New technologies are a good thing as they drive innovation. Especially in the web world, innovation is what led to today's popularity of sites like Google, Twitter and Facebook. Regarding security, new technologies also come with the possibility to avoid known security issues already in the design of a technology or, for example, a new programming language. Unfortunately, most of the time security is not a main focus, and therefore known faults are made over and over again. In addition, new technologies also tend to invent new vulnerability classes or at least open new ways to exploit known security issues. In this talk I'll take as a practical example the Node (Node.js) project, which allows server-side non-blocking JavaScript development. It's great to have the same language for the frontend as for the backend, as it makes things much easier to connect, and frontend and backend developers can better understand each other's work. Many people still think of JavaScript as static *.js files somewhere in a web-accessible directory, which is not security relevant because it's static. This is simply not the case. In the past there were already a lot of reported security problems in JavaScript, so the question is: will those problems also affect Node? I will answer this and more questions during the talk, but be assured, we'll end up with a reverse shell.
8 November 2012 OWASP Foundation | Sven Vetsch | [email protected] 21
Server Side JavaScript Injection
§ "With JSON, you use JavaScript's array and object literals syntax to define data inside a text file in a way that can be returned as a JavaScript object using eval()."
    var jsondata = eval("("+mygetrequest.responseText+")")
Funfact
An unhandled exception crashes your server.
Simple Crash Demo
    var http = require('http');
    var url = require('url');
    http.createServer(function (req, res) {
      res.writeHead(200, {'Content-Type': 'text/html'});
      var queryData = url.parse(req.url, true).query;
      var number_of_decimals = 1;
      // the query parameter goes into toFixed() without any validation
      if (queryData.nod) {number_of_decimals = queryData.nod;}
      res.end( Math.PI.toFixed(number_of_decimals).toString() );
    }).listen(1337, '127.0.0.1');
Simple Crash Demo
    number.toFixed( [digits] )
§ digits: The number of digits to appear after the decimal point; this may be a value between 0 and 20, inclusive, and implementations may optionally support a larger range of values. If this argument is omitted, it is treated as 0.
Simple Crash Demo
    http://example.com/?nod=-1
... or ...
    http://example.com/?nod=21
Does Node.js support…
Sessions: NO
Permanent Data Storage: NO
Caching: NO
Database Access: NO
Logging: NO
Default Error Handling: NO
…: Most likely NO
npm - Node Packaged Modules
npm - Node Packaged Modules
§ npm is a Node.js package manager
§ https://npmjs.org/
§ De-facto standard
§ Open – everyone can publish packages
npm - Node Packaged Modules
§ npm init
§ Edit package.json like we'll see in a second
§ npm pack
§ npm install evilModule-1.2.3.tgz
§ Publish :)