5 Ways You Could Have Hacked Node.js

Rate this content
Bookmark

All languages are or were vulnerable to some kind of threat. I’m part of the Node.js Security team and during the year 2022, we've performed many Security Releases and some of them were really hard to think about.


Did you know you can make money by finding critical vulnerabilities in Node.js? In this talk, I’ll show you 5 ways you can have hacked Node.js and how the Node.js team deals with vulnerabilities.

This talk has been presented at JSNation 2023, check out the latest edition of this JavaScript Conference.

FAQ

DLL injection is a technique used by hackers to inject malicious dynamic link library files into a running process, modifying its behavior or gaining unauthorized access. In Node.js, this can happen when malicious packages initialize OpenSSL and load harmful DLL files.

DNS rebinding is an attack where an attacker tricks a user into visiting a malicious website, which then redirects to an invalid IP address. This can expose the user's local machine to the attacker. In Node.js, this vulnerability was related to the improper validation of IP addresses.

The experimental permission model in Node.js allows developers to specify permissions for file read, write, child processes, and more. This helps prevent unauthorized access to sensitive files and directories, enhancing overall security.

To avoid vulnerabilities related to HTTP proxy tunneling, use a secure HTTP client library like Undici, which now supports safe proxy connections. Ensure that your proxy connections are encrypted using SSL/TLS to prevent data sniffing.

The Node.js security team consists of two groups: the Node.js triage team and the security working group. They work on addressing security vulnerabilities, preparing security fixes, and releasing updates to ensure the safety of the Node.js ecosystem.

NearForm is a professional service company that offers core contributions to Node.js, including security, performance, and scalability solutions. They have team members who are part of the Node.js Technical Steering Committee and core team, providing expertise to help businesses scale their Node.js infrastructure.

Rafael Gonzaga is a staff engineer at Neo4m from Brazil. He is a member of several open-source organizations, a Node.js DSC member, and a security working group lead. He is also a Node.js releaser.

You can check if your Node.js version is vulnerable by using the package called IsMyNodeVulnerable. Simply run the command 'npx is my node vulnerable' to see if you are using a vulnerable version of Node.js.

If you find a potential security vulnerability in Node.js, do not open a public issue. Instead, go to the security.md file in Node.js or the HackerOne platform to submit the vulnerability report. The Node.js triage team will assess it and prepare a security fix and release if accepted.

HTTP request smuggling is an attack where a malicious user sends a specially crafted HTTP request that gets interpreted as two separate requests by the server. This can expose internal server endpoints and lead to unauthorized access.

Rafael Gonzaga
Rafael Gonzaga
22 min
05 Jun, 2023

Comments

Sign in or register to post your comment.

Video Summary and Transcription

The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.

1. Introduction to Node.js Security Team

Short description:

Hello, everybody. My name is Rafael Gonzaga. I'm a staff engineer at Neo4m. I'm a member of a few organizations in the open source, and I'm a Node.js DSC member, a security working group lead. Recently, I started live coding on Twitch. So first of all, all the CVs mentioned here were addressed. Make sure you are using a safe version of Node.js. The Node.js security team consists of the Node.js triage team and the security working group. Did you find a potential security vulnerability? Please do not open a public issue. The process of submitting Node.js vulnerabilities is fairly straightforward. You find a potential vulnerability and you go to the hacker one. The Node.js three-edge team receives your report and assesses it against our threat model.

Hello, everybody. My name is Rafael Gonzaga. I'm a staff engineer at Neo4m. I'm from Brazil. I'm a member of a few organizations in the open source, and I'm a Node.js DSC member, a security working group lead. I'm a Node.js releaser, so if any of Node.js builds break you, probably it was on me, OK?

So recently, I started live coding on Twitch. So if you like this kind of content, follow me there as well. I'm mostly available in all the social medias.

So, OK, first of all, before showing the bad parts of Node.js, I would like to give a disclaimer telling that all languages have it and introduced a concept of security in programming language. So for instance, first of all, all the CVs mentioned here were addressed, OK? Make sure you are using a safe version of Node.js. For instance, I wrote a package called IsMyNodeVulnerable. If you would just call npx is my node vulnerable, you'll be able to see if you are using a vulnerable version of Node.js. If you are, please update, OK?

So first of all, I will present the Node.js security team. Basically, the Node.js security team consists in two groups. The first one is the Node.js triage team. It consists of the Node.js Technical Steering Committee, specific contributors of Node.js with security expertise, the Node.js release team, and the build team, OK? And the second group is the security working group. It's a community working group. We work on several security initiatives, and the experimental permission or the permission model is just one of them. So you can be part of it. Just ping me, send me a message, you can go to the repository, and you'll be able to see it, OK?

So let's go to what matters. Did you find the potential security vulnerability? Please do not open a public issue. You will be disclosing the vulnerability, and that's crucial. That's very bad for maintainers, because we need to hurry. We need to do a lot of things in a short period of time, and it's eventually very bad, actually. So usually, see the security.md in the Node.js file, you'll be able to see it. If you go to the hacker one, you'll be able to see it, as well. So the process of submitting Node.js vulnerabilities is fairly straightforward, okay? You find a potential vulnerability and you go to the hacker one. Hacker one is a platform where you can submit any potential vulnerability and you assess it. And then you fill the form, and the Node.js three-edge team receives your report. And we assess it against our threat model.

2. Hacking Node.js: DLL Injections

Short description:

And if that gets accepted, we will prepare a security fix and a security release. You can make money from it through bug abating programs. I will be presenting five ways you could have hacked Node.js. The first one is DLL injections, a technique used by hackers to inject malicious dynamic link library files into a running process. Let's take this example: you are on Windows, you install a game, and a malicious package containing a providers.dll is installed. This package requires crypto, and when it is initialized, it will search for providers.dll in the current working directory.

And if that gets accepted, we will prepare a security fix and a security release. Okay? So, well, you can make money from it through bug abating programs. Okay?

So, in this talk, I will be presenting five ways you could have hacked Node.js. However, it's important to mention that all the vulnerabilities were a threat. So don't worry.

The first one is DLL injections, okay? Hello, Windows users. DLL injection is a technique used by hackers to inject malicious dynamic link library files into a running process, thereby modifying its behavior or gaining unauthorized access to its resources.

So let's take this example, okay? You are on Windows. Again, sorry, Windows users. Then let's say that you install any kind of game. You install most of the games nowadays need to open SSL. So you have opened SSL in your machine. And then you are following a blog post, but you mistyped Fastify. And then you install Fastify, okay? And then this package, this is a malicious package that contains a providers.dll. And the content of this dll is basically the most dangerous thing you can do on Windows, that is, to open the calculator, okay? And then, okay, this package requires crypto, actually, in the beginning. Whenever you require crypto, HTTPS or TLS module on Node.js, we'll initialize open SSL. And when it is initialized, it will search for providers.dll in the current working directory. And for instance, if the package, malicious package, contains just a post-install script that calls NPM versions that, under the hood, require crypto, it will initialize open SSL and will load the providers.dll and then the attack happens. Now it thinks that it doesn't load providers.dll in the current working directory anymore.