Discovering Hidden Properties to Attack Node.js ecosystem

Presented at DEF CON 28 (2020) Virtual, Aug. 6, 2020, 9:30 a.m. (30 minutes)

Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to the increasing popularity, the security of Node.js is critical to web servers and desktop clients. We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely-used data exchanging feature of JavaScript to tamper critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks. To help developers detect the HPA issues of their Node.js applications, we develop a tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely-used Node.js programs and identify 13 previously unknown vulnerabilities. LYNX successfully generates 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of paper writing, we have received the confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them use a new vulnerability notion and description in related security issues. The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely-used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.

Presenters:

• Feng Xiao - security researcher at Georgia Tech
  Feng Xiao is a security researcher at Georgia Tech. His research interests include software/system security. He has published three papers on top security venues such as DEFCON, IEEE S&P, and CCS. https://fxiao.me/

Links:

• https://defcon.org/html/defcon-safemode/dc-safemode-speakers.html#Xiao
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Feng Xiao - Discovering Hidden Properties to Attack Node.js ecosystem - Q&A.mp4
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Feng Xiao - Discovering Hidden Properties to Attack Node.js Ecosystem.mp4
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Feng Xiao - Discovering Hidden Properties to Attack Node.js ecosystem.srt (subtitles)
• https://www.youtube.com/watch?v=oGeEoaplMWA

Similar Presentations:

• Black Hat USA 2020 Virtual / Discovering Hidden Properties to Attack the Node.js Ecosystem
• BSides Austin 2016 / The Node.js Highway: Attacks Are At Full Throttle
• Black Hat USA 2015 / The Node.js Highway: Attacks are at Full Throttle