Black Clouds & Silver Linings in Node.js Security

Black Clouds & Silver LiningsBlack Clouds & Silver Linings
in Node.js Security in Node.js Security
Liran TalLiran Tal
Developer Advocate @ SnykDeveloper Advocate @ Snyk
@liran_tal github.com/lirantal
May 2019May 2019

@liran_tal
github.com/lirantal
Liran TalLiran Tal
Developer AdvocateDeveloper Advocate

0101 Black Clouds in Node.js SecurityBlack Clouds in Node.js Security
02 02 ||
||
03 03 ||
Common Security VulnerabilitiesCommon Security Vulnerabilities
Silver Linings in Node.js SecuritySilver Linings in Node.js Security
in Node.js Securityin Node.js Security

Node.js is JavaScriptNode.js is JavaScript
JavaScript is EverywhereJavaScript is Everywhere
FrontendFrontend
BackendBackend
IoTIoT
DatabasesDatabases
ChatbotsChatbots
MachineMachine
LearningLearning
WebAssemblyWebAssembly
RoboticsRobotics

src: https://snyk.io/opensourcesecurity-2019

Invites big risksInvites big risks
The Biggest RepositoryThe Biggest Repository

Lucrative attack impactLucrative attack impact

Open and free-to-publish ecosystemOpen and free-to-publish ecosystem

Open and free-to-publish ecosystemOpen and free-to-publish ecosystem
Difficult to counter-measureDifficult to counter-measure

Black Clouds inBlack Clouds in
Node.js SecurityNode.js Security

Malicious ModulesMalicious Modules

Typosquatting AttacksTyposquatting Attacks
Compromised AccountsCompromised Accounts
Social EngineeringSocial Engineering

timetime
Jan 2015
rimrafallrimrafall

timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv

crossenv != cross-envcrossenv != cross-env
$ npm install crossenv --save

coffescript coffescript oror coffe-script coffe-script

coffescript coffescript oror coffe-script coffe-script
coffeescriptcoffeescript

post-install script ✅post-install script ✅

call-home base64 payload ✅call-home base64 payload ✅

How did we find out about this maliciousHow did we find out about this malicious
crossenv package?crossenv package?
call-home base64 payload ✅call-home base64 payload ✅

timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv
May 2018
getcookiesgetcookies

timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv
May 2018
Jul 2018
eslint-eslint-
scopescope

eslint-scope 3.7.2eslint-scope 3.7.2
malicious package publishedmalicious package published

What's going on?What's going on?

Who depends on eslint-scope?Who depends on eslint-scope?

babel-eslintbabel-eslint

eslinteslint

eslinteslint
webpackwebpack

npm invalidates all tokensnpm invalidates all tokens
<= 2018-07-12<= 2018-07-12

npm invalidates all tokensnpm invalidates all tokens
<= 2018-07-12<= 2018-07-12

estimated potential ~4,500 accounts estimated potential ~4,500 accounts
were compromised were compromised

How does something likeHow does something like
this happen?this happen?

Compromised Contributors ?Compromised Contributors ?CompromisedCompromised ContributorsContributors ??

Compromised Contributors ?Compromised Contributors ?
14%14%
compromised npm modulescompromised npm modules
CompromisedCompromised ContributorsContributors ??
src: https://github.com/ChALkeR/notes

20%20%
npm total monthly downloadsnpm total monthly downloads

20%20%
npm total monthly downloadsnpm total monthly downloads
expressexpress reactreact
debugdebug
momentmoment
requestrequest

https://giphy.com/embed/aWPGuTlDqq2yc

662662 usersusers
123456123456
had their password set tohad their password set to

14091409 usersusers
their usernametheir username

11%11% usersusers
previously leaked passwordpreviously leaked password

timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv
May 2018
Jul 2018
eslint-eslint-
scopescope
event-streamevent-stream
Nov 2019

src: https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor

Dependency ManagementDependency Management

OWASP Top 10:OWASP Top 10:
Using Components WithUsing Components With
Known VulnerabilitiesKnown Vulnerabilities

who watches after all thesewho watches after all these
modules ?modules ?

0101 The Scary State of Node.js SecurityThe Scary State of Node.js Security
02 02 ||
||
03 03 ||
Selected Vulnerabilities in Node.jsSelected Vulnerabilities in Node.js
Silver Linings in Node.js SecuritySilver Linings in Node.js Security

Command InjectionCommand Injection
Common SecurityCommon Security
VulnerabilitiesVulnerabilities

DemoDemo

Best Practice:Best Practice:
execFile('git', [...args])execFile('git', [...args])

Best Practice:Best Practice:
execFile('git', [...args])execFile('git', [...args])
Maintain a whitelist of allowed argsMaintain a whitelist of allowed args
Blacklist special shell chars like ;Blacklist special shell chars like ;
PrayPray

Regular ExpressionsRegular Expressions

^([01]?dd?|2[0-4]d|25
[0-5]).([01]?dd?|2[0-4]
d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?
dd?|2[0-4]d|25[0-5])$

^([01]?dd?|2[0-4]d|25
[0-5]).([01]?dd?|2[0-4]
d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?
dd?|2[0-4]d|25[0-5])$
IP AddressIP Address

https://giphy.com/embed/xNBcChLQt7s9a

Matching a Song TitleMatching a Song Title
^([a-zA-Z0-9])$^([a-zA-Z0-9])$

^([a-zA-Z0-9])$^([a-zA-Z0-9])$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)$

^([a-zA-Z0-9])$^([a-zA-Z0-9])$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)+$^([a-zA-Z0-9]+s?)+$

Catastrophic BacktrackingCatastrophic Backtracking
Exploits greedy quantifiersExploits greedy quantifiers
Simple regexs are vulnerable tooSimple regexs are vulnerable too
/^(a+)+$//^(a+)+$/

20172017 msms||
20162016 MomentMoment||
20182018 ||
20182018 ua-parser-jsua-parser-js|| 20M DL20M DL ||
96M DL96M DL ||
36M DL36M DL ||
sshpksshpk40M DL40M DL ||

20172017 msms||
20162016 MomentMoment||
20182018 ||
20182018 ua-parser-jsua-parser-js|| 20M DL20M DL ||
96M DL96M DL ||
36M DL36M DL ||
sshpksshpk40M DL40M DL ||
Best Practices ?Best Practices ?

Best Practices ?Best Practices ?

Best Practice #1Best Practice #1
DO NOT WRITE YOUR OWN REGEXDO NOT WRITE YOUR OWN REGEX

ValidatorValidator Node.js moduleNode.js module

Safe-RegexSafe-Regex Node.js moduleNode.js module
const safeRegex = require('safe-regex')
let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/
let isSafe = safeRegex(regex)

The npmjs EcosystemThe npmjs Ecosystem
Silver Linings inSilver Linings in

FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

JSONStream JSONStream !=!= jsonstream jsonstream

react-nativereact-native

reactnativereactnative

rea-ct.nativerea-ct.native

react_nativereact_native

react_nativereact_native
@lirantal/rea-ct.native @lirantal/rea-ct.native

Package PublishingPackage Publishing NotificationsNotifications

$ npm profile enable-2fa
2FA successfully enabled.
Below are your recovery codes,
please print these out.
2FA tokens2FA tokens for npm >= 5.5.1for npm >= 5.5.1

TakingTaking OwnershipOwnership ofof
Your App SecurityYour App Security

TakingTaking OwnershipOwnership ofof
Your App SecurityYour App Security
Source: The State of Open Source Security Report 2019, Snyk
https://snyk.io/opensourcesecurity-2019/

FindFind vulnerabilities in vulnerabilities in
open source dependenciesopen source dependencies

$ npm install snyk
$ snyk auth
$ snyk test
FindFind vulnerabilities in vulnerabilities in
open source dependenciesopen source dependencies

SnykSnyk detects vulnerabilitiesdetects vulnerabilities inin
Pull RequestsPull Requests

Snyk automates fixingSnyk automates fixing vulnerabilities vulnerabilities

Node.js Security Working GroupNode.js Security Working Group
Silver Linings inSilver Linings in

The Security WGThe Security WG

ScopeScope
Improving the state of theImproving the state of the
Node.js Security EcosystemNode.js Security Ecosystem

ScopeScope
Improving the state of theImproving the state of the
Node.js Security EcosystemNode.js Security Ecosystem
Incident Response for NodeIncident Response for Node
and the npm ecosystemand the npm ecosystem

Initiative:Initiative: RDP for Ecosystem ModulesRDP for Ecosystem Modules

Discretely Investigate Security issuesDiscretely Investigate Security issues
Security Disclosure Policy for Bug HuntersSecurity Disclosure Policy for Bug Hunters
Public Vulnerability DatabasePublic Vulnerability Database

Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 ||

XSS InjectionXSS Injection react-svgreact-svg|| 130,000130,000 ||

Path TraversalPath Traversal serveserve|| 564,000564,000 ||

Path TraversalPath Traversal serveserve|| 564,000564,000 ||
ReDOSReDOS protobufjsprotobufjs|| 7,200,0007,200,000 ||

0101 Malicious modules & Compromised accountsMalicious modules & Compromised accounts||
||

0101 Malicious modules & Compromised accountsMalicious modules & Compromised accounts
02 02 ||
||
Common Security Pitfalls in Node.jsCommon Security Pitfalls in Node.js
||
||

0101 Malicious modules & Compromised accountsMalicious modules & Compromised accounts
02 02 ||
||
03 03 ||
Common Security Pitfalls in Node.jsCommon Security Pitfalls in Node.js
Developer awareness,Developer awareness,
Fix vulnerabilities in your open source deps,Fix vulnerabilities in your open source deps,
Node.js Security WGNode.js Security WG
||
||

@liran_tal
github.com/lirantal
Liran TalLiran Tal
Developer AdvocateDeveloper Advocate
Use Open Source, Stay Secure.Use Open Source, Stay Secure.
Thank you!Thank you!

Black Clouds & Silver Linings in Node.js Security

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (15)

Semelhante a Black Clouds & Silver Linings in Node.js Security

Semelhante a Black Clouds & Silver Linings in Node.js Security (20)

Mais de Julia Cherniak

Mais de Julia Cherniak (11)

Último

Último (20)

Black Clouds & Silver Linings in Node.js Security