & Silver Linings
in Node.js Security
Thank you
bit.ly/nodesec
@liran_tal
github.com/lirantal
Liran Tal
Node.js Security WG
2018 Black Clouds & Silver Linings in Node.js Security
By Liran Tal
2018 Black Clouds & Silver Linings in Node.js Security
With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications. We will deep-dive into practical Node.js security measures which you can easily implement in your current projects, covering OWASP Top 10 issues such as injection attacks and secure dependencies management. Finally, we will review the work and initiatives that the Node.js Security Working Group have been taking to ensure a more secure future for Node.js.
