[Russia] Node.JS - Architecture and Vulnerabilities
15
1 Node.JS – Architecture and Vulnerabilities By Leon Maister Oct, 2015
Transcript of [Russia] Node.JS - Architecture and Vulnerabilities
![Page 1: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/1.jpg)
1
Node.JS –
Architecture and Vulnerabilities
By Leon Maister
Oct, 2015
![Page 2: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/2.jpg)
Agenda
• Architecture
• DoS – (Demo)
• Weak Crypto – (Demo)
![Page 3: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/3.jpg)
Event Loop Event Queue
Event Loop
(Single thread)
File System
Database
Network
Register Callback
Operation Complete
Trigger Callback
http://stackoverflow.com/questions/21596172/what-function-gets-put-into-eventloop-in-nodejs-and-js
![Page 4: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/4.jpg)
![Page 5: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/5.jpg)
Architecture (cont)
• I/O Intensive
• DB queries
• Application with user UI
(WebApps)
• CPU Intensive
![Page 6: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/6.jpg)
DoS
Function sum (p)
for (i=1;i<=p;++i)
{
f=f+i;
}
This makes node.js highly vulnerable to DoS
http://localhost:49090/sum?p=5
http://localhost:49090/sum?p=100000000
http://localhost:49090/sum?p=5
![Page 7: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/7.jpg)
Weak Crypto
?
![Page 8: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/8.jpg)
Seed State0[0,1]
State1[0,1]
State2[0,1]
State3[0,1]
Staten[0,1]
Random0
Random1
Random2
Randomn
Random3
V8 PRNG is known as weak
V8 PRNG is known to be weak.
For example, check Amit Klein’s
http://dl.packetstormsecurity.net/papers
/general/Google_Chrome_3.0_Beta_M
ath.random_vulnerability.pdf
![Page 9: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/9.jpg)
V8’s default PRNG Given 3 consecutive random numbers, the values of state[0] and state[1] can be
inferred – hence all future values can be known in advance.
But
In browsers, each tab has its own set of “state” variables. That’s one of the reasons
this issue is treated as low-severity
But
In node.js, all users are running within the same context. Each user can tell what
are the values of the global “state” variables.
![Page 10: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/10.jpg)
V8’ f u PRNG
Given 3 “random” new passwords – we will be able to tell all future ones
First, we need to “reverse” the MD5 for 3 passwords to their original “random” float
number. Then, we need to compute the “state” variable to get the 4th consecutive
value.
![Page 11: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/11.jpg)
Register FakeUser1
Register FakeUser2
Register FakeUser3
FakeUser1 Password
FakeUser2 Password
FakeUser3 Password
Reminder:
Password = MD5(random())
Step 1
![Page 12: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/12.jpg)
Step2
Register FakeUser1
Register FakeUser2
Register FakeUser3
FakeUser1 Password
FakeUser2 Password
FakeUser3 Password
Reminder:
Password = MD5(random())
![Page 13: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/13.jpg)
Step2
FakeUser1 – Clear Random
FakeUser1 Password
FakeUser2 Password
FakeUser3 Password
Reminder:
Password = MD5(random())
FakeUser2 – Clear Random
FakeUser3 – Clear Random
![Page 14: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/14.jpg)
Step2
FakeUser1 – Clear Random
FakeUser1 Password
FakeUser2 Password
FakeUser3 Password
Reminder:
Password = MD5(random())
FakeUser2 – Clear Random
FakeUser3 – Clear Random
RealUser1 – Future Password
![Page 15: [Russia] Node.JS - Architecture and Vulnerabilities](https://reader042.fdocuments.in/reader042/viewer/2022030307/58ea841c1a28ab0c0b8b6613/html5/page/15.jpg)
DEMO
