Patterns in Node Package Vulnerabilities

Transcript

1. Patterns in Node Package Vulnerabilities Chetan Karande

2. About Me ▪ Principal Engineer, DTCC ▪ Project Leader, OWASP

   NodeGoat Project ▪ Author

3. 532 packages/day

4. ~ 700,000 packages

5. 88 Disclosures

6. 603 Vulnerabilities

7. 1,098 Advisories

8. None
9. None
10. None
11. None
12. None

13. npm audit Snyk CLI

14. “By seeking and blundering we learn.” - Johann Wolfgang von

    Goethe
15. None

16. 1,084 + 528 1,023 Unique Advisories

17. None

18. Insecure Access to File System

19. Insecure Access to File System Pattern #1 Directory Traversal

20. None

21. Root Cause: An insecure dependency vulnerable to Directory Traversal

22. Root Cause behind Directory Traversal Missing or insufficient user input

    validation for path traversal characters before using it in a path to serve contents on the server.

23. Root Cause for Directory Traversal Missing or insufficient user input

    validation for path traversal characters before using it in a URL to serve contents on the server. Examples: • / • ../ • %2f • %2e%2e/ • %2e%2e%2f,
24. None

25. Preventing Directory Traversal ✓ If the path needs to be

    supplied from the user input, sanitize the input to remove path traversal characters (./ and ../ as well as encoded variations)

26. Insecure Access to File System Pattern #2 Symlink Attack

27. Symlink attack is like staying in a hotel and getting

    a really noisy neighbor... Symlink Attack

28. Symlink Attack A malicious user sharing the host, could exploit

    this vulnerability to corrupt or destroy vital system or application files to which only the target application has the access.

29. Root Cause for Symlink Attack • An application sharing the

    host server with other external users. • Using predictable file or folder names when writing to shared directories

30. Example: The package writing logs to the shared /tmp directory

    with a predictable file name

31. ln –s <source file> <target file>

32. Preventing Symlink Attack ✓ Avoid using shared system folders.

33. Example: The package using /tmp to buffer command results before

    returning values

34. Preventing Symlink Attack ✓ Avoid using shared system folders. ✓

    If you have to use a shared folder for writing non-sensitive data, use crypto module’s randomBytes method to generate random filenames.

35. Sensitive Data Exposure

36. “The more you leave out, the more you highlight what

    you leave in.” - Henry Green

37. Sensitive Data Exposure Pattern #1 Leaking Application Secrets

38. Root Causes for Leaking Application Secrets Application-specific secrets appearing at

    insecure places such as as: - code repositories, - log files, - client-side storage, - URLs, - application global namespace

39. Example: Leaking the SSL private key in the code repository

40. Example: URLs with authentication tokens appearing in the logs

41. Example: OAuth Bearer Token appearing in the browser local-storage

42. Preventing Application Secrets Leakage ✓ Securely store applications secrets in

    Hardware Security Module (HSM) or Key Management Services.

43. Preventing Application Secrets Leakage ✓ Securely store applications secrets in

    Hardware Security Module (HSM) or Key Management Services. ✓ Mask any sensitive data before it appears in the log files.

44. Preventing Application Secrets Leakage ✓ Securely store applications secrets in

    Hardware Security Module (HSM) or Key Management Services ✓ Mask any sensitive data before it appears in the log files ✓ To reduce impact of a leak, use short-lived tokens.

45. Sensitive Data Exposure Pattern #2 Predictable Secrets (Insecure Randomness)

46. Root causes for Insecure Randomness • Using Math.random() method is

    to generate random values in security- sensitive context (random tokens, resource IDs, or UUIDs). • Math.random() is cryptographically insecure. It can produce predictable values.

47. Example: Using Math.random to generate UUID

48. Example: Using Math.random() to generate Socket IDs

49. Preventing Insecure Randomness ✓ Use crypto module to generate random

    numbers instead of Math.random()

50. Preventing Insecure Randomness ✓ Use crypto module to generate random

    numbers instead of Math.random()

51. Sensitive Data Exposure Pattern #3 Predictable Secrets (Non-constant Time Comparison)

52. Root causes for Non-constant Time Comparison • Using fail-fast comparison

    logic to match user inputs against sensitive values. • JavaScript native string comparison operators (=== and ==) perform the non-constant time fail-first string comparison .

53. Example: Using Fail Fast operators to compare csrf tokens

54. Example: Using a Fail Fast iterator to compare byte arrays

55. None

56. Preventing Timing Attacks ✓ Use a constant-time comparison logic that

    takes the same amount of time regardless of the input values.

57. Preventing Timing Attacks ✓ Use a constant-time comparison logic that

    takes the same amount of time regardless of the input values.

58. Sensitive Data Exposure Pattern #4 Remote Memory Exposure

59. Root Cause for Remote Memory Exposure ▪ Prior to Node.js

    8, the Buffer constructor that takes a number as an argument, generates a Buffer instance with uninitialized underlying memory.

60. ▪ Prior to Node.js 8, the Buffer constructor that takes

    a number as an argument, generates a Buffer instance with uninitialized underlying memory. ▪ The contents of a newly created Buffer remain unknown and might contain sensitive data. Root Cause for Remote Memory Exposure

61. Examples of Uninitialized Memory Exposure Example: Using unsafe Buffer constructor

62. Example: Using unsafe Buffer constructor

63. Example: Using unsafe Buffer constructor

64. Preventing Remote Memory Exposure ✓ Use a safe method Buffer.alloc(size)

    to create a buffer that is initialized with zeroes:

65. Sensitive Data Exposure Pattern #5 Insecure Network Usage

66. Root Cause for Insecure Network Usage ▪ Using insecure HTTP

    protocol to download resources as part of install scripts or at runtime.

67. Root Cause for Insecure Network Usage ▪ Using insecure HTTP

    protocol to download resources as part of install scripts or at runtime.

68. Preventing Insecure Network Usage ✓ Download resources over secure HTTPS

    connection. ✓ Provide an option for users to download dependencies in advance and specify the location path.

69. Denial of Service

70. Denial of Service Pattern #1 Exhausting System Resources

71. Root Cause behind DoS by Exhausting System Resources • Allocating

    unrestricted amount of system resources based on the size of a user input.

72. Example: Exceeding V8’s maximum string size limit

73. Example: Exceeding V8’s maximum buffer size limit

74. Example: Unrestricted file uploads exhausting file-system space

75. Example: Instantiating large number of Objects based on a user

    input (very large array index: foo[0][1000000000]=bar)

76. Preventing DoS by Exhausting System Resources ✓ Validate size of

    a user input before processing it

77. Denial of Service Pattern #2: Keeping Event Loop Busy

78. Node is fast when the work associated with each client

    at any given time is "small". - Node.js Docs

79. Examples of DoS By Keeping Event Loop Busy • Running

    an execution loop whose iterations depend on the length of a user input.

80. • Running an execution loop whose iterations depend on the

    length of a user input. • Using unsafe Regular Expressions Examples of DoS By Keeping Event Loop Busy

81. Regular Expression Denial of Service (ReDoS) ▪ By default, regular

    expressions get executed in the main event loop thread ▪ Evil regex can take exponential execution time when applied to certain non- matching inputs.
82. None

83. ^(.*,)+(.+)?$/

84. Input format: ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n Input Length Execution Time 25 2 sec

    26 4 sec 27 9 sec 28 15 sec 30 1 minute 35 34 minutes

85. Denial of Service Pattern #3 Crashing Event Loop By Unhandled

    Exceptions
86. None

87. Common Causes of Unhandled Exceptions #1 Failing to Handle Invalid

    User Inputs

88. • Caused by failing to validate user inputs for unexpected

    value, type, or shape before processing them

89. Unexpected Character Example: Trailing \ in URL localhost:3000/index.html\

90. Unexpected Object Value Example: Unexpected HTTP Header Value { 'accept-encoding':

    'a;b' }

91. Unexpected Object Shape Example: Type coercion via HTTP Request Parameters

92. ▪ User input coercion via HTTP Request Parameters in qs,

    Express, Koa // GET /search?conference=fluent request.query.conference //=> "fluent”

93. ▪ User input coercion via HTTP Request Parameters in qs,

    Express, Koa // GET /search?conference=fluent&conference=velocity request.query.conference //=> ["fluent”, “velocity”]

94. ▪ User input coercion via HTTP Request Parameters in qs,

    Express, Koa // GET /search?conference[]=fluent request.query.conference //=> ["fluent”]

95. ▪ User input coercion via HTTP Request Parameters in qs,

    Express, Koa // GET /search?conference[fluent][year]=2018 request.query.conference //=>

96. ▪ User input coercion via HTTP Request Parameters in qs,

    Express, Koa // GET /search?conference[fluent][year]=2018 request.query.conference //=> {fluent: { year: '2018' }}

97. ✓ Validate user inputs for expected values, type or shape

    before processing it. (using joi package, for example) Preventing Unhanded Exception Caused by Invalid User Input

98. Common Causes of Unhandled Exceptions #2 Missing or Incorrect Operational

    Error Handling

99. Four mechanisms to communicate operational errors in Node.js: 1. throw

    new Error('something bad happened!');

100. Four mechanisms to communicate operational errors in Node.js: 1. throw

     new Error('something bad happened!'); 1. callback(new Error('something bad happened!'));

101. Four mechanisms to communicate operational errors in Node.js: 1. throw

     new Error('something bad happened!'); 1. callback(new Error('something bad happened!')); 1. return Promise.reject(new Error('something bad happened!'));

102. Four mechanisms to communicate operational errors in Node.js: 1. throw

     new Error('something bad happened!'); 1. callback(new Error('something bad happened!')); 1. return Promise.reject(new Error('something bad happened!')); 1. myEmitter.emit('error', new Error(something bad happened!'));

103. Example: Failure to handle error object passed in the callback

104. Preventing Unhanded Exception due to Operational Errors ✓ Be aware

     of the error delivery mechanism used by the invoked function and handle errors accordingly.

105. Recap ▪ Insecure Access to File System - Pattern #1

     Directory Traversal - Pattern #2 Symlink Attack

106. Recap ▪ Sensitive Data Exposure - Pattern #1 Leaking Application

     Secrets - Pattern #2 Predictable Secrets (Insecure Randomness) - Pattern #3 Predictable Secrets (Non-constant Time Comparison) - Pattern #4 Remote Memory Exposure - Pattern #5 Insecure Network Usage

107. Recap ▪ Denial of Service - Pattern #1 Exhausting System

     Resources - Pattern #2 Keeping Event Loop Busy - Pattern #3 Crashing Event Loop By Unhandled Exceptions

108. Learning Resources

109. Patterns in Node Package Vulnerabilities

110. node.advisories.io

111. node.advisories.io

112. @karande_c

113. None