
...communication resources and faster and more reliable. I... children walking around, so nobody's going to see me in a wet t-shirt, don't worry. But we're going to play a game, and the winner will get a t-shirt, not this particular one but just like this one. We will talk about, if we have time, we're going to talk about potential risks of developing Node.js, although this is not the prime goal of the presentation. Well, we have 30 minutes. All right, let's go.

How did we come up with the idea? Well, a couple of my colleagues, actually it wasn't me, were at Black Hat a couple of years ago. They were walking around and saw a big wall with code snippets on it and a bunch of people just staring at that wall. It turns out they were trying to find vulnerabilities in other people's code, right? Have you ever seen things like that? Yeah, it's pretty cool, right? Now at that same conference a study came out, by OWASP no less, that the top CISO concern around the country, around the world probably, is that developers don't have a lot of security training, they're not trained in developing secure code, there isn't enough awareness of the need to develop secure code. So put one and one together and we have the Game of Hacks website: we built a game for developers to test their application security knowledge.

All right, we launched it at, again, Black Hat 2014, and in the first 24 hours we had over 35,000 players. The response really caught us by surprise, completely; didn't think it was, you know, Checkmarx is not really a big household name, wouldn't command a whole lot of attention from media. Since then it's been over 300,000 games played. The game is actually still up, available free, completely free, no sign-ups needed. So actually let's take a look, going to switch to the browser. You can play yourself, you can challenge your colleagues, it's always more fun, and great, should have done... kind of like some popular TV shows, trivia games, right? You look at the code, you pick the answer that you think is correct. Well, I can't really read the code, I don't know about you, so I'm going to pick one and it's either right or wrong, by the way this... oops, the answer was wrong. So the idea, of course, is to answer as many questions as you can in the shortest possible time; you get points for doing that, and if you win your name is at the top of the leaderboard. Well, what could go wrong, right, when you invite, when you kind of talk about this at the hackers' conference, sorry, at Black Hat, and invite hackers to play the game against the other side. So let's see, I'm going to go back to the presentation. I do encourage you to check that game out.

So what else was behind this development? It wasn't just the game. We actually developed it using techniques that were new to us at the moment; we wanted to extend our services to cover Node.js, for example, so we used Node.js. Node.js was new to our development team. We still decided that the game definitely would be attacked, right, so we tried to plant a few honeypots to see what the hackers would go after first. Not everything actually was planned on purpose, I admit, some things did surprise us. But so let's talk about what happened, right.
These are some messages from the message boards, right. See that some of this was not very flattering, some was okay. But these are kind of the high scores; notice the problem: none of these scores look real. I can't get that much, let me get points. So let's see how this happened. As I said, Game of Hacks architecture: there's a web client, a JavaScript web client; there's Node.js on the server, hosted by Heroku; scores and users are kept in a MongoDB database. Very simple, right? Anybody who has apps that look similar to this one? Probably not that uncommon. On the actual client page you have a question, you have a question, you have source code, you know, an object for the question: you have the question itself, answers, count, score, difficulty level and the timer. Pretty simple, these are all kind of objects in the client-side JavaScript.

So the first problem was that we wouldn't actually keep track of which answers were answered, right. So what happened was that there was a callback to the server to submit an answer; it turned out you can actually call this over and over again, I didn't have to run the client. So once you figure out the right answer you can just call it and call it and call it and get points and get points and get points. What's the mitigation? Well, you actually have a flag for whether the answer has been submitted or not, and so that prevents somebody from trying multiple times. Seems kind of logical, but oh, so it's good to have somebody else find it for you, right? Interesting, makes life interesting.

Timer: in the first version of the app the timer was handled by the client-side JavaScript. You know, it's a 60-second timer; you put your submit and send the time spent on the answer as part of the request to the server. What could possibly go wrong? Well, JavaScript, if you know, runs on the client; it doesn't really take a whole lot to modify the JavaScript which runs on the client, so you can submit a time that you want with your answer, right, negative, very very low. It was all being done by users, so: app, send answer, answer one, and time spent negative billion or whatever, there's ten billion. So you see the hacker community is very helpful, right, they kind of tell each other how to hack the game, it's pretty cool. So we had to modify the game a little bit and start computing time on the server. There's certainly a possibility for a lag being introduced, all right, but now with decent Wi-Fi and a decent direct connection that's typically not an issue, right. Keep that in mind for your own development; this is all for your benefit.

Now what else? Now these are kind of things we thought about, right, in advance, but there's the interesting find that somebody did. You play this game, and actually there's a mobile-friendly website too; if you play it on an iPhone, you hold your finger down on the web browser and it stops the timer. So you can pause, figure out the correct answer, and then click it. Now that, I have to say, I really had no clue to expect, couldn't expect that. Some hack, that hack.

All right, so I mentioned the contest. This is going to be a different type of presentation: I'm going to encourage you to get your phones ready, laptops, everyone connect to Wi-Fi. We're going to play a game. How many of you have never written a single line of code? Nobody admits to that, but that's fine, we'll find out. I promise that some questions, everybody is going to be able to answer some questions. So here's what you're going to have to do:
You're going to have to go to Kahoot.it and enter the game PIN. I'll give everybody a few minutes, and in the meantime enjoy the goats, WebGoat if you prefer. So let's see, I'd say we probably have got about 50 people here, 40; I expect that number to match the number of players. Fascinating. Was that a question at the back? In the back? No. 46, 47, look at that. Okay, you can still enter, I think. Anyway, where's my... is my...

All right, 10 questions, same idea as Game of Hacks, right. You have to answer, you can't change your answer after you've selected one of the answers, sorry, don't try to use your back button. Okay, let's get on with it. Told you everybody can answer some of these questions. Now let's see, last chance to join. These are warm-up questions, okay, warm-up questions, don't worry. Boring. So who is doing fine? Whoever is fine... So now it's the real stuff, right, a thousand points at stake. Can you see it, actually? Oh, I didn't think about it.

Can you make the code larger? Hard to see.

All right, nicely done everybody. What's the key combination to zoom in? Somebody remember? Ctrl +? Is that Ctrl Shift +? All right, now I think it might be better. Oh wait, I'm not playing well, well, that happened. My namesake in the audience, great. Is it better back there? A little.
So the previous one was pretty simple, right, there was a format string, so no check on what kind of format string you are using; the uncontrolled format string is the vulnerability. Path traversal: anybody tell me what can happen when you do that? You can open any file you want, you can overwrite any file you want, basically whatever the privilege level of your application. So what happens is serious stuff. All right, hey, what happened to you? You can do better.

Do you actually remember this very politically incorrect cartoon? OK, I don't know, I don't think my kids have ever seen that. Bonus question: what's the mouse named? There you go, good.

All right, see, we have a clear winner.

Ah, this is nice. The questions, by the way, are random out of the database, so I don't really know what's going to be next every time I play; same with Game of Hacks, there's a big database of questions and it's in some sort of random order. I have to say these are sort of beginner-level questions, right. Ah, how many of you got confused by all the SQL statements in there? There you go, Igor's pretty close. So, oh, you know what, I should have talked about that: when the client randomizes the answer order, right. Actually the server sends the questions to the client and the client presents them in random order, in order to prevent script running, right; if the client does it there's no way for the server to match what was number one, what was number two, oh, A B C, whatever it is. But, you know, good try. Questions, there you go, things back on track.

So where should we validate the answer?

Any cultural references in here?

That should be easy, right? Right, those who said server: good answer. Those who said client: think of what could happen, right, what happened to our Game of Hacks, right, you can submit any answer you want. And I think we have the last, no, next to last.

I think this might be the code snippet straight from our game. You just had to pay attention; you didn't really have to look at the code, I have to say, just pay attention to the presentation. And now you also have to pay attention to the comments in the presentation.

All right, so I have, as I mentioned, I have t-shirts here, see me after. Actually, raise your hand, who's... nicely done. I have a couple of others: who's number two, number three? All right, thanks everybody, hope you enjoyed it. The rest of you, hope you enjoyed it, but the presentation isn't over yet, don't worry.
I mentioned we're going to talk about a couple of Node.js things. Do we have five minutes? Who's there, where are the folks running the show? I guess I'll do it, there's nobody else here. What is specific to Node.js? We talked about a couple of logical flaws in the app that sort of allowed hackers to hack the app, I really want to say "hack", but abused or bypassed the verification of the rules. So what are things that you should remember about programming Node.js in general? Node.js is single-threaded, it has a single-threaded architecture; there's an event loop that calls out to workers to do the actual job. For non-programmers among you, this is the metaphor, right: there's a single-thread order taker and maybe several people who go around and fulfill the orders. The problem is that if the single thread is busy, right, the order taker is busy, there are no more orders coming in and customers aren't being served. So the attack is denial of service. I see not everybody is laughing, but you should be. I mean, so actually kind of a very appropriate picture here. Now every simple piece of code like that with a sufficiently large boundary condition can actually hold up your kick-ass machine for seconds, which is typically enough to do denial of service if you do it on a large scale. So the key is not to put any computationally intensive code inside the main thread in Node.js. So that's the first thing that you probably get burned on, but yet people still get burned on it, and I guess the protection also is to verify any input, especially if these boundary conditions come from the user. Is it 3pm here? Well, yes, okay, well, we'll run quickly through a couple of others, it's actually 11.

So another interesting thing about Node.js is that it's all JSON-based, right, the language; you can do queries against databases based on JSON objects, you can easily manipulate JSON objects, right, so typically you can use actual JSON values for the find method. Now, if you do this, let's say, to validate a username and password, it's very easy to bypass this validation by supplying something that actually looks like, will be interpreted by the database as code, the conditions that will be interpreted by the database as code. So what do people do? The typical defense against this is to find the user first and then compare it to the password stored for that user. But remembering that Node.js is a single-threaded app, it's easy actually to supply a regex for that last password parameter that will hold up your server with this big regex compare, hold up your server for a couple of seconds. It's also not good, leads to denial of service, regex denial of service.

Sorry we didn't have much time to go into details on this, but a couple of takeaways: application development is difficult; secure application development is even more difficult. Developers learn much better when they are part of a game, right, especially if they compete with each other, so any time you have a chance to integrate elements of games into education, take it. And also, you know, all the same rules apply to programming in newer frameworks like Node.js as they applied to Java, for example: validate input and be careful with strings. OK, so this is it. Questions? Thank you. ... You know what's the best thing to do is to stop by our booth, you can win Beats headphones. All right, thanks guys.