NodeJS: Switch is EVIL

switch statement in JavaScript is known to have bad effects as in other programming languages. In this post we discuss it's potential impact in server side JavaScript context like NodeJS. For more history on switch please refer Douglas Crockford's YUI blog post.

Let's look at a sample code snippet as in the screenshot below. This is an over-simplistic example. It is a funny little take on an app that reveals it's users the discount code based on their tiers. The logic that will determine the tier of the user and it's category is omitted for benefit of stressing on the issue at hand.

What should have happened was, the basic tier user Valued Customer should have been shown only 10% discount code. Now since our programmer forgot to apply the brakes (i.e. break highlighted in red in the previous case - in hurry or just human error or insufficient knowledge of switch may be), the second case code under case (dis < 5000) triggered leading to giving higher discount to a basic tier customer and showing a not so good message, as in the screenshot below.

Still in this fun app nothing really nasty happened. And the idea was exactly that to take a simple code and demo what switch could lead to.

In real world a similar mistake could lead to serious vulnerabilities - those are hard to detect. More I think of JavaScript, more I believe, coding best practices usually translate to security best practices. To be safe, anti-patterns like implied globals, with, eval, should be avoided. 

NodeJS: 'with' is evil

It is a known fact that with statement in JavaScript is evil. For a good read on why read Douglas Crockford's post on YUI blog.

Let's look at how it implies on server side JavaScript. Below is a fun little app coded by a beginner that tries to be funny although in real apps this could lead to unbelievably serious vulnerabilities.

So what went wrong here? The developer loves using with for it's shot handedness and thought she called the property names of the welcome object correctly. Also it didn't show any errors. But what her first user on the web saw was this (not that this)

So, she did a typo and ended up unintentionally modifying global variables she wasn't even aware of. Let's just imagine they existed in some other code base where she couldn't even see. This just reminds me how difficult will it be for a security guy like me to code review a code with with.

Now how with works is, it tries to find the property assignments in the context of the called object, if found, great, else it tracks back on the higher scope till reaching the global scope and assigning (actually clobbering) value of some other global variable if there is a match. Think common names like i, x, a, name... we all grew up coding with (not that with).

In short, do not use with, unless you are very sure of what you are doing. On a positive note, use of with is forbidden in ES5 strict mode.

NodeJS: Global Namespace Pollution

From a security standpoint, a big change for most server-side developers moving on to NodeJS would be the notion of JavaScript's global namespace. If misunderstood or with limited knowledge of this inherent property, writing secure NodeJS web apps will be a challenge.

So what is it? A prime property of JavaScript is, it is a 'global' language.

• variables by default have an implied global scope
• functions by default have an implied global scope
• all objects inherit from the native / built-in global objects

Let's understand more with a code snippet. In a traditional PHP script (or any other non-server side JS paradigm), each request  has it's own scope. So a code similar to below will always print 1, unlike in the case of NodeJS. Any request will share the same global scope.

In relevance to this code, each request will increase the global variable gbl by 1, as seen in the screenshot below for two different requests. In a PHP script such a model would only show 1 for every request.

So, what could go wrong from security perspective? Short answer - it depends, on the context and sensitivity of a global variable or function. An attacker could exploit this behavior to her benefit to achieve desired effects. What could those be,

• as a web user, could bypass logic flows
• a malicious library could over-ride native, built-in or known objects, variables, functions to adversely impact sensitive code base/libraries
• in a shared coding environment, an inexperienced developer could unintentionally over-ride native, built-in or known objects, variables, functions - adversely impacting sensitive code base/libraries

A lot more serious stuff could happen only time will tell.

So what's the defense? Unless really needed, always define your functions, variables, as local, as shown in the screenshot below.

Now you get the desired effect as in PHP. Each request now shows gbl as 1. For potential rogue/malicious libraries - audit them! JSLint (though a bit noisy) is a good bet.

I am a JavaScript beginner, hence for a healthy advise for typical programming requirements, I recommend reading Douglas Crockford's post on why Global is Evil and the best practices to avoid it.

Node.JS Security - the good, bad and ugly

At the moment, dev world is full of rave about Node and server side JavaScript (databases like MongoDB and the likes). There hasn't been a better time for front-end and JS developers. On the first look - it appears great, promising and exciting.

On the down side, as with most upcoming technologies, there isn't enough security analysis, consideration and advisory to reference and understand gotchas with server side JS. Nothing wrong with that - it's functions, coolness and innovation that brings business and not security (history/economics is a testimony).

In this post, I will share my security view point as I see it. This could be an ever growing list and the kind of things you can achieve with server side JavaScript - there is no early end to this.

Let's start with the good things. Node inherently introduces a great security benefit over
traditional server side programming paradigms and that is "secure by default" (reminds me of my NetBSD days). As highlighted in white below, your create your web server - a bare bone types and not a full blown with bells and whistles like Apache.

And then chose and pick what you want. Like define what your doc root will have - unlike anything and everything in a traditional web doc root. Like highlighted in yellow below - that is what your web server will respond to for requests. Rest needs to be caught by a 404.

Summarizing - your web server isn't configured and capable more than what you want it to be unlike Apache, Tomcat or IIS. I recall countless instances of Tomcat compromises due to default admin and manager apps that come installed and running with default passwords. And IIS getting exploited with WebDAV buffer overflow when in reality the web app never really needed it in first place. Typically web servers sent a false sense of security where developers mostly considered them to be secure. And we all know, more features, bigger the attack surface. Bigger the attack surface more chances of things going wrong. And something that can go wrong will go wrong!

On the flip side - the bad parts. Node carries over the known dangerous JavaScript APIs like the eval that can be trivially exploited to do server side injection (that were earlier only client side exploits like XSS).

Let's look at a PoC exploit where app evaluates the input and returns  an output like below

Abusing eval on client side would result an XSS but on server-side it induces a server side injection alike SQL Injection as seen below where we inject an HTTP response.

 The screenshot below highlights execution of server side injection.

To best of my knowledge, this issue was first brought to notice in context of Node by Bryan Sullivan at BlackHat. Not a brand new exploit. We know eval is evil. What is worth note here is most developers wouldn't imagine this happening at the first go. From that perspective this exploit vector server side is novel.

What do I see ugly? The ugly parts are the ones that introduce new attack vectors. There should have been default protection built-in ideally. The event driven single threaded programming model is not what web developers are used to. Node is single threaded and a simple error can create a denial of service condition as highlighted in the screenshot below.

As highlighted, hitting submit crashes the node server.

Similar DoS condition would result when messing with global variables - intentionally or unintentionally. Above scenarios are quite likely considering JS developers are usually quite used to errors. I see thousands of live sites day in and out that have a number of errors showing up in Firebug console and running absolutely ok which will not be the case as you go server side.

Another  ugly part is that web developers are not quite used to service permissioning. Web developers had it outsourced to Apache/IIS, would now end up running their node services as root, that earlier ran as nobody.

A 1000 feet high apple to apple comparison between let's say PHP and Node tells me - it took a step back in security. At least, you would come to expect a sanitization/validation library for a new programming language, if not a fancy new auto-sanitization module like PHP Filter (aah yes - Filter isn't a complete auto sanitization in PHP but you get what I mean).

An honest look and I feel node isn't meant to be used as is.  With a strong framework, is how it should be used. There are many in the fray right now - Express probably is the most widely used. I haven't tried it yet but from what I see, security in node is a work in progress.

Being a Yahoo, how can I end without not mentioning Yahoo Cocktails. Haven't played around with it yet, but this is something I have super high hopes with. The engineers I met there are fabulous. Come Q1 2012 it would be there for all of us to play around. Yahoo is a great company, the best  I have worked for - no doubt I would love to see it scoring high.

Learning more and more of Node, I keep reminding myself "Node is powerful, and with power comes responsibility".

Exploiting iGoogle Gadgets

Exploitation of iGoogle gadgets which uses iframes under the hood is well known. Here is an excellent paper on Frame Navigation that explores this attack vector on iGoogle gadgets.

Below is a quick demo on redirection attack on iGoogle gadgets. All the attacks that I mentioned on FB iframe tabs also apply here. It is just that iGoogle is less viral making FB a better ROI target.

Exploiting FB Iframe tabs

FBML was deprecated and Facebook iframe tabs were introduced in Feb'11. As expected it caught significant traction from the developer and security researchers alike. While developers applauded introduction of existing mechanisms like iframes that enable writing 3rd party apps without any learning curve that traditionally existed with Facebook, the security community alarmed concerns over the viral nature of Facebook that combined with iframes further exacerbated their evil nature. Below is a screenshot of Levi's iframe tab on FB.

I love iframes. Haven't they existed there would have been shouts of killing HTTP and inventing a new protocol to support client side mashups. So in a sense, iframe is a blessing that enabled an unexpected requirement by chance although with some security implications. Another assurance on my belief that these great technologies - HTTP, iframe and JS are there to stay for a very very long time, if someone still doubted. I also believe the new specifications HTML5 Sandbox and ES5 are moving in the right direction to enable secure mashups - 1 day when those (IE6) are buried!

Back to the topic. Nothing new but worth visiting what all an attacker could technically exploit on FB iframe tabs. 

1. Malicious Redirection via top.location = http://s0m3phishing.com, as seen in the video below. For demo I perform a redirect to http:///yahoo.com

2. Fake Login / Malicious UI via  and window.open()

3. Drive-by Downloads/ Install Malware via Content-Disposition: attachment

4. Denial of Service (DoS) and Noise by creating infinite alert()and while loops. This particularly is an issue not concerning many, including the security community, but for business it is, as an attacker can impact user engagement and experience which are of prime importance in this business.

5. Browser History Sniffing/Mining via getComputedStyle()as highlighted in the screenshot below

6. Referrer Leak like Referrer: http:///r.html?a=secret&b=private

7. LAN Scanning via JavaScript. A good write up on this is available here

Another SQL Injection Variant

Here is another variation of conducting successful SQL Injection attack, Truncation-Based SQL Injection, by Varun Sharma of Microsoft ACE team.

http://msdn.microsoft.com/hi-in/security/ee216344%28en-us%29.aspx

It is not a new vulnerability or something that defies existing security best practices against SQL Injection - use SQL Parameters, input validation, least privilege principle, but just highlights another way to break weak code.