How to Hack an Angular app? - Asim Hussain

Reddit Comments

Pretty misleading title, huh?

👍︎︎ 12 👤︎︎ u/fusionove 📅︎︎ May 10 2018 🗫︎ replies

Dude just took a general security talk and repackaged it. I stopped going to conferences because most talks end up like this.

👍︎︎ 3 👤︎︎ u/viveleroi 📅︎︎ May 10 2018 🗫︎ replies
Captions
Thank you, you too. Hi. So before I begin today I'd just like to ask a really quick question to the audience: could you put your hands up if you've ever been so scared in your life, so frightened, that a little bit of wee has come out? Yeah, hands up, look at me. Okay, you can put your hands down now. That's about 43% of the audience, and hopefully by the end of today I'll increase that number a little bit, because today we're talking about web security. Now the title of this talk is "How to Hack an Angular App", and I will be talking about Angular briefly, but I've got a very short amount of time, so another way to talk about it is how to hack a web app, and actually another title for this talk could be "Real-Life Hacking Stories". That's because I'm gonna be talking about web security by telling you three different hacking stories. My goal really isn't to teach you anything; my goal is to scare you.

So thank you for the intro. My name is Asim Hussain. You can find me on Twitter as jawache. I blog about Angular and JavaScript on my site codecraft.tv, and I'm a cloud developer advocate at Microsoft, which means, well, you can chat to me whenever you see me about whatever you want, but if you chat to me about Azure I'll probably bring out my notebook and start making some notes. I'm also an instructor on Udemy, which is a teaching platform, and recently they've just added in subtitles, and thankfully, finally, they replaced my name with the word "awesome". So my name is awesome, and this talk is going to be very awesome.

So I'm not a security expert. I'm a web developer, a web developer that got hacked one day, so I learned a thing or two about it. So I'm gonna be teaching you really the basics, right, and I'm gonna be teaching you some of the terminology as well. So this is just some of the terminology. A vulnerability is just a hole in your security, so not setting up a firewall is just a vulnerability. An exploit is a series of commands, a series of steps, things you do to take advantage of a vulnerability to do bad things.

Okay, so I'm going to start off with the first story: Equifax. So who heard about this Equifax hack last year? Okay, a fair amount of the audience. So it's like one of the largest hacks in history; I think the latest number is 184 million people's records were taken. Equifax is a billion-dollar company, ten thousand employees. But before I explain what happened, let's again dig into a little bit more terminology. So a zero-day exploit is just an exploit that we don't know about yet; it's just private, okay, it's a secret. But once a zero-day exploit becomes known, it comes into the public domain, we don't call it a zero-day exploit anymore, we just call it an exploit. You might think of it as a six-month exploit or a one-year exploit or something like that, and that's because the value of the exploit goes down over time: because it's public, people start releasing fixes and patches for their software. Okay, how hard do you think it would be to get hold of a zero-day exploit? Very hard, right; you've got to roll in the right circles, it costs a lot of money as well. How hard do you think it would be to get hold of an exploit that's been in the public domain for six months? Pretty easy. Super easy, in fact, just google it. There are loads of websites out there; this is one called Exploit DB. I'm just going to search "PHP" just for fun. If you scroll down, these are all still in 2017. All you've got to do is click on one of these links and it gives you details about the exploit and how to apply the exploit. Okay, so did Equifax get hacked by a zero-day exploit? No. They got hacked through a known vulnerability in their web framework, Apache Struts, that had already been fixed for two months. All they had to do to protect themselves was install an update. That's it. Now, a couple of laughs in the audience, but this is actually much, much more common than you might think. Snyk is a web security firm and they do lots of reports; this is one from 2016. Yep, so twelve of the top 50 data breaches were through known vulnerabilities, that's about 25%. Another report from last year: 77 percent of sites were using vulnerable JavaScript libraries.

So, back to Angular. So who here is using the latest version of Angular? Hands up. Who here isn't using the latest version of Angular? There we go. If you look at the Angular docs website, for both AngularJS and angular.io, modern Angular, you'll see that the number one security item is "keep updated to the latest version". The number one. And this is why, this is the reason why: because attacking a website through a known vulnerability is incredibly, incredibly easy, one of the most common ways to get access to a site. And we talk about migrating a lot; there are always issues when you want to upgrade to the latest version. Next time you're trying to convince your manager that you want to do it, just say "Equifax".

What are some of the things you can do? Well, if you host your code on GitHub, they added, at the end of last year, some features into the dependency graph, so it will scan your package.json, look at the version numbers, look in one of those databases, and if it is using a version which has a vulnerability report it will let you know with a big warning message when you look at your GitHub repo. If that's not your bag and you've got some kind of CI tooling, you can use things like NSP from Node Security, which essentially gives you the same thing but on the command line, and also Snyk, snyk.io, have their own web tool as well which you can use. So just to summarize: it's pretty easy to hack somebody through a known vulnerability, you've just got to google stuff, and it happens a lot more than we think. How are people feeling? We're good? All right, let's see the next story.

GitHub. So GitHub has a bug bounty: they pay you if you've found a security hole in their software, and this is a report from an expert called Orange Tsai. This is Orange's Twitter, please follow Orange; Orange is a good guy, lots of great stuff he tweets out. And this is his bug, this is the issue that he found at GitHub. I think it's a fascinating story, it reads like a heist movie, so I love it and I want to share it with you. Okay, I'm going to share it a little bit differently. I'm gonna show you a video that Orange created to prove that he had hacked GitHub. I'm gonna show it to you now. So it's GitHub Enterprise. Basically, to set up this hack, what you've got to do is add a webhook URL, just a webhook URL. So he's going to go into this repo, add a webhook; the URL is a little bit complicated, so he opens up a terminal, runs a Python script to print out the URL, and pastes that into the webhook section. Now, to actually trigger this exploit, all you've got to do is do a search, just a search. Okay, so this is just something he's printing out so you can see what command gets executed to trigger it. He's just going to type a search, anything, "ggggg", runs a search, and a command gets executed on the server, the `id` command on Linux. Just adding in a webhook URL and doing a search ran a command on the server. Anybody interested? Let's figure out how he did it.

So webhooks: if you do a git push you can set it up so it does a POST to some URL, okay. And what Orange discovered was that they'd forgotten to check for 0, so 0 resolves to localhost on certain machines. Okay, so that means when you do the POST it posts back onto the server, behind the firewall, behind any security that you've got going. There was a Graphite server process running on the server, and if you POST to this endpoint in Graphite, it's gonna call a piece of code, a piece of Python code. Don't be scared, I'll explain it to you step by step. This is the code itself. What it does is it gets the URL from the query parameters and then does a GET request with it. Okay, so if this is the webhook URL, the whole URL is going to get posted to the send-email function, it's gonna extract the real URL, it's gonna do a GET request to it. So all it's doing is converting a POST into a GET, that's it. So that's two exploits being chained together already.

But the thing is, it's using something called the HTTP connection library, and this has a known vulnerability in some of the versions of Python, the recent versions of Python have a known vulnerability, and that vulnerability is called carriage return line feed injection. So carriage return, backslash r, is newline on Windows, backslash n is newline on everything else, so this is a cross-platform way of doing newline. Okay, what can you do with this? Well, you can convert it to hex code, %0D%0A, and then the biggie: what if you did a GET request to this URL? In fact, what is a GET request actually? What is HTTP? Does anybody know? I mean, we're all web developers here, we all know what HTTP is, right? No? Okay, I'll explain it. So maybe we've seen something that looks a little bit like this, maybe we've done a curl request or we're looking at the network panel in some browser and we've seen something that looks like this. This is the HTTP protocol. Okay, so what it does is it opens up a TCP connection to this host and this port, and it starts sending each of these lines, our strings, to that host and port, ending with character 10, line feed. Okay, and the other side knows that the HTTP message is complete because it sends two character 10 line feeds in a row. All right, but the HTTP connection library converted those %0D%0A to character 10, line feed, so it basically turns into this, and this is actually just a malformed HTTP message. If you sent this it would return a 400, because "Hello" is not part of the HTTP protocol. Okay, so all we've done now is found a way to send a malformed HTTP message, not a big issue, right? But what if instead of that you sent this? Does anybody know what this port number is, what process it is? Any guesses? Memcache. There's a memcache. Memcache doesn't speak HTTP; memcache speaks memcache. So what happens when you do an HTTP request to this? It gets turned into this: again, opens up a TCP connection to this host, this port, which is memcache. You then send to memcache this first line, a string. Memcache doesn't know what this line is, memcache just throws it away, it thinks it's an error. Then you send memcache a second line, and memcache's like "I know what this is, I can speak this". What this actually does is it sets data on the key "key", with these numbers being kind of timeout parameters, right, and then the rest of the stuff just gets ignored because memcache just ignores it. What this is is something called protocol smuggling: within the HTTP protocol you're smuggling the memcache protocol, using an HTTP library to speak memcache.

What's the big deal? Well, we all use memcache. Whether we think we use memcache or whether we don't use memcache, we all use memcache at some level or another in our websites, right. And what happens is we serialize some code into a string, we store it in memcache, we deserialize the code and then we execute it. All good. But what Orange found a way of doing is basically changing what's in memcache. So you serialize your code, you store it in memcache, you deserialize your code and execute the code, but you're not executing your code, you're executing Orange's payload. What he'd figured out how to do is store a certain object, or a string representation of a certain object, inside memcache so that just the act of deserializing it executes a command on the server. That's what he did. How are you feeling now? I'm afraid we don't have time, please go to the toilet.

But what's the summary? The summary here is: big exploits come from small exploits chained together, right. We all think that when we're gonna get attacked, we're gonna get attacked through one giant security hole in our application. We don't; it's much more subtle than that, which is why hacking stories are so interesting, right, because they all chain multiple different exploits together.

Last story. Who can tell me what that code does? That's right, so it takes your environment variables and converts them into a base64 string. Okay, what about this? It's taking that environment variable, turning it into an HTTP POST request and posting them to my server. So who here stores passwords, connection strings, in environment variables on their server? Unless the rest of you are hard-coding them in your scripts, I don't know what's going on, right? But yeah, the common way to deal with a lot of the security stuff is to store the sensitive information in environment variables and then use them in your application. So if I told you I could make you run this code on your server and send me all of your environment variables, do you believe me? No? Maybe not. Reveal a little bit more: this is the script's package setup. Yes? Okay, a little bit more: this is an npm module, it's a setup script for an npm module. If you just install this npm module you'll be sending me all of your environment variables. You're probably thinking "well, why would I install your npm module, Asim? I don't know you." You're right, I don't have very many popular modules on npm, unfortunately. But did anybody see this at the end of last year? So you thought that Kent Dodds' package cross-env had been somehow corrupted to steal environment variables, but in fact it wasn't. What it was was this: so cross-env is the good one, crossenv without the dash is the hacked one. All it was was the same code with a different package setup script, published to npm.

This is actually a really common issue. It's called typosquatting. It's a really common issue; it's cross-language, every language has got these issues, Python's got it, everybody's got it, and it's a really big issue, and we all do it, right? Often when I'm installing from npm I can't remember if it's got a dash; if it doesn't have a dash I'll try it without, and it works, great. Yeah, but think about it: when you're installing from npm, what are you doing? You're giving somebody that you've probably never, ever met in your entire life the ability to run code as if it was you, behind your firewall, access to all of your keys, everything. So the summary here is we're a little bit too trusting, and I think it's because it's open source, right? We instantly trust everything that's open source. If it's an open source project you might think it's got a vulnerability, but you'd never expect it to have an exploit. But this one did; in fact it was up for two weeks before it was discovered. cross-env I think is downloaded about two million times a month. Okay, so just a few little spelling errors and people would have had that installed on their computer.

So what are some solutions? Well, on npm you can install stuff under a scope, a private scope. This probably, maybe, indicates to you why Angular's under @angular, right: only if you own this scope can you add any package underneath there. But they've recently added in some interesting rules, package moniker rules: if there's a package already called package-name, you now cannot deploy a package which changes only by punctuation. Okay, that's something that's happened recently. How's everybody feeling now? I think you've got a break after this, so you're all good.

Okay, to summarize: keep everything updated, update all the things. No one wants to be that person in the meeting room with their CEO telling them why the company's failed because you didn't bother to install an update. There's no such thing as a small vulnerability; fix it. And the npm issue, did it scare anybody? Yeah, I don't have a solution for that. So, thank you very much. If you want to follow me, you can follow me on Twitter as jawache, and I'll be posting up the slides later on after the conference. Thank you very much. [Applause]
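Added example, not code from the talk or from Orange Tsai's GitHub report: a JavaScript model of the CRLF injection and memcache protocol smuggling in the second story. The naive request builder, the hardened one, the tiny memcached command reader, the host, the port, the key name and the "pwned" payload are all constructed here for illustration; only the %0D%0A trick and memcached's "set" line come from the talk. The hardened builder applies the same rule Node's http module enforces (reject unescaped characters, never decode the path before it goes on the wire).

```javascript
// Added example, not code from the talk or from the GitHub/Graphite report.
// Models how a percent-encoded CRLF in a URL path turns one HTTP GET into
// memcached commands, and the client-side check that prevents it.
// The host, port, key name and payload below are made up for illustration.

// Deliberately naive HTTP/1.1 request builder: it percent-decodes the path
// and pastes the result straight onto the request line, which is the
// behaviour the vulnerable client library in the talk had.
function buildRequestNaive(host, port, rawPath) {
  const path = decodeURIComponent(rawPath);
  return `GET ${path} HTTP/1.1\r\nHost: ${host}:${port}\r\n\r\n`;
}

// Hardened builder: never decode the path before it goes on the wire, and
// refuse raw control characters or whitespace outright (Node's http module
// rejects such paths with ERR_UNESCAPED_CHARACTERS for the same reason).
function buildRequestSafe(host, port, rawPath) {
  if (/[^\x21-\x7e]/.test(rawPath)) {
    throw new Error('refusing to build request: unescaped characters in path');
  }
  return `GET ${rawPath} HTTP/1.1\r\nHost: ${host}:${port}\r\n\r\n`;
}

// Minimal model of memcached's text protocol reading whatever bytes arrive:
// one command per CRLF-terminated line; "set <key> <flags> <exptime> <bytes>"
// is followed by a data block of <bytes> bytes; anything else is answered
// with ERROR and otherwise ignored. Real memcached supports more commands;
// this is just enough to show the smuggled "set" landing.
function memcachedIngest(wire) {
  const lines = wire.split('\r\n');
  const store = {};
  const log = [];
  for (let i = 0; i < lines.length; i++) {
    const parts = lines[i].split(' ');
    if (parts[0] === 'set' && parts.length === 5) {
      const key = parts[1];
      const bytes = Number(parts[4]);
      store[key] = (lines[i + 1] || '').slice(0, bytes);
      log.push(`STORED ${key}`);
      i++; // the data block line has been consumed
    } else if (lines[i].length > 0) {
      log.push('ERROR');
    }
  }
  return { store, log };
}

const MEMCACHED_PORT = 11211; // memcached's default port

// Attacker-controlled URL (constructed). %0d%0a is CRLF, so after decoding
// the path carries a complete "set session 0 0 5" command plus its data.
const EVIL_PATH = '/%0d%0aset%20session%200%200%205%0d%0apwned%0d%0a';

// Vulnerable client: the decoded CRLFs split the request line, and memcached
// sees, and executes, the smuggled set command.
function demoSmuggle() {
  return memcachedIngest(buildRequestNaive('127.0.0.1', MEMCACHED_PORT, EVIL_PATH));
}

// Hardened client with the same URL: the path stays percent-encoded, so the
// whole request line is one garbage line to memcached and nothing is stored.
function demoSafe() {
  return memcachedIngest(buildRequestSafe('127.0.0.1', MEMCACHED_PORT, EVIL_PATH));
}

// Hardened client given a raw (already decoded) CRLF in the path: rejected.
function demoRawRejected() {
  try {
    buildRequestSafe('127.0.0.1', MEMCACHED_PORT, '/\r\nset session 0 0 5\r\npwned\r\n');
    return false;
  } catch (e) {
    return true;
  }
}
```

demoSmuggle() returns a store of { session: 'pwned' } with one STORED entry in the log; demoSafe() returns an empty store; demoRawRejected() returns true. The point to take away is where the fix lives: the client must treat the path as opaque bytes it never decodes, because once a CRLF reaches the request line the receiving service, not the HTTP library, decides what the following lines mean.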
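Added example, not the speaker's code and not npm's own implementation: a JavaScript audit of a package manifest for the two signals the cross-env story turns on, a name that collides with a popular package once punctuation is ignored (the moniker rule mentioned near the end) or sits one typo away from it, and lifecycle scripts that run code at install time. The POPULAR list, both manifests and the "package-setup.js" script name are constructed for the example; the edit-distance check goes slightly beyond the punctuation rule the talk describes.

```javascript
// Added example, not the speaker's code and not npm's own implementation.
// Audits a package manifest for the two signals in the cross-env story:
// a name that collides with a popular package once punctuation is ignored
// (the moniker rule the talk mentions), or is within one edit of it, and
// lifecycle scripts that run code on "npm install".
// The POPULAR list, both manifests and the script names are constructed.

const POPULAR = ['cross-env', 'lodash', 'babel-core', 'event-stream'];

// npm's moniker rule as described in the talk: compare names with all
// punctuation removed, case-insensitively.
function normalizeName(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Returns the popular package this name collides with by punctuation only.
function punctuationCollision(name, popular = POPULAR) {
  const n = normalizeName(name);
  return popular.find(p => p !== name && normalizeName(p) === n) || null;
}

// Levenshtein distance, used to catch single-character typos such as a
// dropped letter, which the punctuation rule alone does not cover.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns the popular package within maxDist edits of this name, if any.
function nearMiss(name, popular = POPULAR, maxDist = 1) {
  return popular.find(p => p !== name && editDistance(name, p) <= maxDist) || null;
}

// Lifecycle hooks npm runs during install; a malicious package needs one of
// these to execute code the moment it is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter(h => scripts[h]).map(h => ({ hook: h, cmd: scripts[h] }));
}

// Returns a list of human-readable findings; an empty list means nothing
// suspicious was found by these two checks.
function audit(manifest) {
  const findings = [];
  const collision = punctuationCollision(manifest.name);
  if (collision) {
    findings.push(`name differs from "${collision}" only by punctuation`);
  } else {
    const near = nearMiss(manifest.name);
    if (near) findings.push(`name is within one edit of "${near}"`);
  }
  for (const s of installScripts(manifest)) {
    findings.push(`runs "${s.cmd}" at ${s.hook}`);
  }
  return findings;
}

// Constructed manifests: the genuine package, and a look-alike modelled on
// the talk's description (same name minus the dash, plus an install script).
const GOOD_MANIFEST = { name: 'cross-env', version: '5.1.0', scripts: { test: 'jest' } };
const BAD_MANIFEST = {
  name: 'crossenv',
  version: '5.1.0',
  scripts: { postinstall: 'node package-setup.js' },
};
```

audit(GOOD_MANIFEST) returns no findings; audit(BAD_MANIFEST) returns two, the punctuation collision with "cross-env" and the postinstall hook. Neither check proves a package is malicious, and an install script is common in legitimate native modules, but a name collision combined with an install-time script is exactly the shape the talk warns about and is worth a look before the package runs as you behind your firewall.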
Info
Channel: ng-conf
Views: 18,296
Id: C7D4WTLNEUQ
Length: 20min 39sec (1239 seconds)
Published: Wed Apr 18 2018