"Black Clouds and Silver Linings in Node.js Security" Liran Tal
1 like906 views
The document discusses security vulnerabilities in Node.js, highlighting common risks such as malicious modules and typosquatting attacks. It emphasizes the importance of community awareness and implementing best practices to secure open-source dependencies. Additionally, it outlines various initiatives aimed at improving the overall security landscape of the Node.js ecosystem.
![Best Practice:Best Practice:
execFile('git', [...args])execFile('git', [...args])
Command InjectionCommand Injection](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-67-320.jpg)
![Best Practice:Best Practice:
execFile('git', [...args])execFile('git', [...args])
Maintain a whitelist of allowed argsMaintain a whitelist of allowed args
Blacklist special shell chars like ;Blacklist special shell chars like ;
PrayPray
Command InjectionCommand Injection](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-68-320.jpg)
![Regular ExpressionsRegular Expressions
^([01]?dd?|2[0-4]d|25
[0-5]).([01]?dd?|2[0-4]
d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?
dd?|2[0-4]d|25[0-5])$](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-71-320.jpg)
![Regular ExpressionsRegular Expressions
^([01]?dd?|2[0-4]d|25
[0-5]).([01]?dd?|2[0-4]
d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?
dd?|2[0-4]d|25[0-5])$
IP AddressIP Address](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-72-320.jpg)
![Regular ExpressionsRegular Expressions
Matching a Song TitleMatching a Song Title
^([a-zA-Z0-9])$^([a-zA-Z0-9])$](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-74-320.jpg)
![Regular ExpressionsRegular Expressions
Matching a Song TitleMatching a Song Title
^([a-zA-Z0-9])$^([a-zA-Z0-9])$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)$](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-75-320.jpg)
![Regular ExpressionsRegular Expressions
Matching a Song TitleMatching a Song Title
^([a-zA-Z0-9])$^([a-zA-Z0-9])$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)+$^([a-zA-Z0-9]+s?)+$](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-76-320.jpg)
![Regular ExpressionsRegular Expressions
Best Practice #4Best Practice #4
Safe-RegexSafe-Regex Node.js moduleNode.js module
const safeRegex = require('safe-regex')
let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/
let isSafe = safeRegex(regex)](https://image.slidesharecdn.com/black-clouds-silver-linings-in-nodejs-security-node-ukraine-190527155619/85/Black-Clouds-and-Silver-Linings-in-Node-js-Security-Liran-Tal-84-320.jpg)
"Black Clouds and Silver Linings in Node.js Security" Liran Tal
- 1. Black Clouds & Silver LiningsBlack Clouds & Silver Linings in Node.js Security in Node.js Security Liran TalLiran Tal Developer Advocate @ SnykDeveloper Advocate @ Snyk @liran_tal github.com/lirantal May 2019May 2019
- 2. @liran_tal github.com/lirantal Liran TalLiran Tal Developer AdvocateDeveloper Advocate
- 3. 0101 Black Clouds in Node.js SecurityBlack Clouds in Node.js Security 02 02 || || 03 03 || Common Security VulnerabilitiesCommon Security Vulnerabilities Silver Linings in Node.js SecuritySilver Linings in Node.js Security Black Clouds & Silver LiningsBlack Clouds & Silver Linings in Node.js Securityin Node.js Security
- 4. Node.js is JavaScriptNode.js is JavaScript JavaScript is EverywhereJavaScript is Everywhere FrontendFrontend BackendBackend IoTIoT DatabasesDatabases ChatbotsChatbots MachineMachine LearningLearning WebAssemblyWebAssembly RoboticsRobotics
- 6. Invites big risksInvites big risks The Biggest RepositoryThe Biggest Repository
- 7. Invites big risksInvites big risks The Biggest RepositoryThe Biggest Repository Lucrative attack impactLucrative attack impact
- 8. Invites big risksInvites big risks The Biggest RepositoryThe Biggest Repository Lucrative attack impactLucrative attack impact Open and free-to-publish ecosystemOpen and free-to-publish ecosystem
- 9. Invites big risksInvites big risks The Biggest RepositoryThe Biggest Repository Lucrative attack impactLucrative attack impact Open and free-to-publish ecosystemOpen and free-to-publish ecosystem Difficult to counter-measureDifficult to counter-measure
- 10. Black Clouds inBlack Clouds in Node.js SecurityNode.js Security
- 11. Malicious ModulesMalicious Modules Black Clouds inBlack Clouds in Node.js SecurityNode.js Security
- 12. Malicious ModulesMalicious Modules Typosquatting AttacksTyposquatting Attacks Compromised AccountsCompromised Accounts Social EngineeringSocial Engineering
- 16. Malicious ModulesMalicious Modules timetime Jan 2015 rimrafallrimrafall Jan 2017 crossenvcrossenv
- 18. $ npm install crossenv --save
- 19. crossenv != cross-envcrossenv != cross-env $ npm install crossenv --save
- 20. coffescript coffescript oror coffe-script coffe-script
- 21. coffescript coffescript oror coffe-script coffe-script coffeescriptcoffeescript
- 23. post-install script ✅post-install script ✅
- 24. post-install script ✅post-install script ✅ call-home base64 payload ✅call-home base64 payload ✅
- 25. How did we find out about this maliciousHow did we find out about this malicious crossenv package?crossenv package? post-install script ✅post-install script ✅ call-home base64 payload ✅call-home base64 payload ✅
- 29. eslint-scope 3.7.2eslint-scope 3.7.2 malicious package publishedmalicious package published
- 30. eslint-scope 3.7.2eslint-scope 3.7.2 malicious package publishedmalicious package published
- 33. What's going on?What's going on?
- 36. Who depends on eslint-scope?Who depends on eslint-scope?
- 37. Who depends on eslint-scope?Who depends on eslint-scope? babel-eslintbabel-eslint
- 38. Who depends on eslint-scope?Who depends on eslint-scope? babel-eslintbabel-eslint eslinteslint
- 39. Who depends on eslint-scope?Who depends on eslint-scope? babel-eslintbabel-eslint eslinteslint webpackwebpack
- 40. npm invalidates all tokensnpm invalidates all tokens <= 2018-07-12<= 2018-07-12
- 41. npm invalidates all tokensnpm invalidates all tokens <= 2018-07-12<= 2018-07-12 estimated potential ~4,500 accounts estimated potential ~4,500 accounts were compromised were compromised
- 42. How does something likeHow does something like this happen?this happen?
- 43. Compromised Contributors ?Compromised Contributors ?CompromisedCompromised ContributorsContributors ??
- 44. Compromised Contributors ?Compromised Contributors ? 14%14% compromised npm modulescompromised npm modules CompromisedCompromised ContributorsContributors ?? src: https://github.com/ChALkeR/notes
- 45. Compromised Contributors ?Compromised Contributors ? 20%20% npm total monthly downloadsnpm total monthly downloads CompromisedCompromised ContributorsContributors ??
- 46. Compromised Contributors ?Compromised Contributors ? 20%20% npm total monthly downloadsnpm total monthly downloads expressexpress reactreact debugdebug momentmoment requestrequest CompromisedCompromised ContributorsContributors ??
- 48. Compromised Contributors ?Compromised Contributors ? 662662 usersusers 123456123456 had their password set tohad their password set to CompromisedCompromised ContributorsContributors ??
- 49. Compromised Contributors ?Compromised Contributors ? 14091409 usersusers had their password set tohad their password set to their usernametheir username CompromisedCompromised ContributorsContributors ??
- 50. Compromised Contributors ?Compromised Contributors ? 11%11% usersusers had their password set tohad their password set to previously leaked passwordpreviously leaked password CompromisedCompromised ContributorsContributors ??
- 53. Dependency ManagementDependency Management Black Clouds inBlack Clouds in Node.js SecurityNode.js Security
- 55. OWASP Top 10:OWASP Top 10: Using Components WithUsing Components With Known VulnerabilitiesKnown Vulnerabilities
- 58. who watches after all thesewho watches after all these modules ?modules ?
- 59. who watches after all thesewho watches after all these modules ?modules ?
- 60. who watches after all thesewho watches after all these modules ?modules ?
- 61. 0101 The Scary State of Node.js SecurityThe Scary State of Node.js Security 02 02 || || 03 03 || Selected Vulnerabilities in Node.jsSelected Vulnerabilities in Node.js Silver Linings in Node.js SecuritySilver Linings in Node.js Security Black Clouds & Silver LiningsBlack Clouds & Silver Linings in Node.js Securityin Node.js Security
- 62. Command InjectionCommand Injection Common SecurityCommon Security VulnerabilitiesVulnerabilities
- 67. Best Practice:Best Practice: execFile('git', [...args])execFile('git', [...args]) Command InjectionCommand Injection
- 68. Best Practice:Best Practice: execFile('git', [...args])execFile('git', [...args]) Maintain a whitelist of allowed argsMaintain a whitelist of allowed args Blacklist special shell chars like ;Blacklist special shell chars like ; PrayPray Command InjectionCommand Injection
- 72. Regular ExpressionsRegular Expressions ^([01]?dd?|2[0-4]d|25 [0-5]).([01]?dd?|2[0-4] d|25[0-5]).([01]?dd?| 2[0-4]d|25[0-5]).([01]? dd?|2[0-4]d|25[0-5])$ IP AddressIP Address
- 74. Regular ExpressionsRegular Expressions Matching a Song TitleMatching a Song Title ^([a-zA-Z0-9])$^([a-zA-Z0-9])$
- 75. Regular ExpressionsRegular Expressions Matching a Song TitleMatching a Song Title ^([a-zA-Z0-9])$^([a-zA-Z0-9])$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)$
- 76. Regular ExpressionsRegular Expressions Matching a Song TitleMatching a Song Title ^([a-zA-Z0-9])$^([a-zA-Z0-9])$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)$^([a-zA-Z0-9]+s?)+$^([a-zA-Z0-9]+s?)+$
- 77. Regular ExpressionsRegular Expressions Catastrophic BacktrackingCatastrophic Backtracking Exploits greedy quantifiersExploits greedy quantifiers Simple regexs are vulnerable tooSimple regexs are vulnerable too /^(a+)+$//^(a+)+$/
- 78. Regular ExpressionsRegular Expressions 20172017 msms|| 20162016 MomentMoment|| 20182018 || 20182018 ua-parser-jsua-parser-js|| 20M DL20M DL || 96M DL96M DL || 36M DL36M DL || sshpksshpk40M DL40M DL ||
- 79. Regular ExpressionsRegular Expressions 20172017 msms|| 20162016 MomentMoment|| 20182018 || 20182018 ua-parser-jsua-parser-js|| 20M DL20M DL || 96M DL96M DL || 36M DL36M DL || sshpksshpk40M DL40M DL || Best Practices ?Best Practices ?
- 80. Regular ExpressionsRegular Expressions Best Practices ?Best Practices ?
- 81. Regular ExpressionsRegular Expressions Best Practice #1Best Practice #1 DO NOT WRITE YOUR OWN REGEXDO NOT WRITE YOUR OWN REGEX
- 82. Regular ExpressionsRegular Expressions Best Practice #1Best Practice #1 DO NOT WRITE YOUR OWN REGEXDO NOT WRITE YOUR OWN REGEX Best Practice #2Best Practice #2 DO NOT WRITE YOUR OWN REGEXDO NOT WRITE YOUR OWN REGEX
- 83. Regular ExpressionsRegular Expressions Best Practice #3Best Practice #3 ValidatorValidator Node.js moduleNode.js module
- 84. Regular ExpressionsRegular Expressions Best Practice #4Best Practice #4 Safe-RegexSafe-Regex Node.js moduleNode.js module const safeRegex = require('safe-regex') let regex = /^(([a-z])+.)+[A-Z]([a-z])+$/ let isSafe = safeRegex(regex)
- 86. 0101 The Scary State of Node.js SecurityThe Scary State of Node.js Security 02 02 || || 03 03 || Selected Vulnerabilities in Node.jsSelected Vulnerabilities in Node.js Silver Linings in Node.js SecuritySilver Linings in Node.js Security Black Clouds & Silver LiningsBlack Clouds & Silver Linings in Node.js Securityin Node.js Security
- 87. The npmjs EcosystemThe npmjs Ecosystem Silver Linings inSilver Linings in Node.js SecurityNode.js Security
- 88. FightingFighting TyposquattingTyposquatting Package Moniker RulesPackage Moniker Rules
- 89. FightingFighting TyposquattingTyposquatting JSONStream JSONStream !=!= jsonstream jsonstream Package Moniker RulesPackage Moniker Rules
- 90. FightingFighting TyposquattingTyposquatting Package Moniker RulesPackage Moniker Rules
- 91. react-nativereact-native FightingFighting TyposquattingTyposquatting Package Moniker RulesPackage Moniker Rules
- 92. react-nativereact-native reactnativereactnative FightingFighting TyposquattingTyposquatting Package Moniker RulesPackage Moniker Rules
- 93. rea-ct.nativerea-ct.native react-nativereact-native reactnativereactnative FightingFighting TyposquattingTyposquatting Package Moniker RulesPackage Moniker Rules
- 94. rea-ct.nativerea-ct.native react-nativereact-native reactnativereactnative react_nativereact_native FightingFighting TyposquattingTyposquatting Package Moniker RulesPackage Moniker Rules
- 95. rea-ct.nativerea-ct.native react-nativereact-native reactnativereactnative react_nativereact_native @lirantal/rea-ct.native @lirantal/rea-ct.native FightingFighting TyposquattingTyposquatting Package Moniker RulesPackage Moniker Rules
- 96. Package PublishingPackage Publishing NotificationsNotifications
- 97. $ npm profile enable-2fa 2FA successfully enabled. Below are your recovery codes, please print these out. 2FA tokens2FA tokens for npm >= 5.5.1for npm >= 5.5.1
- 98. $ npm profile enable-2fa 2FA successfully enabled. Below are your recovery codes, please print these out. 2FA tokens2FA tokens for npm >= 5.5.1for npm >= 5.5.1
- 99. TakingTaking OwnershipOwnership ofof Your App SecurityYour App Security
- 100. TakingTaking OwnershipOwnership ofof Your App SecurityYour App Security Source: The State of Open Source Security Report 2019, Snyk https://snyk.io/opensourcesecurity-2019/
- 101. FindFind vulnerabilities in vulnerabilities in open source dependenciesopen source dependencies
- 102. $ npm install snyk $ snyk auth $ snyk test FindFind vulnerabilities in vulnerabilities in open source dependenciesopen source dependencies
- 103. $ npm install snyk $ snyk auth $ snyk test FindFind vulnerabilities in vulnerabilities in open source dependenciesopen source dependencies
- 104. SnykSnyk detects vulnerabilitiesdetects vulnerabilities inin Pull RequestsPull Requests
- 105. Snyk automates fixingSnyk automates fixing vulnerabilities vulnerabilities
- 106. Node.js Security Working GroupNode.js Security Working Group Silver Linings inSilver Linings in Node.js SecurityNode.js Security
- 107. The Security WGThe Security WG
- 108. The Security WGThe Security WG ScopeScope Improving the state of theImproving the state of the Node.js Security EcosystemNode.js Security Ecosystem
- 109. The Security WGThe Security WG ScopeScope Improving the state of theImproving the state of the Node.js Security EcosystemNode.js Security Ecosystem Incident Response for NodeIncident Response for Node and the npm ecosystemand the npm ecosystem
- 110. The Security WGThe Security WG Initiative:Initiative: RDP for Ecosystem ModulesRDP for Ecosystem Modules
- 111. The Security WGThe Security WG Initiative:Initiative: RDP for Ecosystem ModulesRDP for Ecosystem Modules Discretely Investigate Security issuesDiscretely Investigate Security issues Security Disclosure Policy for Bug HuntersSecurity Disclosure Policy for Bug Hunters Public Vulnerability DatabasePublic Vulnerability Database
- 112. The Security WGThe Security WG Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 || Initiative:Initiative: RDP for Ecosystem ModulesRDP for Ecosystem Modules
- 113. The Security WGThe Security WG Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 || XSS InjectionXSS Injection react-svgreact-svg|| 130,000130,000 || Initiative:Initiative: RDP for Ecosystem ModulesRDP for Ecosystem Modules
- 114. The Security WGThe Security WG Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 || XSS InjectionXSS Injection react-svgreact-svg|| 130,000130,000 || Path TraversalPath Traversal serveserve|| 564,000564,000 || Initiative:Initiative: RDP for Ecosystem ModulesRDP for Ecosystem Modules
- 115. The Security WGThe Security WG Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 || XSS InjectionXSS Injection react-svgreact-svg|| 130,000130,000 || Path TraversalPath Traversal serveserve|| 564,000564,000 || ReDOSReDOS protobufjsprotobufjs|| 7,200,0007,200,000 || Initiative:Initiative: RDP for Ecosystem ModulesRDP for Ecosystem Modules
- 116. 0101 Malicious modules & Compromised accountsMalicious modules & Compromised accounts|| Black Clouds & Silver LiningsBlack Clouds & Silver Linings in Node.js Securityin Node.js Security ||
- 117. 0101 Malicious modules & Compromised accountsMalicious modules & Compromised accounts 02 02 || || Common Security Pitfalls in Node.jsCommon Security Pitfalls in Node.js Black Clouds & Silver LiningsBlack Clouds & Silver Linings in Node.js Securityin Node.js Security || ||
- 118. 0101 Malicious modules & Compromised accountsMalicious modules & Compromised accounts 02 02 || || 03 03 || Common Security Pitfalls in Node.jsCommon Security Pitfalls in Node.js Developer awareness,Developer awareness, Fix vulnerabilities in your open source deps,Fix vulnerabilities in your open source deps, Node.js Security WGNode.js Security WG Black Clouds & Silver LiningsBlack Clouds & Silver Linings in Node.js Securityin Node.js Security || ||
- 119. @liran_tal github.com/lirantal Liran TalLiran Tal Developer AdvocateDeveloper Advocate Use Open Source, Stay Secure.Use Open Source, Stay Secure. Thank you!Thank you!