How to Exploit Real World Vulnerabilities
From Author:
This workshop will lead you through installing and exploiting a number of intentionally vulnerable applications. The applications will use real-world packages with know vulnerabilities, including:
- Directory traversal
- Regular expression denial of service (ReDoS)
- Cross site scripting (XSS)
- Remote code execution (RCE)
- Arbitrary file overwrite (Zip Slip)
- These exploits exist in a number of applications, most of which you will need to install either locally or on a cloud instance.
You can do this workshop in 2 different flavours:
- Using the prepared Docker images OR
- Install everything on your local machine.
This workshop has been presented at TestJS Summit 2021, check out the latest edition of this JavaScript Conference.
FAQ
The purpose of the workshop is to provide an overview of open source software, discuss its benefits, and explore the security issues associated with it. Participants will also engage in a hands-on session to hack and secure an application.
Participants can access the hands-on session materials by going to the GitHub repository at github.com/Snyk/exploit-workshop and forking the Node.js booth app.
The workshop discusses the prevalence of vulnerabilities in transitive dependencies of open source software, emphasizing that a significant percentage of these vulnerabilities are found in dependencies not directly managed by developers.
The workshop recommends using Snyk, a tool that helps developers find vulnerabilities in their projects and provides options to fix them, often by upgrading to a safer version of the dependency.
A common security issue identified during the session is the lack of input sanitization, which can lead to security vulnerabilities such as code injection or cross-site scripting attacks.
The workshop suggests being vigilant about the dependencies and transitive dependencies included in projects by using tools like Snyk to scan and monitor for vulnerabilities, and by always being aware of what is being brought into the codebase.
The workshop uses the example of the 'event-stream' package, which had a vulnerability introduced in a new version through a transitive dependency, highlighting the risks associated with upgrading dependencies without thorough checks.
Video Transcription
1. Introduction to Open Source and Software Security
We'll go over an overview of open source, its benefits, and how it saves time. Then we'll hack an application. My name is Noa, a solution engineer at Snyk. Feel free to ask questions in the Q&A messaging system or chat. Fork our Node.js booth app on github.com/Snyk/exploit workshop. What is the future of open source software security? Let's discuss. The majority of code is open source, and vulnerabilities are often found in transitive dependencies.
Hey, guys, thank you for joining my session. We're going to just an overview of what we're going to do. We're going to go over some slides just to understand open source, why it's awesome, how it saves us time and everything, and then we'll actually jump and actually hack an application. So let's get started.
My name is Noa. I'm a solution engineer at Snyk. And obviously, if you have any questions throughout the workshop, you have the question, the Q&A messaging system if you want to be kind of anonymous or you can ask me in the chat. I'll be looking there as well. And if you haven't already done so, please go to github.com slash Snyk slash exploit workshop, that's where the actual hands-on session is going to be and fork our Node.js booth app, which is going to be connected with the first repo.
Cool, so starting off, isn't open source awesome, saves us a lot of time, it gives us, you know, makes us less frustrated, we don't have to actually write the code ourselves sometimes, we can just bring it from outside. And just kind of a question to ponder upon, what is the future of open source software security? Is it going to be, are we going to have more open source, less open source, you know, because sometimes it can bring vulnerabilities, and we're going to touch that very soon.
So as developers, you know, we write code, we debug code, we get over the code, and obviously, we, we get excited over the code when we fix issues. However, the code we actually face every day is very small compared to applications. So it's just the tip of the iceberg. And for those who actually looked at the code, were you able to find any security issues. And this I'll give it a second, if anyone wants to try out. I'll send the workshop links over here in the chat. There we go. So exactly. Yeah, the inputs are not sanitized. And we kind of just send them straight without checking what it is first. So that's the security issue. Good job. Great.
So when we think of code, as we said, we just looked at the tip of the iceberg. But actually 80 to 90% of the code base is open source. And 80% of vulnerabilities are actually found in transitive dependencies. So it's even the dependencies we're not aware that are in our code. So let's say I bring a dependency. But I don't know what dependencies they're bringing in.
2. Vulnerabilities in Transitive Dependencies
80% of vulnerabilities are in transitive dependencies. We need to be aware of what we bring into our code. Tools like Snyk help us find and fix vulnerabilities. Our application is built on more than just custom code. Open source saves time but can introduce new vulnerabilities. Awareness is key. Do you know what's inside your dependencies? Supply chain security issues have occurred in the past.
So 80% of vulnerabilities are in the transitive dependencies. So here I have for an example of an open source package, Dust.js LinkedIn. And I see that it has a vulnerability. So I may not know where the vulnerability is. But at least I should be aware of it. And that's where we need to, you know, we need to be aware of what we're bringing into our code.
So we can use tools like Snyk, which later on, during the workshop itself, once we get to the hands on, we're actually going to create a login, like a user at Snyk. So we can actually find vulnerabilities. And later on after we exploit it, we can actually fix them and prevent them from happening. So again, I don't know where the issue is, but I know there's an issue. And I know the version that I'm at in this, in this dependency and I know what I want to fix it to, to get rid of the issue.
So let's visualize this, I guess, in our, in our head, this is our application, right? You're working on an application, you write the code. So this may be what you guys are thinking of, you know, some lines of code. However, as we said, the picture is a lot larger. So our application is built on a lot more than just our custom code. And that is why. Sorry, no questions. And that is why we need to be aware of it.
So we can also see that open source is heavily used. There is new packages created by ecosystem per year. It just keeps growing and it doesn't stop. Because again, it saves us so much time. It saves us a lot of frustration and it is super useful for us. So so the fact that we're using open source is great and fantastic and it helps us. But we shouldn't be surprised, you know, when new vulnerabilities are being added to our projects. So open source is great, bringing in new vulnerabilities as well. So there's kind of this like, is it amazing? Or is it not amazing? So again, awareness is key here. So how well do you actually know what's inside your dependencies? How well do you know them? And there's actually a supply chain security issue in 2018. I know it happened again in 2019. And again, I think pretty much we hear of like one big deal every year.
Comments