NodeJS provides an asynchronous, event-driven JavaScript runtime that allows JavaScript code to execute outside of a browser. While NodeJS has performance advantages over traditional platforms, it also has security risks due to JavaScript's global namespace, the ability to execute code dynamically via eval and other functions, and the fact that NodeJS processes run with elevated privileges by default. Developers must follow secure coding guidelines and use security frameworks to avoid exploits related to namespace pollution, runtime privilege escalation, cross-site scripting, and denial of service attacks. When used properly, NodeJS can provide a fast, scalable platform for building web applications and services.
9. (5 min Tech Primer)
Event-driven. Asynchronous.
Single-threaded
10. Traditional Platforms
• A sample code
data = readFromDatabase();
printData(data);
doSomethingUnrelated();
• Pitfalls
– The program blocked when reading from db
– Lots of processor cycles wasted
11. In Node
• A typical code
readFromDatabase(function(data)
{
printData(data);
});
doSomethingUnrelated();
• Gains
– no need to wait for slow file I/O or db ops. Aka non-blocking server
– I/O proceeds concurrently with the rest of the code. doSomethingUnrelated() doesn’t wait.
– printData(data) called when finished reading
– insanely fast
– serve millions concurrent connections at once
12. A production
Web Framework / MVC Arch.
Enter – Express, Mustache, Jade
(What is MISSING?)
A DB server.
Enter – NoSQL (MongoDB, CouchDB)
Full-stack dev libraries.
Enter – NPM
14. “JavaScript has so much expressive power that they are able to do useful things in it,
anyway.”
http://javascript.crockford.com/javascript.html
“JavaScript is the world's most misunderstood programming language.”
http://www.crockford.com/javascript/private.html
(Mostly B’coz)
With Power comes
Responsibility
15. Property: Implied Globals
Abuse: Namespace Pollution
Impact: what’s the worst you can think?
(The Ugly Parts)
Property: eval (new Function,setTimeout,setInterval)
Abuse: JSON Parse, shortcuts
Impact: Host Compromise
Property: process privilege
Abuse: run as root (even Express)
Impact: Why does Apache run as nobody/nobody?
16. Global Namespace Pollution
JS is a global lang. By default – all variables, functions, objects are implied to global scope.
(In contrast, with PHP (or others), each request lives in its own unique scope.)
17. Global Namespace Pollution
(Screenshot: WEB USER 1 | WEB USER 2)
# Any request will share the same global scope.
# As seen, for two different users, each request increased gbl by 1.
(Try yourself: http://46.137.9.100:1314/)
An equivalent code in PHP will always print 1 for every request.
18. Exploits: Namespace Pollution
• Overriding / Hijacking Sensitive Globals. Host Compromise
• How? Imagine XSS and SOP, but think of your browser as now being the server.
• Another innocent sample
– Bob sets is_valid to true for operation X but forgets to declare it with “var”.
Y.mojito.controller = {
index: function(ac) {
is_valid = true; // no var: becomes an implied global shared by every request
}
};
– Alice, coding on the same project, also forgets “var” and initialises is_valid to false.
Y.mojito.controller = {
index: function(ac) {
if (is_valid) { // reads whatever the last request left in the global
// get access to user data or some functions
}
}
};
• Attack Surface?
– NPM: malicious library. Insecure library
– Malicious coder
– Innocent coder
19. eval is EVIL
USE CASE # treats data as code. Very powerful. Very very popular.
EXPLOIT # CODE EXECUTION. COMMAND EXECUTION. SHELL EXECUTION. NEVER USE IT!
SIDE NOTE: exists in NPM. Audit. Audit. Audit.
eval has cousins – setTimeout, setInterval, new Function.
DON’T USE THEM
20. eval is EVIL
Try yourself: http://46.137.9.100:1313
Exploit code: response.end("my first ssi")
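The "JSON parse shortcut" from the slide beside JSON.parse, as an added example (not code from the slides). The two request bodies and the sideEffects marker are constructed for the demo; nothing touches the network.

```javascript
// Added example (not from the slides): parsing a request body with eval versus
// JSON.parse, fed the same two constructed bodies. `sideEffects` only records
// whether eval executed the body as code.

const sideEffects = { executed: false };

// Constructed bodies: one legitimate JSON document, one that is not JSON at all.
const GOOD_BODY = '{"user":"bob","role":"customer"}';
const NOT_JSON_BODY = '(sideEffects.executed = true, {"user":"bob"})';

// The shortcut: whatever the client sent runs as JavaScript in the server process.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// JSON.parse accepts JSON only; anything else is a SyntaxError and never executes.
function parseSafely(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Side-by-side result for one body: did the safe parser accept it, and did the
// eval shortcut run code while "parsing" it?
function compare(body) {
  sideEffects.executed = false;
  const safe = parseSafely(body);
  let viaEval;
  try { viaEval = parseWithEval(body); } catch (e) { viaEval = e.name; }
  return { safeOk: safe.ok, evalExecutedCode: sideEffects.executed, viaEval: viaEval };
}
```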
21. Runtime Privilege Context
# By default, NodeJS runs as privileged user
# By default, Express runs as privileged user
Why? Remote Shell Exploits.
Why does Apache run as nobody/nobody?
Property: with
Abuse: shorthand typos
Impact: Context dependent
Property: switch
Abuse: faulty fallthru
Impact: Context dependent
(The Bad Parts)
Property: single threaded / interpreted
Abuse: incomplete exception handling
Impact: DoS
Property: templating engines [mu, jade, ejs, haml]
Abuse: context sensitive output escaping
Impact: XSS
23. with is EVIL (exploitable on Cocktails)
Use Case# welcome message
What went wrong # typo,…
24. with is EVIL (exploitable on Cocktails)
Exploit # Depends
(Try yourself: http://46.137.9.100:1315/)
25. DoS (*doesn’t affect Express)
Generate a simple exception
JS is interpreted, NOT compiled. The code itself shouldn’t be faulty; else it’s a
self-DoS. Very difficult to ENSURE this.
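The "simple exception" DoS as runnable code, an added example that is not from the slides. The request objects are constructed stand-ins for http.IncomingMessage and the loop over them stands in for the event loop.

```javascript
// Added example (not from the slides): one request handler served fragile and guarded.
// Node runs a single thread, so an exception that escapes a handler ends the whole
// process and drops every other connection; the guarded handler answers 500 instead.

// Expects ?id=...; a request without it makes `req.query.id.trim()` throw a TypeError.
function fragileHandler(req) {
  const id = req.query.id.trim();
  return { status: 200, body: 'item ' + id.trim() };
}

// Per-request try/catch: the failure stays with the one request that caused it.
// Log e.stack for operators; never echo e.message or the stack to the client.
function guardedHandler(req) {
  try {
    return fragileHandler(req);
  } catch (e) {
    return { status: 500, body: 'internal error' };
  }
}

// Stand-in for the event loop dispatching queued requests one after another.
// An exception escaping here is the uncaught exception on the loop: nothing after
// it is served.
function serveAll(handler, requests) {
  const responses = [];
  for (const req of requests) responses.push(handler(req));
  return responses;
}

// Number of requests that received a response; -1 means the "process" died.
function servedCount(handler, requests) {
  try { return serveAll(handler, requests).length; }
  catch (e) { return -1; }
}

// Constructed traffic: the second request lacks the id parameter.
const REQUESTS = [
  { query: { id: ' 1 ' } },
  { query: {} },
  { query: { id: '3' } },
];

// process.on('uncaughtException', ...) exists as a last resort, but by the time it
// fires the state of the interrupted handler is unknown; per-request guarding is
// the primary control.
```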
26. switch is EVIL (an old foe)
Use Case# Valued Customer should be given a 10% discount only
Exploit # missing break leading to privilege escalation
27. switch is EVIL (an old foe)
Exploit # Valued Customer getting more discount
(Try Yourself: http://46.137.9.100:1317/)
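The discount switch with the missing break next to a corrected version, as an added example that is not from the slides. Tier names and the 20% and 30% figures for the higher tiers are constructed; only the 10% for a valued customer comes from the slide.

```javascript
// Added example (not from the slides): the discount switch with the missing break
// beside a corrected version, plus a regression check over all tiers.

// Buggy: "valued" has no break, so execution falls into "gold" and "platinum" as well
// and a valued customer collects every tier's discount.
function discountWithFallthrough(tier) {
  let discount = 0;
  switch (tier) {
    case 'valued':
      discount += 10;   // missing break
    case 'gold':
      discount += 20;   // missing break
    case 'platinum':
      discount += 30;
      break;
    default:
      discount = 0;
  }
  return discount;
}

// Fixed: every case returns, so no case can leak into the next. A linter rule such
// as no-fallthrough flags the buggy form mechanically.
function discountFixed(tier) {
  switch (tier) {
    case 'valued':   return 10;
    case 'gold':     return 20;
    case 'platinum': return 30;
    default:         return 0;
  }
}

// Regression check: every tier for which the two implementations disagree.
function tiersWithEscalation(tiers) {
  return tiers.filter((t) => discountWithFallthrough(t) !== discountFixed(t));
}
```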
28. No CSAS Output Escaper
• What is the #1 web security issue?
XSS (going to spiral further)
• All templating engines for NodeJS only provide HTML Context Escaping
Good, but shouldn’t an excellent new technology attempt to fix the remaining BAD things?
<a href="$url"> my url </a>
$url = javascript:alert(1)
<body onload="bingbang('$id')">
$id = ');alert(1);
<script> var a = $b </script>
$b = ; alert(0);
<div name=$c>
$c = onload=alert(1);
many more….
• We ported Google AutoEscape to NodeJS, nicknamed Joe
Will be open sourced soon…
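A minimal context-sensitive escaper for the four contexts on the slide, beside the HTML-only escaping most engines stop at. This is an added example, not the slides' code and not the Joe port; the inputs are the slide's own payloads and the allow-list of URL schemes is an assumption.

```javascript
// Added example (not from the slides, not the Joe port): one escaper per output
// context, applied to the slide's four templates.

const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// URL attribute: only http(s) or same-origin relative URLs pass (assumed policy);
// javascript:, data: and protocol-relative // all become an inert "#".
function escapeUrlAttr(s) {
  const u = String(s).trim();
  const allowed = /^(https?:\/\/|\/(?!\/))/i.test(u);
  return escapeHtml(allowed ? u : '#');
}

// JS string literal: every non-alphanumeric becomes \xHH or \uHHHH, so quotes,
// parentheses and semicolons cannot terminate the literal.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// JS value: serialise as JSON so a string stays a string; also escape the
// characters that could close a <script> block or break the JS parser.
function escapeJsValue(v) {
  return JSON.stringify(v).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Unquoted attribute: the fix is adding the quotes, then HTML-escaping inside them.
function quotedAttr(v) {
  return '"' + escapeHtml(v) + '"';
}

// The slide's four templates rendered with context-aware escaping.
function renderAll(url, id, b, c) {
  return {
    link: '<a href="' + escapeUrlAttr(url) + '"> my url </a>',
    // an event handler is JS inside an HTML attribute: JS-escape, then HTML-escape
    body: '<body onload="' + escapeHtml("bingbang('" + escapeJsString(id) + "')") + '">',
    script: '<script> var a = ' + escapeJsValue(b) + ' </script>',
    div: '<div name=' + quotedAttr(c) + '>',
  };
}

// HTML-only escaping, what the slide criticises: the javascript: URL survives intact.
function htmlOnlyLink(url) {
  return '<a href="' + escapeHtml(url) + '"> my url </a>';
}
```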
29. <!-- Research In Progress -->
• Can you do cross-domain (SetSecurityToken, RunInContext)?
– Exploiting hosted environments
• NPM packages
– Think external JS. Malicious? Insecure?
– Now even C libraries
• Are other JSLint bad practices exploitable?
– Is Automatic Semicolon Insertion exploitable?
– Many more…. Read “The Good Parts” once again
30. Training JSLint
(SOLUTION)
Secure Dev Frameworks
Coding Guideline
EcmaScript5
31. Bare bone web server.
Remember NetBSD?
Isn’t configured for, or capable of, more than what you want.
Unlike Apache, Tomcat, IIS?
(The Good Parts)
But why is it good?
More features, bigger attack surface.
Bigger attack surface, more chances of things going wrong.
And something that can go wrong will go wrong.
E.g. 1.3 zillion BO exploits world has seen
32. // end of a beginning
twitter: b1shan / yukinying
blog: http://bishankochher.blogspot.com/