Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk

Rate this content
Bookmark

npm and security, how much do you know about your dependencies?

Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.

Fixing the issues and an introduction to Snyk with a demo.

Open questions.

This workshop has been presented at JSNation 2022, check out the latest edition of this JavaScript Conference.

FAQ

Snyk is a platform that helps improve security by scanning for vulnerabilities in code, dependencies, and containers. It integrates with development environments and CI/CD pipelines to provide real-time feedback and guidance on fixing vulnerabilities, thus enhancing the security posture of applications.

You can use Snyk by installing its CLI tool or integrating it into your IDE. Snyk can scan your project for vulnerabilities and provide recommendations and patches. You can also integrate Snyk into your version control system to monitor branches and pull requests for security issues.

The 'snyk test' command scans your project and reports vulnerabilities for a one-time check, while 'snyk monitor' records the state of dependencies to continuously monitor and alert you about new vulnerabilities that affect your project over time.

Yes, Snyk can suggest alternatives to vulnerable packages. This is facilitated by the Snyk Advisor feature, which provides health scores for packages and recommends healthier, more secure alternatives.

Prototype pollution is a vulnerability that allows an attacker to inject properties into existing JavaScript language construct prototypes. It can be mitigated by validating input data to ensure that objects are not tampered with, using Object.freeze to prevent modifications to objects, and avoiding the use of unsafe recursive merge functions.

When no direct fixes are available, Snyk allows users to ignore non-critical vulnerabilities with justification, apply patches if available, or migrate to more secure and actively maintained alternatives. Snyk also provides detailed information and educational resources on how to manually mitigate such vulnerabilities.

Yes, Snyk supports multiple programming languages including Java, Python, Go, C-Sharp, and Ruby, among others. This makes it a versatile tool for a wide range of development environments.

Best practices for using Snyk include integrating it early in the development process, continuously monitoring dependencies for vulnerabilities, using Snyk's patch management to apply fixes, and educating the development team on secure coding practices using resources like Snyk Learn.

Matthew Salmon
Matthew Salmon
99 min
04 Jul, 2022

Comments

Sign in or register to post your comment.

Video Summary and Transcription

This Workshop on Open Source and Security covers topics such as the use of open source packages in JavaScript, the risks and vulnerabilities associated with open source, and real-world examples of vulnerabilities and exploits. It emphasizes the importance of promptly addressing vulnerabilities and provides insights into fixing vulnerabilities using tools like Snyk. The Workshop also discusses best practices for package maintenance, triaging vulnerabilities, and integrating security measures into software development pipelines.

1. Introduction to Open Source and Security

Short description:

Hey there, my name is Matt Simon. I'm a Solutions Engineer with Snyk, so I'm working with customers of Snyk in order to improve the security posture using Snyk as their tooling of choice. Today's session is focused on open source in general and using open source inside of JavaScript and NPM to improve your applications and make them more secure. We'll start by booting up an application and hacking it. After that, we'll discuss fixing the vulnerabilities and give a high-level introduction to Snick. Feel free to interact with me during the presentation. Now, let's start with a basic introduction to open source.

Is it Phylicity or Toolkit? Hey there, my name is Matt Simon. I'm a Solutions Engineer with Snyk, so I'm working with customers of Snyk in order to basically improve the security posture using Snyk as their tooling of choice. Effectively, today's session is going to be primarily focused on open source in general and using open source inside of JavaScript and NPM in order to basically improve your applications and also make them more secure at the same time. This is primarily going to be from a security perspective.

So, without further ado, I'll get on to the agenda. So the first part of the day is going to be focusing on open source, and then what we're going to do is actually get into booting up an application and actually hacking it as well. So, if you're interested, you can follow along and hack the application alongside it. So, I'll quickly boot up the repo. So it's actually, I think it's Node.js.-goof. I'll quickly find it. It should be in my recent. There we go. And I'll send this through. If anyone's interested, I'll send this through in the Zoom chat, and feel free to get it up alongside it. And you can start hacking as well in the meantime. To run it, you need either MongoDB installed, or you'll just need Docker installed. So you can do one or the other. And I'll be running through... There's some example exploits in here, and there's also some more exploits inside of this folder that you can start playing with on your own side. I'll only be focusing on a couple of those in the meantime. But feel free to have a crack at this if you're in spare time of interest. So, without further ado, I'll go into the rest of it. After hacking into these, then we'll take about a 50 minute interval just to have a comfort break. And then we'll be going into kind of what you can do about actually fixing the vulnerabilities that we've exploited. And then I'm going to do a basic introduction at high level into Snick and kind of how we help secure things in your environment. I hope that all makes sense. Please feel free to stop me as I go along this presentation. I want it to be interactive. And I want you to guys to get something out of it rather than just talk in a monologue. So, please feel free to interact with me. Hit me up in the Zoom chat, or just come off mute and say hi. Yeah. Cool. I'll get started.

So, just to start off with, this is just a basic introduction to open source. And obviously, everyone knows what open source is and like the power of it and why we actually care about it. The main idea is that it's awesome because it helps us develop things in a quick, easy way. And it also allows us to do things in a more standardized way as well, because we can iterate over each other's processes and find out communitively, what is the best practice for doing things. So, as an example of that, I was on the hunt yesterday or over the weekend to buy new computer parts. And we've got a website in the UK called scan, which is the scan.co.uk. And this is a platform for buying computer parts as such. So, what I'd like to do as a bit of an exercise is to kind of, even if you haven't seen this website before, if you could come off mute, just shout out what you think certain parts of this web application are hosted via or supported via open source, just to name a few functions or name like different ways in which you can automatically know. Let's say for example, clicking on the help ticket, what they would actually do and how that can be supported by open source. Does that make sense? Yeah, for sure. The basket. It's something which, you know, every basically commerce website has, and it's something which is standardised across them. Yeah, like a lot of it, Joe. It's like the more you look, the more you realize that, yeah, it's definitely powered by open source as far as things like your login, for example. Like you've got this little help button down here, which will open up like its own window and widget and then have like a chatbot features inside of it. And while the chatbot may not be free, it may also be powered by some other kind of service.

QnA