Blog Posts

In Memory Backdoor for Node.js Express Apps

Earlier this week Zach Grace published an article on one way that you could backdoor a Node.js Express application without touching disk. This jogged my memory of something I posted in our team’s chat last week but never wrote about: how I would backdoor an Express application in memory. It’s a bit different from how Zach approached it, so I thought it would be good to expand upon his post and share the knowledge.

Compromising Node.js apps using Machine-in-the-Middle

Just before New Year’s I published 140+ advisories on Node.js modules. I’ve been researching ways to compromise developers and Node.js applications without compromising the npm registry or its CDN.

Pillaging Distributed Version Control 5 Years Later

Five years ago at DEFCON 19 I gave a talk titled “Pillaging DVCS repos for fun and profit.” The technique and tool I outlined in that talk have been very fruitful throughout the years, and plenty of security consultants have told me that this helped them have breakthroughs during penetration tests. If it’s useful to us, it’s also useful to attackers.

What Are the Bots Up to on npm?

Last year (2015) I had a thought: “who else is downloading and running / testing random modules on npm?” I postulated that there might be bots, build systems or other researchers mass downloading and running modules from npm. I figured it might be an interesting vector to attack systems and gain a foothold in some org, and I was curious to know what that traffic looked like.

Atom.io Misconfiguration Allowed Code Execution on Untrusted Networks

Developers have become an increasingly valuable target to compromise in recent years. The DevOps movement means they have more access to production, not to mention the plethora of source code and keys that you are likely to find on their machines.

Brilliant Hire Exposure No Bounty

During security research a few years back, I discovered an exposure on SAP’s BrilliantHire API: an exposed Node.js debugger instance that provided full remote code execution capabilities and access to sensitive AWS credentials, database encryption keys, and production source code. The finding highlights how a simple misconfiguration can lead to complete system compromise.

Regular Expression Denial of Service Affecting Express.js

At the end of April I found a flaw in a module that Express and many other frameworks use. This flaw allows a remote attacker to block the event loop of a remote site, causing a Denial of Service that effectively prevents the site from being accessed. This type of attack is known as a Regular Expression Denial of Service attack, and we’ve found it to be quite common in the applications and modules we test.
