M IN ING

@TIMMEDIN

@TIMMEDIN

T I M M E D I N

Founder, Red Siege Information Security

Red Team, Penetration Testing > 10 years

Kerberoast Inventor

Principal SANS Instructor

DerbyCon, ShmooCon, nullSingapore, …

@TIMMEDIN

W H AT I S M E T E O R ?

Open-source javascript framework

Uses Node.js

Real-time framework

@TIMMEDIN

M E T E O R M AT T E R S

#1 rated web app framework on GitHub

@TIMMEDIN

D E V E L O P E R H A P P I N E S S

Does not come with whiskey!

@TIMMEDIN

W H AT A R E W E B S O C K E T S

RFC 6455 in 2011

Provides full-duplex communications over a TCP connection

Also provides bidirectional communications

If the connection starts HTTP or HTTPS the switch to WebSocket is an upgrade HTTP 101 to WS:// or WSS://

Currently supported by most browsers and servers

The application must also support it

@TIMMEDIN

W H AT A R E W E B S O C K E T S

Designed for performance and convenience

Little security was built into the protocol

No authentication beyond upgrade request is performed

HTTP cookie is passed over during the handshake

Same Origin Policy is not enforced

@TIMMEDIN

H A C K I N G W E B S O C K E T S

Lack of tools, automated scanners miss it

Manual tools:

• Burp can proxy WebSocket traffic

• OWASP ZAP can proxy and fuzz WebSocket traffic

• Chrome offers a WebSocket client and developer tools (F12)

@TIMMEDIN

M E T E O R C O D E

JavaScript (or CoffeeScript)

Same language on the front and back end

Client-side rendering

No matching server generated HTML with client JavaScript!

@TIMMEDIN

M O N G O D ATA B A S E

NoSQL format

Protections against traditional SQLi injection

@TIMMEDIN

M A N A G I N G D ATA W I T H D D P

Protocol based on JSON

Based on WebSockets and SockJS

Handles Remote Procedure Calls (RPC)

Manages Data

@TIMMEDIN

D D P M E S S A G E S

ref: https://meteorhacks.com/introduction-to-ddp/

1.{"msg":"method", "method": "transferMoney", "params": ["1000USD", "arunoda", "sacha"], id": "randomId-1"} 2.{"msg": "result", id": "randomId-1": "result": "5000USD"} 3.{"msg": "updated", "methods": ["randomId-1"]}

@TIMMEDIN

S U B S & P U B S

Client – Data requested via subscription

Server – Pushes data via a publication

Client subscriptions map to user publications

Pub/sub can use additional params

@TIMMEDIN

M I T I G AT I N G AT TA C K S

XSS – Output data is escaped by default

Mongo – No Traditional SQLi

CSRF – Server requests via specialized calls (normally)

@TIMMEDIN

S U B S & P U B S

Subscription Meteor.subscribe('myAccount', myAccountId);

Publication Meteor.publish('myAccount', function(myId){ return Accounts.find({ _id: myId }); });

@TIMMEDIN

S U B S & P U B S

The same data can be pushed by multiple publications

The publication can push too much data

• Too many fields

• Too many records

Look at the JavaScript console

@TIMMEDIN

M E T E O R < 1 . 4

Everything loaded into the global namespace

> 1.4, likely migrated from older code, may be in global namespace

@TIMMEDIN

C L I E N T- S I D E L E A K A G E

The rendering and routing is done on the client

The client has to know what to load

The client has to know what data to request

@TIMMEDIN

C O L L E C T I O N N A M E S

Meteor.connection._mongo_livedata_collections

@TIMMEDIN

C O L L E C T I O N N A M E S

cols = []; for (var globalObject in window) { if (window[globalObject] instanceof Meteor.Collection) { cols.push(window[globalObject]); } } return cols;

pretty

@TIMMEDIN

C O L L E C T I O N D ATA

CollectionName.find().fetch()

Fields may be different for each record, we might find a leak

@TIMMEDIN

E X T R A C T I N G S U B S C R I P T I O N S

Meteor.connection._subscriptions

@TIMMEDIN

E X T R A C T I N G R O U T E S

Router.routes

@TIMMEDIN

AT TA C K A U T O M AT I O N

Chrome Web Extension – DOM is accessible but JavaScript variables are not

Firefox Web Extensions – Based on Chrome’s Web Extensions…no go

Firefox Add-on – Variables are accessible, but dev environment is horrific

IE – LOL

@TIMMEDIN

TA M P E R M O N K E Y

Allows access to page (and JavaScript variables) via unsafeWindow

Access Meteor variables with unsafeWindow.Meteor

@TIMMEDIN

M E T E O R M I N E R D E M O

Demo goes here

Drink `em if you got `em, it appeases the demo gods

Tim Medin tim@redsiege.com @TimMedin

Offensive Services from Offensive Minds

Code https://github.com/nidem/MeteorMiner https://github.com/nidem/MeteorTodosGoat

Presentation http://bit.ly/2i3bP7v