Slides available at http://asfws12.files.wordpress.com/2012/11/node_security_presentation_v3_asfws.pdf

Much like Alok’s OPA presentation the previous day, Sven Vetsch guided us through Node.js, a high-performance JavaScript web server based on Google’s V8 engine. Node.js (Node from here on) features a full API with no blocking actions. With a simple “Hello World!” example in JavaScript, we saw how easily client-side scripting skills can be reused on the server side. Fun fact: console.log also works in Node, and printing the character %07 (BEL) via this function will inevitably lead to a chorus on your server.

But reusing insecure client-side scripting patterns can have much more dramatic consequences on the server side. Vulnerable functions such as eval() no longer “just” result in DOM-based XSS flaws within a browser; they can now be leveraged to quickly compromise your whole web server. As a proof of concept, Sven developed his own Metasploit module to backdoor a Node server within one request containing a vulnerable script. And due to the magic of JavaScript, you can redefine any existing function to your needs, not only within the scope of your request but for the whole server, achieving persistence until the next server reboot.
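The pattern described above, as an added example (not from Sven’s talk or slides): a handler that passes the request body to eval() next to one that uses JSON.parse with shape validation, plus a startup snapshot that detects a redefined function. The `helpers` object, the function names and both request bodies are constructed for illustration.

```javascript
// Added example; every name here is hypothetical.
// Shared helper object, created once at startup and used by every request.
function makeServerState() {
  const helpers = { formatPrice: (n) => '$' + n.toFixed(2) };
  const baseline = new Map(Object.entries(helpers)); // startup snapshot
  return { helpers, baseline };
}

// VULNERABLE: client-side habit of eval-ing "JSON". The body runs as code in
// the server process and can reach anything in scope, including `helpers`.
function parseVulnerable(body, helpers) {
  return eval('(' + body + ')');
}

// HARDENED: the body is only ever data; reject anything of unexpected shape.
function parseHardened(body) {
  const obj = JSON.parse(body); // throws SyntaxError on non-JSON input
  if (obj === null || typeof obj !== 'object' || !Number.isInteger(obj.qty)) {
    throw new TypeError('unexpected request shape');
  }
  return { qty: obj.qty };
}

// Integrity check: helpers whose function reference changed since startup.
function tamperedHelpers(state) {
  return Object.keys(state.helpers)
    .filter((k) => state.helpers[k] !== state.baseline.get(k));
}

// Handle one request; a parse failure becomes a 400 instead of a crash.
function handle(state, parse, body) {
  try {
    const { qty } = parse(body, state.helpers);
    return { status: 200, text: state.helpers.formatPrice(qty * 9.5) };
  } catch (err) {
    return { status: 400, text: err.name };
  }
}

// Constructed bodies: one ordinary, one carrying an assignment, not pure data.
const OK_BODY = '{"qty": 2}';
const CODE_BODY = '{"qty": (helpers.formatPrice = function () { return "tampered"; }, 1)}';

// Send CODE_BODY first, then a separate well-formed request, then run the check.
function demo(parse) {
  const state = makeServerState();
  const first = handle(state, parse, CODE_BODY);
  const later = handle(state, parse, OK_BODY);
  return { first, later, tampered: tamperedHelpers(state) };
}
console.log(demo(parseVulnerable), demo(parseHardened));
```

With the eval() parser the later, well-formed request still gets the replaced function, which is the server-wide persistence the talk pointed out; with JSON.parse the first body is rejected and the shared state is untouched.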

As listed on slide 35, many features aren’t natively supported by Node. But the package manager npm lets you complement your installation and also takes care of package dependencies. A vulnerability or backdoor in a popular package may therefore impact the security of many websites. As is often the case, the quality of the modules in the repository varies enormously, making reviews of all involved dependencies tough. Many other vulnerable examples are provided in Sven’s slide set, featuring code you absolutely don’t want to see in any of your production applications.