Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.
2. snyk.io
Guy
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
• Cyber Security part of Israel Defense Forces
• First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
• Security: Worked in Sanctum -> Watchfire -> IBM
• Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker
3. snyk.io
Danny
• Danny Grander, @grander on Twitter
• Chief Research Officer & Co-founder at Snyk
• History:
• Cyber Security part of Israel Defense Forces
• Startup work on embedded security and crypto
• CTO at Gita, security consultancy (acquired by Verint)
• Speaker, blogger
88. snyk.io
ImageTragick
• ImageMagick:
popular image manipulation binary/library
• May 2016: Multiple RCE vulns disclosed
• Trivial to exploit, highly severe, took >1 week to fix
• Primary vulnerability:
• Images are declared as one format, but auto-detected as SVG
• SVG processing holds multiple remote command execution
131. snyk.io
Spot the Problem
function isAdminToken(token)
{
var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-e6d0ddb8bbba";
if (token == ADMIN_UUID) {
return true;
}
return false;
}
132. snyk.io
Spot the Problem
function isAdminToken(token)
{
var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-e6d0ddb8bbba";
if (token == ADMIN_UUID) {
return true;
}
return false;
}
Fails faster if first
chars mismatch
134. snyk.io
Constant Time Comparison
function isAdminToken(token)
{
var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-e6d0ddb8bbba";
var mismatch = 0;
for (var i = 0; i < token.length; ++i) {
mismatch |= (token.charCodeAt(i) ^
ADMIN_UUID.charCodeAt(i));
}
return mismatch;
}
135. snyk.io
Constant Time Comparison
var scmp = require('scmp');
function isAdminToken(token)
{
var ADMIN_UUID = "28ec1f1c-a87a-43ac-8d9a-e6d0ddb8bbba";
return scmp(token, admin);
}
155. snyk.io
Securing OSS Packages
• Find vulnerabilities
• Be sure to test ALL your applications
• Fix vulnerabilities
• Upgrade when possible, patch when needed
• Prevent adding vulnerable module
• Break the build, test in pull requests
• Respond quickly to new vulns
• Track vuln DBs, or use Snyk! </shameless plug>
158. snyk.io
There’s A LOT we didn’t cover
• HTTPS
• Security Headers
• Common misconfigurations
• Node.js runtime security
• Continous Security in CI/CD
• Happy to take questions on those…
159. snyk.io
Summary
• Node.js is awesome, and here to stay
• Security dialogue too low, needs your attention
• Educate & beware insecure code
• Both Node.js specific and general app sec issues
• Setup tools to handle insecure dependencies
• Continuously, and across all projects