Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28
Patterns in Node Package Vulnerabilities
Chetan Karande
const me = {
  "Principal Software Engineer": "Depository Trust & Clearing Corporation (DTCC)",
  "Project Leader": "OWASP NodeGoat Project",
  "Author": [ ]
};
JSON.stringify(me);
532 packages/day
~ 700,000 packages
88 Disclosures
603 Vulnerabilities
1,098 Advisories
1 : 600
npm audit
Snyk CLI
By seeking and blundering we learn.
- Johann Wolfgang von Goethe
528
1,084
+
1,023 Unique Advisories
Insecure Access to File System
Pattern # 1 Directory Traversal
Caused by an insecure dependency vulnerable to Directory Traversal
Directory Traversal: Common Coding Mistakes
Missing or insufficient user input validation for path traversal characters before using it in a URL to serve contents on the server.
• /
• ../
• %2f
• %2e%2e/
• %2e%2e%2f
Directory Traversal: Mitigations
✓ If the path needs to be supplied from the user input, sanitize the input to remove path traversal characters (./ and ../ as well as encoded variations).
Insecure Access to File System
Pattern # 2 Symlink Attack / Arbitrary File Write
Symlink Attack
Application sharing the host server with external users
Shared folders
Symlink Attack
A malicious user sharing the host could exploit this vulnerability to:
Corrupt or destroy vital system or application files to which only the target application has access.
Symlink Attack: Common Coding Mistakes
Using predictable file or folder names when writing to shared directories on a host server shared with external users.
Example: The package writing logs to the shared /tmp directory with a predictable file name
> ln -s <source file> <target file>
Symlink Attack: Mitigations
✓ Avoid using shared system folders.
✓ If you have to use a shared folder for writing non-sensitive data, use the crypto module's randomBytes method to generate random filenames.
The more you leave out,
the more you highlight
what you leave in.
- Henry Green
Sensitive Data Exposure
Pattern # 3 Leaking Application Secrets
![Page 41: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/41.jpg)
Leaking Application Secrets: Common Coding Mistakes
Application-specific secrets appearing in insecure places such as:
• code repositories
• log files
• client-side storage
• URLs
• application global namespace
![Page 42: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/42.jpg)
Example: Leaking the SSL private key in the code repository
![Page 43: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/43.jpg)
Example: URLs with authentication tokens appearing in the logs
![Page 44: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/44.jpg)
Example: OAuth Bearer Token appearing in the browser local-storage
![Page 45: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/45.jpg)
✓ Securely store applications secrets in Hardware Security Module (HSM) or Key Management Services.
Leaking Application SecretsMitigations
![Page 46: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/46.jpg)
✓ Securely store applications secrets in Hardware Security Module (HSM) or Key Management Services.
✓ Mask any sensitive data before it appears in the log
files.
Leaking Application SecretsMitigations
![Page 47: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/47.jpg)
Leaking Application Secrets: Mitigations
✓ Securely store application secrets in a Hardware Security Module (HSM) or Key Management Service.
✓ Mask any sensitive data before it appears in the log files.
✓ To reduce the impact of a leak, use short-lived tokens.
Sensitive Data Exposure
Predictable Secrets
Pattern # 4 Insecure Randomness
Insecure Randomness: Common Coding Mistakes
• Using the Math.random() method to generate random values in a security-sensitive context (random tokens, resource IDs, or UUIDs).
• Math.random() is cryptographically insecure. It can produce predictable values.
![Page 51: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/51.jpg)
Example: Using Math.random() to generate UUID
![Page 52: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/52.jpg)
Example: Using Math.random() to generate Socket IDs
![Page 53: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/53.jpg)
Insecure Randomness: Mitigations
✓ Use the crypto module to generate random numbers instead of Math.random().
![Page 54: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/54.jpg)
Insecure RandomnessMitigations
![Page 55: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/55.jpg)
Insecure RandomnessMitigations
![Page 56: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/56.jpg)
Sensitive Data Exposure
Predictable Secrets
Pattern # 5 Non-constant Time Comparison
Non-constant Time Comparison: Common Coding Mistakes
Using fail-fast comparison logic to match user inputs against sensitive values.
Example: JavaScript native string comparison operators (===, ==)
Example: Using fail-fast operators to compare CSRF tokens
Example: Using a fail-fast iterator to compare byte arrays
Non-constant Time Comparison: Mitigations
✓ Use constant-time comparison logic that takes the same amount of time regardless of the input values.
Sensitive Data Exposure
Pattern # 6 Remote Memory Exposure
![Page 64: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/64.jpg)
Remote Memory Exposure: Common Coding Mistakes
• Prior to Node.js 8, the Buffer constructor that takes a number as an argument generates a Buffer instance with uninitialized underlying memory.
• The contents of a newly created Buffer remain unknown and might contain sensitive data.
![Page 65: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/65.jpg)
Examples of Uninitialized Memory Exposure
Example: Using unsafe Buffer constructor
![Page 66: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/66.jpg)
Example: Using unsafe Buffer constructor
![Page 67: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/67.jpg)
Example: Using unsafe Buffer constructor
![Page 68: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/68.jpg)
Remote Memory Exposure: Mitigations
✓ Upgrade to Node.js version 8.11.3 or later (also fixes a DoS vulnerability related to Buffer).
✓ Use the safe method Buffer.alloc(size) to create a buffer that is initialized with zeroes.
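Added example (not from the talk): the type confusion that drives this pattern, and the `Buffer.alloc` / `Buffer.from` fixes beside it. Code that called `new Buffer(input)` expecting a string would, if a number arrived instead, allocate that many bytes of uninitialized memory and could then send them back to the client. The function names and the 1 MiB size cap are choices made for this example.

```javascript
// Added example: never let the caller's type choose between "bytes of this
// string" and "this many uninitialized bytes".
const MAX_BYTES = 1024 * 1024; // cap on any caller-driven allocation

// The mistake, kept only to name it (never called here): with a string this
// copies the text, but with a number it allocated `input` bytes, and before
// Node 8 those bytes were whatever the process had used the memory for.
function legacyToBuffer(input) {
  return new Buffer(input); // deprecated constructor; do not use
}

// Fix 1: accept only the types you mean. Strings and byte arrays go through
// Buffer.from; a number is a bug in the caller and is rejected.
function toBuffer(input) {
  if (typeof input === 'string') return Buffer.from(input, 'utf8');
  if (Buffer.isBuffer(input) || input instanceof Uint8Array || Array.isArray(input)) {
    return Buffer.from(input); // copies the bytes
  }
  throw new TypeError(`expected string or bytes, got ${typeof input}`);
}

// Fix 2: when a fresh buffer of a given size really is wanted, validate the
// size and use Buffer.alloc, which zero-fills (Buffer.allocUnsafe does not).
function allocZeroed(size) {
  if (!Number.isSafeInteger(size) || size < 0 || size > MAX_BYTES) {
    throw new RangeError(`invalid buffer size: ${size}`);
  }
  return Buffer.alloc(size);
}

// True when every byte is zero, which is what Buffer.alloc guarantees.
function isZeroed(buf) {
  return buf.every((b) => b === 0);
}
```

Upgrading Node closes the uninitialized-memory half of the problem; the explicit type check is still worth keeping, because a number where a string was expected will otherwise turn into an allocation the client controls, which is the next pattern in the talk.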
Sensitive Data Exposure
Pattern # 7 Insecure Network Usage
Insecure Network Usage: Common Coding Mistakes
• Using the insecure HTTP protocol to download resources as part of install scripts or at runtime.
Insecure Network Usage: Mitigations
✓ Download resources over a secure HTTPS connection.
✓ Provide an option for users to download dependencies in advance and specify the location path.
Denial of Service (DoS)
Pattern # 8 Exhausting System Resources
Example: Exceeding V8’s maximum string size limit
Example: Exceeding V8’s maximum buffer size limit
Example: Unrestricted file uploads exhausting file-system space
DoS by Exhausting System Resources: Common Coding Mistakes
• Allocating an unrestricted amount of system resources based on the size of a user input.
DoS by Exhausting System Resources: Mitigations
✓ Validate the size of a user input before processing it.
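Added example (not from the talk): bounding what a request may make the process allocate. A declared Content-Length is checked up front, and because clients can omit or misstate it, the limit is also enforced chunk by chunk while the body streams in, so the total can never pass the cap before the check runs. The class and function names, the 413 status and the 1 MiB default are choices made for this example; the chunks in the test stand in for a socket's 'data' events.

```javascript
// Added example: size validation before and during body accumulation.
const DEFAULT_MAX_BYTES = 1024 * 1024;

class BodyLimitError extends RangeError {
  constructor(received, max) {
    super(`request body of ${received} bytes exceeds limit of ${max}`);
    this.name = 'BodyLimitError';
    this.statusCode = 413; // Payload Too Large
  }
}

// Reject early when the declared length already exceeds the cap. Returns the
// parsed length, or null when the header is absent or not a valid integer
// (in which case the streaming check below is the only guard).
function checkContentLength(headers, max = DEFAULT_MAX_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return null;
  const declared = Number(raw);
  if (!Number.isSafeInteger(declared) || declared < 0) return null;
  if (declared > max) throw new BodyLimitError(declared, max);
  return declared;
}

// Accumulates body chunks and refuses to grow past the cap. The check is
// on the running total *before* the chunk is stored, so memory held never
// exceeds `max`, whatever the client declared.
class BoundedCollector {
  constructor(max = DEFAULT_MAX_BYTES) {
    this.max = max;
    this.total = 0;
    this.chunks = [];
  }

  push(chunk) {
    const next = this.total + chunk.length;
    if (next > this.max) throw new BodyLimitError(next, this.max);
    this.total = next;
    this.chunks.push(chunk);
  }

  finish() {
    return Buffer.concat(this.chunks, this.total);
  }
}

// Convenience over an array of chunks (a stand-in for a stream's 'data'
// events); a real handler would call push() from the event and, on error,
// destroy the socket and answer 413.
function collectBounded(chunks, max = DEFAULT_MAX_BYTES) {
  const collector = new BoundedCollector(max);
  for (const chunk of chunks) collector.push(chunk);
  return collector.finish();
}
```

The same shape applies to the other examples on the slides: cap the number of files and bytes an upload handler will accept, and cap the length of any string a parser will build, before the allocation happens rather than after.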
Denial of Service (DoS)
By Small Targeted Inputs
Event Loop(Main Thread)
Event Queue
Worker Pool
![Page 83: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/83.jpg)
Event Loop(Main Thread)
Requests
Event Queue
Worker Pool
![Page 84: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/84.jpg)
[Diagram: Requests, Event Queue, Event Loop (Main Thread) running JavaScript code (synchronous / callback code), Worker Pool]
![Page 85: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/85.jpg)
[Diagram: Requests, Event Queue, Event Loop (Main Thread), Worker Pool handling expensive I/O operations: File System, Network, Database]
![Page 86: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/86.jpg)
[Diagram: Requests, Event Queue, Event Loop (Main Thread), Worker Pool handling expensive I/O operations (File System, Network, Database), Callback]
![Page 87: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/87.jpg)
[Diagram: Event Loop (Main Thread), Worker Pool]
![Page 88: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/88.jpg)
A malicious client could submit an "evil input", make your threads block, and keep them from working on other clients.
This would be a Denial of Service attack. - Node.js Docs
![Page 89: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/89.jpg)
[Diagram: Event Loop (Main Thread)]
![Page 90: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/90.jpg)
Denial of Service (DoS)
Pattern #9 Blocking Event Loop
![Page 91: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/91.jpg)
• Running an execution loop whose iterations depend on the length of a user input.
DoS by Blocking Event Loop: Common Coding Mistakes
![Page 92: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/92.jpg)
![Page 93: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/93.jpg)
![Page 94: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/94.jpg)
• Running an execution loop whose iterations depend on the length of a user input.
• Using unsafe Regular Expressions
DoS by Blocking Event Loop: Common Coding Mistakes
![Page 95: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/95.jpg)
• By default, regular expressions get executed in the main event loop thread
• Evil regex can take exponential execution time when applied to certain non-matching inputs.
DoS by Blocking Event Loop: Regular Expression Denial of Service (ReDoS)
![Page 96: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/96.jpg)
![Page 97: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/97.jpg)
`/^(.*,)+(.+)?$/`
![Page 98: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/98.jpg)
Input format: `,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n`

| Input Length | Execution Time |
|---|---|
| 25 | 2 sec |
| 26 | 4 sec |
| 27 | 9 sec |
| 28 | 15 sec |
| 30 | 1 minute |
| 35 | 34 minutes |
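As an added example (not from the talk), a small scanner that flags the shape of the regex above, a quantified group whose body is itself quantified, together with a linear-time replacement for that particular pattern. It is a heuristic in the spirit of star-height checks: it misses ReDoS caused by overlapping alternation such as `(a|a)+` and flags some patterns that are actually safe, so treat a hit as a prompt for review.

```javascript
// Added example (not from the talk): a heuristic scanner for the regex shape on
// the slide, a quantified group whose body is itself quantified, e.g. (.*,)+ .
// Simplified: it skips escapes and character classes but does not model every
// regex feature, and it misses ReDoS from overlapping alternation like (a|a)+.
function quantifierAt(src, i) {
  const m = /^(?:[*+?]|\{\d+(?:,\d*)?\})\??/.exec(src.slice(i));
  return m ? m[0] : null;
}

// Only an unbounded outer quantifier (*, +, {n,}) makes the nesting exponential.
function isUnbounded(q) {
  return q !== null && (q[0] === '*' || q[0] === '+' || /^\{\d+,\}/.test(q));
}

function hasNestedQuantifier(source) {
  const groups = []; // one flag per open group: did a quantified atom occur inside?
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (ch === '(') {
      groups.push(false);
      i += 1;
      if (source[i] === '?') i += 2; // skip (?: (?= (?! prefixes
      continue;
    }
    if (ch === ')') {
      const inner = groups.pop();
      const q = quantifierAt(source, i + 1);
      if (inner && isUnbounded(q)) return true; // the (x+)+ shape
      if (q !== null && groups.length) groups[groups.length - 1] = true;
      i += 1 + (q ? q.length : 0);
      continue;
    }
    // a single atom: escape, character class, or plain character
    let next = i + 1;
    if (ch === '\\') next = i + 2;
    else if (ch === '[') {
      next = source.indexOf(']', i + 1) + 1; // does not handle an escaped ] in a class
      if (next === 0) return false; // malformed class: give up rather than guess
    }
    const q = quantifierAt(source, next);
    if (q !== null && groups.length) groups[groups.length - 1] = true;
    i = next + (q ? q.length : 0);
  }
  return false;
}

// Linear-time replacement for /^(.*,)+(.+)?$/ : with no flags that regex accepts
// exactly the strings that contain a comma and no line terminator (`.` never
// matches one, and `$` only matches at end of input), which needs no backtracking.
function hasCommaSingleLine(s) {
  return s.includes(',') && !/[\n\r\u2028\u2029]/.test(s);
}

// Use at module load to refuse risky patterns before they can see user input.
function assertSafeRegex(re) {
  if (hasNestedQuantifier(re.source)) {
    throw new Error(`regex ${re} has nested quantifiers (ReDoS risk)`);
  }
  return re;
}
```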
![Page 99: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/99.jpg)
Denial of Service (DoS)
Pattern #10 Crashing Event Loop By Unhandled Operational Errors
![Page 100: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/100.jpg)
1. Failing to handle Invalid User Inputs
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
![Page 101: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/101.jpg)
Invalid Character. Root Cause: unexpected trailing `\` in the URL `localhost:3000/index.html\`
![Page 102: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/102.jpg)
Malformed Request Header. Root Cause: unexpected `accept-encoding` HTTP header value
![Page 103: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/103.jpg)
Invalid Object Shape. Root Cause: type coercion of HTTP request parameters
![Page 104: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/104.jpg)
• User input coercion via HTTP Request Parameters in qs, Express, Koa
// GET /search?conference=appSecEU
request.query.conference //=> "appSecEU"
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
![Page 105: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/105.jpg)
![Page 106: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/106.jpg)
• User input coercion via HTTP Request Parameters in qs, Express, Koa
// GET /search?conference=appSecEU&conference=appSecUSA
request.query.conference //=> ["appSecEU", "appSecUSA"]
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
![Page 107: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/107.jpg)
• User input coercion via HTTP Request Parameters in qs, Express, Koa
// GET /search?conference[]=appSecEU
request.query.conference //=> ["appSecEU"]
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
![Page 108: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/108.jpg)
![Page 109: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/109.jpg)
• User input coercion via HTTP Request Parameters in qs, Express, Koa
// GET /search?conference[appSecEU][year]=2018
request.query.conference //=> { appSecEU: { year: '2018' } }
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
![Page 110: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/110.jpg)
✓ Validate user inputs for the expected value, type, or shape before processing them (using the joi package, for example)
DoS by Crashing Event Loop by Unhandled Operational Errors: Mitigations
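An added example (not from the talk) that covers both the "validate the size of a user input" mitigation from the resource-exhaustion pattern and the type/shape validation above. The query objects are constructed the way qs/Express parse the slide's URLs (no server involved); the handler names, the `size` parameter and `MAX_PAGE_SIZE` are assumptions for illustration.

```javascript
// Added example, not from the talk. Query objects are constructed as qs/Express
// would parse the slide's URLs; handler names, "size" and MAX_PAGE_SIZE are assumed.
const MAX_PAGE_SIZE = 100; // assumed ceiling for a client-chosen page size

const QUERIES = {
  // GET /search?conference=appSecEU&size=20
  plain:  { conference: 'appSecEU', size: '20' },
  // GET /search?conference=appSecEU&conference=appSecUSA&size=20
  array:  { conference: ['appSecEU', 'appSecUSA'], size: '20' },
  // GET /search?conference[appSecEU][year]=2018&size=20
  object: { conference: { appSecEU: { year: '2018' } }, size: '20' },
  // GET /search?conference=appSecEU&size=4000000000
  huge:   { conference: 'appSecEU', size: '4000000000' },
};

// The mistakes from the slides in one handler: it assumes conference is a string
// (an array or object has no toUpperCase, so it throws TypeError) and sizes a
// buffer straight from user input (a huge size exhausts memory or throws RangeError).
function searchUnchecked(query) {
  const name = query.conference.toUpperCase();
  const page = Buffer.alloc(Number(query.size));
  return { status: 200, body: `${name}:${page.length}` };
}

// Mitigation: validate value, type and shape before use (hand-rolled here; the
// slides suggest a schema package such as joi for the same job).
function validateSearchQuery(query) {
  const errors = [];
  const { conference, size } = query;
  if (typeof conference !== 'string' || !/^[A-Za-z0-9]{1,32}$/.test(conference)) {
    errors.push('conference must be a single alphanumeric value');
  }
  // typeof rejects the array that ?size[]=20 would produce; the regex rejects
  // signs, decimals and overlong digit strings before Number() ever sees them.
  const n = typeof size === 'string' && /^\d{1,9}$/.test(size) ? Number(size) : NaN;
  if (!(n >= 1 && n <= MAX_PAGE_SIZE)) {
    errors.push(`size must be an integer between 1 and ${MAX_PAGE_SIZE}`);
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { conference, size: n } };
}

function searchChecked(query) {
  const v = validateSearchQuery(query);
  if (!v.ok) return { status: 400, body: v.errors.join('; ') };
  const page = Buffer.alloc(v.value.size); // bounded, so safe to allocate
  return { status: 200, body: `${v.value.conference.toUpperCase()}:${page.length}` };
}
```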
![Page 111: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/111.jpg)
1. Failing to handle Unexpected User Inputs
2. Missing or incorrect operational error handling
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
![Page 112: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/112.jpg)
Mechanisms to communicate Operational Errors
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
throw new Error('something bad happened!');
![Page 113: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/113.jpg)
![Page 114: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/114.jpg)
![Page 115: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/115.jpg)
DoS by Crashing Event Loop by Unhandled Operational Errors: Common Coding Mistakes
callback(new Error('something bad happened!'));
throw new Error('something bad happened!');
return Promise.reject(new Error('something bad happened!'));
myEmitter.emit('error', new Error('something bad happened!'));
Mechanisms to communicate Operational Errors
![Page 116: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/116.jpg)
Example: Failure to handle error object passed in the callback
![Page 117: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/117.jpg)
✓ Be aware of the error delivery mechanism used by the invoked function and handle errors accordingly.
DoS by Crashing Event Loop by Unhandled Operational Errors: Mitigations
![Page 118: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/118.jpg)
Quick Recap
![Page 119: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/119.jpg)
![Page 120: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/120.jpg)
• Insecure Access to File System
  • Pattern #1 Directory Traversal
  • Pattern #2 Symlink Attack
Quick Recap
![Page 121: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/121.jpg)
![Page 122: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/122.jpg)
• Sensitive Data Exposure
  • Pattern #1 Leaking Application Secrets
  • Pattern #2 Predictable Secrets (Insecure Randomness)
  • Pattern #3 Predictable Secrets (Non-constant Time Comparison)
  • Pattern #4 Remote Memory Exposure
  • Pattern #5 Insecure Network Usage
Quick Recap
![Page 123: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/123.jpg)
![Page 124: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/124.jpg)
• Denial of Service
  • Pattern #1 Exhausting System Resources
  • Pattern #2 Blocking Event Loop
  • Pattern #3 Crashing Event Loop By Unhandled Operational Errors
Quick Recap
![Page 125: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/125.jpg)
![Page 126: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/126.jpg)
Patterns in Node Package Vulnerabilities
![Page 129: Patterns in Node Package Vulnerabilities - Global AppSec · 2018-07-28 · Patterns in Node Package Vulnerabilities Chetan ... Common Coding Mistakes. Missing or insufficient user](https://reader036.fdocuments.in/reader036/viewer/2022070714/5ed6e54bdf0eda5e752aeb09/html5/thumbnails/129.jpg)
@karande_c