
How to hack a node app? @ RollingScopes 2018 in Minsk Belarus

Asim Hussain
February 10, 2018


Transcript

  1. #1

  2. "77% of 433,000 Sites Use Vulnerable JavaScript Libraries" - snyk.io
     https://snyk.io/blog/77-percent-of-sites-still-vulnerable/
     @jawache
  3. (slide excerpt; the rest of the function is elided on the slide)

     # Python 3 imports for the names the slide uses; on Python 2 these are
     # urlparse.urlsplit and httplib.HTTPConnection.
     from urllib.parse import urlsplit
     from http.client import HTTPConnection

     def send_email(request):
         try:
             recipients = request.GET['to'].split(',')
             url = request.GET['url']              # attacker-controlled URL from the query string
             proto, server, path, query, frag = urlsplit(url)
             if query:
                 path += '?' + query
             conn = HTTPConnection(server)         # connects wherever the URL says (SSRF)
             conn.request('GET', path)             # path goes into the request line unchecked (CRLF injection, CVE-2016-5699)
             resp = conn.getresponse()
             ...
  5. The request that reaches memcached when the URL path carries CR LF:

     GET /
     set key 0 900 4
     data
      HTTP/1.1
     Host: 127.0.0.1:11211
     Accept-Encoding: identity
  7. References
     - How I Chained 4 vulnerabilities on GitHub Enterprise - Orange Tsai
       http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
     - CRLF injection vulnerability in the HTTPConnection
       https://www.cvedetails.com/cve/CVE-2016-5699/
     - Exploit DB
       https://www.exploit-db.com/
     - Metasploit
       https://www.metasploit.com/
     - The Equifax hack and how to protect your family — all explained in 5 minutes
       https://medium.freecodecamp.org/the-equifax-hack-and-how-to-protect-your-family-all-explained-in-5-minutes-a2b5187cb6c0
     - Oscar Bolmsten on Twitter
       https://twitter.com/o_cee/status/892306836199800836
     - Malicious packages in npm. Here’s what to do - Ivan Akulov
       https://iamakulov.com/notes/npm-malicious-packages/
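Added example, not from the talk or its slides: a hardened replacement for the URL handling in the send_email view above, in Python because that is the language of the slide's code. It rejects the raw CR LF that reaches the request line in the memcached request shown above and refuses any host, scheme or port the view was not meant to fetch from. The names safe_fetch_target, is_safe_fetch_url, ALLOWED_FETCH_HOSTS and the host cdn.example.com are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only host the email view is allowed to fetch from.
ALLOWED_FETCH_HOSTS = {"cdn.example.com"}


def safe_fetch_target(url):
    """Validate a user-supplied URL and return (host, port, request_path).

    Raises ValueError for anything the view should refuse to fetch.
    """
    # 1. No control characters anywhere. Frameworks percent-decode the query
    #    string before the view sees it, so %0D%0A arrives here as a literal
    #    CR LF; unpatched http.client wrote those bytes into the request line.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("control character in URL")

    parts = urlsplit(url)

    # 2. Only plain web schemes; no file://, gopher:// or dict:// targets.
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme %r" % parts.scheme)

    # 3. Allowlist the host. urlsplit().hostname strips userinfo and lowercases,
    #    so http://cdn.example.com@127.0.0.1/ yields 127.0.0.1 here and is
    #    rejected instead of being handed to HTTPConnection as-is.
    host = parts.hostname
    if host is None or host not in ALLOWED_FETCH_HOSTS:
        raise ValueError("host %r not allowlisted" % host)

    # 4. Pin the port to the scheme default; a caller-chosen port is how the
    #    request above reached memcached on 11211. parts.port itself raises
    #    ValueError for a non-numeric port, which is the outcome we want.
    port = 443 if parts.scheme == "https" else 80
    if parts.port is not None and parts.port != port:
        raise ValueError("non-default port %d" % parts.port)

    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, port, path


def is_safe_fetch_url(url):
    """Boolean wrapper for callers that only need a yes/no decision."""
    try:
        safe_fetch_target(url)
    except ValueError:
        return False
    return True
```

The returned host and path are what the view should pass to HTTPConnection and request(); everything else is rejected before a socket is opened.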