@bmeck @vdeturckheim @erights @MylesBorins
I'm nearing feature completeness on some security relevant Node packages, and would like to organize attack reviews.
These packages all relate to the integrity of messages that leave Node, for example HTML to the browser, SQL to a database, or strings to a shell.
I could use help coming up with attackable demo applications and help defining what constitutes a breach. Once that's done, I need people to attack the system and share any vulnerabilities found.
The packages that are in bounds are:
Contextual escaping for HTML : https://npmjs.com/package/pug-plugin-trusted-types
Safely composable SQL queries : https://npmjs.com/package/safesql
Safely composable Shell strings : https://npmjs.com/package/sh-template-tag
Module Keys : https://npmjs.com/package/module-keys
Contract Type Utilities : https://npmjs.com/package/node-sec-patterns
Web Contract Types : https://npmjs.com/package/web-contract-types
Good initiative.
I think we can find a few hackable apps around:
Are any other known?
Not everything itself is a Node application that we can make as an attack surface, however, I really like the idea of popping up a nicer exercise based tutorial if we go through things.
https://rawgit.com/Agoric/SES/master/demo/?dateNow=enabled
Is interesting in part because it is so explanatory (even if needing specialized knowledge a bit) and easy to show to others.
I think some of the big things we are going to have to do is define what a valid attack will be fore these. I don't think mucking with the primordials is something we should really account for usually. All attempts at hygiene within an Agent require Realm isolation or frozen Realms.
@vdeturckheim Yeah. I think a target app would be good.
@bmeck Yeah, I think we have to assume good faith on the part of developers. That's pretty fuzzy, but out of bounds I think are custom C++ extensions, abuse of bindings, and attacking builtin modules via primordials. For modules like node-sec-patterns which should initialize early and preserve properties even in the face of hostile JS code, I have tests for the ability of late-running code to breach isolation via primordials.
I'm working on a demo app that will tie these together and a script to run it locally so we can craft attacks.
Tentatively,
npm packed tarball that is deployednode is launched.The CODE and SMELLY-CODE victory conditions are unfortunately subjective but I've no better way to represent the need for security under maintenance when developers or reviewers are under time pressure.
I've got a skeletal demo-app at github.com/mikesamuel/attack-review-testbed that has an intentionally high attack surface to allow testing the effectiveness of mitigations
require a handler but uses resource integrity hooks to prevent loading of code from untrusted sourcesTrustedHTML values instead of strings, and hooks the server to only append TrustedHTML to the body.queryeval and new Function via V8 flags but re-enables them for modules like promise and depd using new Proxy(Function, ...) tricks.I still have some work to increase the attack surface. I plan to
required onto the system.sh-template-tag to untar uploaded images.new Function protections.Anyone interested in a weekly call to sort out logistics for the attack review, and how to recruit attackers?
@lirantal Thanks for the fix.
maybe copy the information you added in this thread comments (1, 2), to a README on the project
Will do. I'm almost feature complete, then I'll focus on getting those disparate pieces of documentation organized.
As @lirantal mentioned, there's a draft README and a breach report template.
The pre-launch issue tracker labels collects tasks that should be completed before inviting attack.
I have a line on some attack reviewers, but would appreciate suggestions on where to recruit more.
@mikesamuel I think we can use the Security WG Slack workspace to host a channel dedicated to this effort. I can spread the word among my team mates, they love a good challenge.
Thanks @MarcinHoppe
I created a channel on https://nodejs-security-wg.herokuapp.com/ and I changed the support links from
Getting Answers To Questions
TODO: Slack channel or something similar
to
Getting Answers To Questions
Post on the # attack-review channel at
https://nodejs-security-wg.slack.com/ if you're having trouble.We'll try to update the wiki in response to common questions.
If you need a private channel:
| Contact | Availability | DMs |
| ----------- | -------------- | ----------------- |
| Mike Samuel | US EST (GMT+5) | twitter/@mvsamuel |
@MarcinHoppe @lirantal @deian
I think it's ready for early attackers to at least iron out any bugs in the getting started discussions.
I'll be on the #attack-review slack channel in case anyone wants to chat.
Next I'll be putting together a short screencast video walking through the target app.
Implemented a vulnerable variant of the server.
Testing Attacks against a vulnerable server
Running scripts/build-vulnerable.sh will copy the server source files over to a directory vulnerable/.
You can then run vulnerable/scripts/run-locally.js to start up the modified server.
The vulnerable server has most of the mitigations disabled, so you can try an attack against the vulnerable server. If it doesn't work against the target server, then the difference between the two mitigated the attack.
Seems it will be quite some undertaking of manual work to pentest the app, but the concept of a security-hardened Node.js is intriguing and I think that it is interesting to see how this will work with Anna's security policies PR as well as possibly @vdeturckheim efforts of fuzzing Node.js core to help with this test-bed.
@lirantal
Seems it will be quite some undertaking of manual work to pentest the app, but the concept of a security-hardened Node.js is intriguing
I think if I can get enough eyes on this, we can get coverage without any one person having to test the whole thing.
and I think that it is interesting to see how this will work with Anna's security policies PR as well as possibly @vdeturckheim efforts of fuzzing Node.js core to help with this test-bed.
@addaleax
There is a vulnerable variant of the server that has mitigations removed. That could serve as the basis for a target app with Anna's policies.
IIUC, Anna's policies focus on controlling what process-external endpoints can be connected to, not the integrity of messages sent to those endpoints. If that's the case, then the message-integrity preserving goals of this could complement Anna's policies.
This attack review focuses on:
- XSS: Arbitrary code execution client-side.
- Server-side arbitrary code execution
- CSRF: Sending state-changing requests that carry user credentials without user interaction or expressed user intent.
- Shell Injection: Structure of shell command that includes crafted substrings does not match developers' intent.
- SQL Injection: Structure of database query that includes crafted substrings does not match developers' intent.
IIUC, Anna's work is relevant to (2, 4, 5) but its goals do not include addressing (1, 3).