Slowloris

Slowloris is an HTTP connection exhaustion attack. The attacker opens a large number of HTTP connections from one computer and sends the request bytes over each of them very slowly, never completing the request, so the server keeps every connection open waiting for the rest of it. Unless the server bounds how long a request may take to arrive (and how many connections a single client may hold), it runs out of connection slots, becomes unresponsive, and cannot process further requests. Because the cost to the server is held-open connections rather than bandwidth, slowloris generally requires only one attacking machine instead of the many needed for botnet-style DDoS attacks.

Details about the attack and original implementation can be found here: https://en.wikipedia.org/wiki/Slowloris_(computer_security)

NodeJS Implementations

Recently I decided to take a look ...

Continue reading »

In late 2015, I decided to start researching IP Cameras. I decided to try out the cheapest models available on Amazon.com, both because I thought those models would be more “fruitful” and because I was trying to do this research on a budget. It turns out that the security on these lower-end IP Cameras is really bad.

I looked at five different IP Cameras and was able to gain root access on four of them within a few hours of starting to poke at them. All of the cameras I looked at cost between $30-$70, and can ...

Continue reading »

Earlier this week Zach Grace published an article on one way that you could backdoor a Node.js Express application without touching disk. This jogged my memory of something I posted in our team’s chat last week but never wrote about: how I would backdoor an Express application in memory. It’s a bit different from how Zach approached it, so I thought it would be good to expand upon his post and share the approach.

My “vulnerable” proof of concept is below. It uses a fairly common pattern of putting routes in a separate file. The eval is ...

Continue reading »

Denial of Service through Disk Space Exhaustion

Background

Two popular WordPress plugins for disk caching are W3 Total Cache and WP Super Cache. These plugins allow pages and posts to be rendered to disk as HTML files and subsequently served from the filesystem instead of being generated from data-driven sources on every web request.

Take for example a WordPress page route at /2017/01/30/hello-world. Once a user visits this page, the output HTML is written to the filesystem under the wp-content directory, in a subdirectory structure that matches the route. Every distinct route that gets rendered therefore produces another file on disk.

Disk Space Exhaustion

By appending ...

Continue reading »

As recently announced, the npm client supports installing packages from locations outside the official npm registry (such as HTTP URLs). Due to a design flaw introduced in late 2014, the bearer token used to authenticate the npm client to the registry was being sent along with all requests, not just those to the official registry.

So, if you or one of the modules you use specified a dependency like the example below, your authentication token would be leaked to that location. Note that this is not your password but a token that stands in for that credential, and it can still be used to act as you against the registry.

{
  "dependencies": {
    "fantastic-dependency": "http ...

Continue reading »

Wednesday afternoon we put a new version of the Node Security API in place to allow for some new and exciting features in the future.

This morning Dan Silivestru, CEO of BitHound, notified us that they had seen a couple of advisories that were publicly accessible but contained incomplete information.

We investigated and found a flaw in our API, specifically an authorization flaw that allowed access to non-public advisories. This case was also not exercised by our test suite, despite the suite having 100% code coverage. It's an embarrassing reminder that even with diligent development practices, code coverage and peer ...

Continue reading »

One question we've been asked a lot since launching requireSafe: "How is this different from the Node Security Project?"

We've fought that confusion ourselves so today we're announcing that requireSafe will be fully consolidated into the Node Security Project.

This change lets us focus on the one thing we want to do really well: make security a core value of the node community. We couldn't be more excited about simplifying this effort by merging these projects.

Along with this change, we're putting significant work into improving the tooling, education materials, and guidance that the community ...

Continue reading »

requiresafe v2.3.0 was just published and includes a small pile of updates implemented by Nathan LaFreniere based on feedback from pdehaan and naugtur.

Here is a summary of the updates.

  • added summary formatter similar to the nsp client
  • added vulnerable and patched version display to default formatter
  • cleaned up version numbers for unpatched modules in formatters
  • added --warn-only flag to check command
  • moved linting configuration to a central module, eslint-config-requiresafe
  • removed the scoped dependency for npm < 2.7 support
  • cleaned up the shrinkwrap file

And a bit more detail for some of the more exciting features.

Summary ...

Continue reading »

Combining a continuous integration service like circleci with requireSafe gives you continuous security checking for your node.js projects: every build verifies that no dependency with a known vulnerability has entered your dependency tree.

If you haven't used circleci before, be sure to check out the docs for how to get started before you dive in to integrate requireSafe.

Once you have circleci all set up, it's quite easy to add requireSafe checking so that you will know right away when a dependency with a known vulnerability ends up in your dependency tree.

First, add requiresafe as a dev dependency by typing

npm i requiresafe --save-dev

Next, add a script to your package.json ...

Continue reading »

If you are using Travis CI, it should take you about 30 seconds to add requireSafe and start continuously monitoring your apps for known security vulnerabilities.

If you haven't used Travis before, be sure to check out the docs for how to get started and then dive in to adding requireSafe.

Let's get started.

First, add requiresafe as a dev dependency by typing

npm i requiresafe --save-dev

Next, add a script to your package.json so that npm can run requiresafe check. Ours looks something like this:

"scripts": { "test": "lab -a code -t 100 -L", "requiresafe": "requiresafe check ...

Continue reading »