Introduction
We all know and everybody does agree that javascript is awesome. It is a language that by any metrics is growing faster than anything else. There is a lot of reasons for this. There is a lot of goodness in this. This are some core javascript traits.
• Built-in memory management
• Native serialization (JSON)
• Naturally scalable (via Eventloop)
• Frequent template /encoding use
• Flourishing npm package ecosystem
Javascript capabilities
These are amazing capabilities. They are core allowing the building of amazing things. But sometimes the same capabilities that make it awesome also make it vulnerable. So you look at this various different capabilities and what you can see as Built- in memory management one can look at the flaws and see buffer objects and leaking memory from servers. If you talk about native serialization hackers can look at it and do some type manipulation because types a decided in runtime and those kind of changes can be manipulated. A lot of our talk today is going to center on how javascript capabilities can be manipulated and abused.
• Built-in memory management : Buffer vulnerabilities
• Native serialization (JSON) : Type manipulation
• Naturally scalable (via Eventloop): Regex Dos
• Frequent template /encoding use: Sandbox Escaping
• Flourishing npm package ecosystem: Vulnerable packages
Another thing to remember is that this vulnurebalities don’t just happen in your code. Part of the core part of the javascript ecosystems are libraries . Npm, node, jquery. Much of the codes are open source codes. A typical application has thousands of dependencies which leads to a situation where your app is very large but your code is so small. It is slightly frightening from a security perspective. Most of your apps code come from npm which makes most of your apps vulnerabilities to come from npm. This is not a theoretical problem, it is practically what happens when we use npm packages.
Risk front-end Apps
Packages use packages that use other packages and within that ecosystem is vulnerabilities. Pretty every node shop has these and this risk node apps and front-end app has vulnerabilities in front-end apps like angular, react and node apps with all the packages we pull in from npm. Also there is the internet of things, we hear about Ddos and other massive attacks that take down the internet. Many of these devices run node apps and light weight apps and these can have vulnerabilities. We are going to look at
• Explain and exploit real world javascript vulnerabilities using npm
• Discuss remediation and solutions for vulnerable code and packages
We will discuss this in our next write up
Top comments (0)