Remember the eslint-scope and event-stream incidents? As an active member of the Node.js Foundation's Security Working Group, Liran will provide a 360-degree perspective on some black clouds of security horror stories in the JavaScript & Node.js ecosystem and show how to mitigate them and build secure applications. We will deep-dive into practical Node.js vulnerabilities and how to protect against them, and cover some of the OWASP Top 10. Liran will also introduce initiatives the Node.js Security WG has been undertaking to secure the ecosystem, and recent security updates in npm.
3. Black Clouds & Silver Linings in Node.js Security
   01 | Black Clouds in Node.js Security
   02 | Common Security Vulnerabilities
   03 | Silver Linings in Node.js Security
4. Node.js is JavaScript
   JavaScript is Everywhere: Frontend, Backend, IoT, Databases, Chatbots, Machine Learning, WebAssembly, Robotics
9. Invites big risks
   The Biggest Repository
   Lucrative attack impact
   Open and free-to-publish ecosystem
   Difficult to counter-measure
25. How did we find out about this malicious crossenv package?
   post-install script ✅
   call-home base64 payload ✅
48. Compromised Contributors?
   662 users had their password set to 123456
49. Compromised Contributors?
   1409 users had their password set to their username
50. Compromised Contributors?
   11% of users had their password set to a previously leaked password
55. OWASP Top 10: Using Components With Known Vulnerabilities
58. Who watches after all these modules?
61. Black Clouds & Silver Linings in Node.js Security
   01 | The Scary State of Node.js Security
   02 | Selected Vulnerabilities in Node.js
   03 | Silver Linings in Node.js Security
68. Command Injection
   Best Practice:
   execFile('git', [...args])
   Maintain a whitelist of allowed args
   Blacklist special shell chars like ;
   Pray
82. Regular Expressions
   Best Practice #1: DO NOT WRITE YOUR OWN REGEX
   Best Practice #2: DO NOT WRITE YOUR OWN REGEX
84. Regular Expressions
   Best Practice #4: Safe-Regex Node.js module
   const safeRegex = require('safe-regex')
   // nested quantifier ((...)+)+ has star height 2, which safe-regex flags by default
   let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/
   let isSafe = safeRegex(regex) // false
86. Black Clouds & Silver Linings in Node.js Security
   01 | The Scary State of Node.js Security
   02 | Selected Vulnerabilities in Node.js
   03 | Silver Linings in Node.js Security
87. The npmjs Ecosystem
   Silver Linings in Node.js Security
100. Taking Ownership of Your App Security
Source: The State of Open Source Security Report 2019, Snyk
https://snyk.io/opensourcesecurity-2019/
109. The Security WG
   Scope:
   Improving the state of the Node.js Security Ecosystem
   Incident Response for Node and the npm ecosystem
111. The Security WG
   Initiative: RDP for Ecosystem Modules
   Discreetly investigate security issues
   Security Disclosure Policy for Bug Hunters
   Public Vulnerability Database
115. The Security WG
   Initiative: RDP for Ecosystem Modules
   Uninitialized Buffer | base64url  | 2,000,000
   XSS Injection        | react-svg  | 130,000
   Path Traversal       | serve      | 564,000
   ReDoS                | protobufjs | 7,200,000