Node.js Vulnerabilities

Size: px

Start display at page:

Download "Node.js Vulnerabilities"

Dortha Paul
6 years ago
Views:

1 Node.js Vulnerabilities Amadou Crookes December 13th, 2013 Abstract Node.js is a fresh take on building fast, scalable network applications in the form of a server side framework. There are two main differences to Node.js from the other well known frameworks. Node.js is written entirely in JavaScript and through JavaScript s straightforward anonymous functions the use of handling events asynchronously. With Node.js being a new technology, the community has uncovered several vulnerabilities. This paper will talk about the importance of web frameworks in regards to the world and developers. It will then survey the vulnerabilities that are most prevalent to Node.js and explore the techniques used to exploit those vulnerabilities. As we look at the vulnerabilities we will also see if Node.js lends itself to these vulnerabilities. We will take about best practices to avoid creating vulnerabilities at the code level. Lastly we will look at how to exploit vulnerabilities. 1

2 Introduction It is undeniable that the world is progressing at an increasing pace to one dominated by technology. This means that the number of programs, programmers, and available technology will increase. As this happens it is necessary to protect those using technology by building secure software on all levels. There are always going to be bugs and vulnerabilities in software, but pointing out and fixing these vulnerabilities will create a better culture among those who create software. This will create a community of people trying to fix these vulnerabilities. Once these are fixed, showing people the vulnerability and how to avoid it will create a platform for other programmers to learn from others mistakes. At a higher level, so much software is reused in order to speed up the process of coding. Whether it be open source, an executable with an interface, or a public API, so much code available today can be reused. This is great for programming but means that we, as programmers, must be aware of all known vulnerabilities in the software we use. This gives us more knowledge, helping us make the most informed decision about which software to use, helping us build a more secure technological environment. In today s technological landscape the internet is the major player. The internet gives the ability for software to reach a very broad audience, making it an incredible platform to build on top of. To deal with all of these incoming requests, and handle all the data many people have started using pre built web frameworks. These frameworks are built to use popular languages and supply code for many simple functions necessary to make a functional backend. These frameworks have gained incredible traction. Some popular ones are Django (Python) and Ruby on Rails (Ruby). These have been used by companies 2

3 such as Instagram, Pinterest, Rdio, Mozilla, Github, and many more. Among these frameworks there is a newcomer to the game, Node.js (Node). Node is a framework written on top of Google s V8 JavaScript Engine. This means that it is a web framework that uses JavaScript. This gives developers the ability to write all backend and client side code in the same language, if they are creating a web application. In addition to webapps Node.js is perfect for backend mobile development as it uses an event driven, non blocking I/O model that makes it lightweight and efficient, perfect for data intensive real time applications that run across distributed devices (Node.js). To the Community Although Node is only four years old, released May 27th, 2009, it is already very popular among developers and is still growing. Node is already being used by many well known companies such as Uber, LinkedIn, ebay, PayPal, Voxer, and Yahoo!. Joyent, the company behind Node, has just expanded Node so that it will work on more operating systems (ReadWrite). This means that more companies will be presented with the opportunity to make the jump from their current framework to Node. One company has already made this transition. Walmart, a behemoth of a company who employs 1% of Americans (ReadWrite), recently switched to Node.js right before one of the biggest weeks in ecommerce, Black Friday. This allowed Walmart to roll Node.js into production for Black Friday, processing 53% of all walmart.com traffic (ReadWrite), which is very impressive and will give Node.js more credability, potentially bringing more companies and developers to the framework. 3

4 As stated before the internet is the dominant factor in technology today. Even more than that, mobile has really taken off since the release of the iphone in In 2009 global mobile traffic represented a measly 1% (Forbes) of Internet traffic, and then it edged up to 4% in 2010, and it hit 13% in November 2012 (Forbes). This growth is only going to increase as cellular networks become faster, and smartphones become even cheaper, as more competition is bound to join the market. In terms of phones there are 5 billion mobile phone users in the world, but only 1 billion smartphone users (Forbes), so there are 4 billion people who in the next few years are likely to make the switch to a smartphone if the possibility presents itself. Node lends itself to mobile development. When developing mobile applications that communicate with a shared collection of data or communicate with other mobile devices it is essential that there is also an API to support this swapping of information. This means that attackers will be trying to break into these APIs and access data, making it very essential that web frameworks be secure, as to avoid being hacked into. As a developer I have used many frameworks, including Node, and know that it is very important to use a web framework as it has a lot of built in code and great developer communities. Frameworks would not be used by companies such as Instagram, or Walmart if web frameworks were not an important part of the development process. The usage of web frameworks is only going to increase as mobile usage increases. As more and more native and web apps are created it is critical that developers know how secure frameworks are before using them. If Node were to have a vulnerability that gave an 4

5 attacker access to the server side code they could potentially take any data they found valuable. In the case of Uber, PayPal, and Walmart this could potentially mean an attacker could steal credit card information from millions of users. In a post Edward Snowden America, it is even more important to show users that their data is safe, and this starts from the bottom up. If a company relies on unreliable software, then they are inherently unreliable and could be attacked through code they did not necessarily write. Action Items So far Node has been a pretty reliable framework or else it would not have had as much traction as it has. That being said, unfortunately Node.js has already experienced a few bugs. Software is very dynamic and it is almost impossible to avoid bugs in large projects such as a framework that has many different moving parts. In the mobile environment it is necessary to send data back and forth from the many devices using the app back to the server where the data is collected. This allows many devices to access the same data, such as in a social network or an app that provides the same information to different users. This data transfer is clearly done through the Internet by using HTTP methods such as GET, POST, PUT, and DELETE. With that means of sending the data there also has to be a standard format to send the data. This format has to be easy to parse on both the client and the server since data potentially is flowing in both directions. The main formats currently used are XML and JSON. XML was used a lot in the past but is increasingly starting to lose usage to JSON. Twitter a microblogging service that has mobile applications has recently begun to drop support for their XML services. 5

6 JSON, which stands for JavaScript Object Notation, is based on a subset of the JavaScript Programming Language (JSON). That being said it makes sense for a Node.js application to deal with JSON to and from the client and server. When the server receives the JSON payload it is in the form of a string. In order to use this data it first must be parsed into a JavaScript Object. A simple way to do this is by using JavaScript s built in eval method. JavaScript s eval takes a string as the only argument and executes it as JavaScript code. When given a JSON payload this properly transforms it into a JavaScript object as expected. However if any other valid JavaScript code is passed in it will be executed, opening up the Node.js program to server side injection. This can happen anywhere in Node where eval is used with a string from the user. With the ability to run any JavaScript code an attacker would be able to access just about anything they would want. An earlier version of Node did not check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string (MITRE). This is bad because often authorization parameters and cookie data is sent from the client within the header. So if an attacker exploited this vulnerability they could pretend to be another user by spoofing the HTTP header with the data they just obtained. This could be detrimental as an attacker could access someone else s sensitive information stored in the server since the server believes the attacker to be the trusted user. The attacker could also make requests on the user s behalf without them knowing. The most recent vulnerability in Node.js has to do with HTTP pipelining. This is a technique introduced in HTTP version 1.1. HTTP pipelining allows multiple HTTP requests 6

7 to be written out to a socket together without waiting for the corresponding responses. The requestor then waits for the responses to arrive in the order in which they were requested (Mozilla). This can greatly improve page loading times as the requests all get fired off one after another instead of waiting for the response for each request before sending the next request. This also adds an improvement in terms of number of packets sent because multiple HTTP requests can fit into one TCP/IP packet. The vulnerability arises in the way Node handles all of the sent requests, before sending back the responses. While still receiving the requests from the client, Node populates a response buffer which is never consumed. Writes to this buffer are written in memory. This means that if too many requests are sent using HTTP pipelining the buffer could use up all of the available memory on the server. An attacker exploiting this could cause a denial of service attack. Once there was no more available memory the server would no longer be able to function, and therefore would stop anyone else from using the server. Defenses Node as a framework has no real way of preventing eval being used in code, because it is a JavaScript function that developers may want access to in certain situations. Instead Node can just recommend one of two things to developers. First, since the only malicious string that could be evaluated is from the user, the developer could look at the input to ensure that it is not malicious code before passing it to eval. The second option is to avoid using eval altogether. JSON is based on JavaScript so of course there are better ways to parse JSON. The best option is to use JSON.parse, which is meant to handle only JSON 7

8 instead of any JavaScript code. So JSON.parse will take in a JSON string and parse it back into a JavaScript object. If the given string is anything other than valid JSON it will raise an exception without executing the code, guarding against malicious code being passed to the server. The other vulnerabilities talked in this paper are fixes on Node s end as opposed to the developer working with Node. For spoofing the headers by passing a zero length string, Node.js has a patch for this. Use any version of Node.js that is not earlier than versions and is not between versions 0.7 and The fix was just to ensure that it properly checked the length of strings. HTTP pipelining uses Stream objects to hold all of the incoming data. It has a property, needsdrain, that is set once the Stream has too much data. Previously this was ignored so data just kept getting written into the Stream object. To fix this, the needsdrain property is checked before doing writes. If needsdrain is set, then it stops writing and stops reading/parsing incoming data. it then waits until the drain event is fired and then proceeds as normal (Y Hacker News). Conclusion Node is definitely a great web framework, that is here to stay. It has already seen a few vulnerabilities but it is a very young framework that is still working through some kinks. One of the most promising aspects about it is the strong developer community that has already been formed around it in support. This community helped find and create a fix for the few vulnerabilities shown in this paper. There will always be bugs but with developer communities such as Node s code will continue to become more and more secure. 8

9 Works Cited Fisher, Darin. "Mozilla." HTTP/1.1 Pipelining FAQ. Mozilla, n.d. Web. 13 Dec < archive.mozilla.org/projects/netlib/http/pipelining faq.html>. "Introducing JSON." JSON. N.p., n.d. Web. 13 Dec < Joyent, Inc. "Node.js." Node.js. Joyent, Inc, n.d. Web. 12 Dec < MITRE Corporation. "Nodejs : Security Vulnerabilities (Gain Information)." Nodejs : Security Vulnerabilities. N.p., 22 Aug Web. 13 Dec < list/vendor_id 12113/opginf 1/Nodejs.html>. "Node Has Critical Security Fix." Node V Stable Has Critical Security Fix Hacker News. Y Hacker News, n.d. Web. 13 Dec < Olson, Parmy. "5 Eye Opening Stats That Show The World Is Going Mobile." Forbes. Forbes Magazine, 04 Dec Web. 12 Dec < eye opening stats that sho w the world is going mobile/>. Singer, Michael. "Node.js Is Big, And Still Getting Bigger." ReadWrite. ReadWrite, 6 Dec Web. 13 Dec < os infrastructure>. 9

SEO For Security Guard Companies

startasecuritycompany.com SEO For Security Guard Companies How We Built Two Multi-Million Dollar Security Companies Using Search Engine Optimization Contents 1. Thanks For Downloading! Congratulations!