Nodevember 2015
3 likes2,186 views
Node Security Experiments discusses security issues in the Node.js ecosystem. It covers topics like malicious modules hosted on NPM, insecure installation scripts, typosquatting vulnerabilities, password exposure, auditing packages for vulnerabilities, static analysis tools to detect security issues, and challenges of keeping up with the large number of packages. The document also mentions detecting and preventing specific security vulnerabilities, tools for auditing packages like NSP and Retire.js, potential bots in the ecosystem, and challenges with binary modules and exposing vulnerabilities in Node.js core.
![BOT TRACKER
1 {
2 "name": "botbait",
3 "version": "1.0.1",
4 "description": "Not for human consumption.",
5 "main": "index.js",
6 "scripts": {
7 "test": "node index.js test;exit 0",
8 "start": "node index.js start;exit 0",
9 "preinstall": "node index.js preinstall;exit 0"
10 },
11 "keywords": [
12 "botbait"
13 ],
14 "author": "",
15 "license": "MIT"
16 }
CREATED 6-17-2015](https://image.slidesharecdn.com/nodevember2015-151115223048-lva1-app6891/85/Nodevember-2015-44-320.jpg)
Nodevember 2015
- 7. MALICIOUS CODE HOSTED ON NPM
- 11. JERKS DEVS
- 12. Distribution
- 15. TYPOS
- 20. PASSWORDS
- 21. DEMO HERE?
- 22. AUDIT ALL THE THINGS
- 23. AUDIT ALL THE THINGS 12,000
- 24. AUDIT ALL THE THINGS 205,596
- 26. AUDIT ALL THE THINGS FOR ALL THE THINGS
- 27. STATIC ANALYSIS
- 30. CHALLENGES • Storage & compute requirements • node_modules & test directories • modules like 'yourmom' • /usr/bin/grep: Argument list too long • keeping up with the massive # of packages
- 31. VALIDATE
- 32. REPEAT
- 36. npm i nsp -g cd your-fantastic-app nsp check
- 37. RETIREJS npm i retire -g
- 41. github.com/evilpacket/bower-burp-static-analysis 3949 Open redirection (DOM-based) 1950 Cross-site scripting (DOM-based) 956 DOM data manipulation (DOM-based) 818 Link manipulation (DOM-based) 103 HTML5 storage manipulation (DOM-based) 64 Client-side JSON injection (DOM-based)
- 42. BOTS? Who else might be out there doing stuffs?
- 43. NOPE, NOT REALLY
- 44. BOT TRACKER 1 { 2 "name": "botbait", 3 "version": "1.0.1", 4 "description": "Not for human consumption.", 5 "main": "index.js", 6 "scripts": { 7 "test": "node index.js test;exit 0", 8 "start": "node index.js start;exit 0", 9 "preinstall": "node index.js preinstall;exit 0" 10 }, 11 "keywords": [ 12 "botbait" 13 ], 14 "author": "", 15 "license": "MIT" 16 } CREATED 6-17-2015
- 46. WHAT NOW?
- 49. BINARY MODULES & NODE CORE 1 var fs = require('fs'); 2 var msg = require('msgpack'); 3 //dddd 407d 7a 4 var data = fs.readFileSync('./crash') 5 msg.unpack(data); $ node index.js Segmentation fault