Presentation is loading. Please wait.

Presentation is loading. Please wait.

Amit Ashbel Product Marketing Manager www.gameofhacks.com.

Published byTeresa Peters Modified over 9 years ago

Similar presentations

Presentation on theme: "Amit Ashbel Product Marketing Manager www.gameofhacks.com."— Presentation transcript:

1 Amit Ashbel Product Marketing Manager www.gameofhacks.com

2 How I am about to spend your time? o What is GoH? o What's behind it? o Not so wet T-Shirt contest o Node.js potential risks o Takeaways

3 Game of Hacks – An idea is born using System; using System.Security.Cryptography; class Program { static void Main() { using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) { // Buffer storage. byte[] data = new byte[4]; // Ten iterations. for (int i = 0; i < 10; i++) { // Fill buffer. rng.GetBytes(data); // Convert to int 32. int value = BitConverter.ToInt32(data, 0); Console.WriteLine(value); } // other Random Generation method Random otherRandomGenerator = new Random(); double otherRandomNumber = otherRandomGenerator.NextDouble(); Spot The Vulnerability

4 CISO Concerns – Education and Awareness (https://www.owasp.org/images/2/28/Owasp-ciso-report-2013-1.0.pdfhttps://www.owasp.org/images/2/28/Owasp-ciso-report-2013-1.0.pdf

5 1+1=? Launched on August More than 100,000 games were played since

6 Let’s take a look at the game

7 What was behind GoH?

8 Honeypot o We assumed the game would be attacked o We might as well learn from it o Vulnerabilities were left exposed and patched along the way

9 GoH Architecture Server Client

10 Single Thread Architecture - Event Loop Event Queue Network Database File System Register Callback Operation Complete Trigger Callback Event Loop Single Thread Node.js architeture

11 Single Thread Events handler Event Driven

12 12 Question Answers Code Snippet 60-Second Timer Question # Score Difficulty Level Game Entities

13 Answered Question o Initially users initiated app.sendAnswers multiple times, until they got “Correct answer” response. o This allowed malicious users to systematically locate the correct answer – and to gain points over and over for the same question. o Solutions “Question Already Answered” flag added

14 Timer o GoH Version 1 Timer handled by client User forced to go to next question when time ends Client sends to server Answer + Time spent o GoH 2 Time is now computed at the server with minor traffic influence o So what? Players stopped timer by modifying JS code

15 Timer o What else?

16 Get your Browsers ready! Checkmarx@Defcon 23 Turn your mobile devices ON! Go to: www.kahoot.it

17 More Node.js points to remember

18 Single Thread Events handler Event Driven - remember?

19 Denial of Service Function sum (p) for (i=1;i<=p;++i) { f=f+i; } Function sum (p) for (i=1;i<=p;++i) { f=f+i; }

20 Demo http://localhost:49090/sum?p=5 http://localhost:49090/sum?p=100000000 http://localhost:49090/sum?p=5

21 Node.JS, being a JSON based language, can accept JSON values for the.find method: A user can bypass it by sending 21 http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html http:///server/page?user[$gt]=a&pass[$gt]=a JSON-based SQL Injection

22 JSON-base SQL Injection This can lead to Regular Expression Denial of Service through the {“username”: {“$regex”: “……..}} So always validate the input length, structure and permitted characters Remembering that Node.js is highly sensitive to CPU-intensive tasks, and there’s a single thread for user-code – ReDoS is really bad db.users.find({username: username}); bcrypt.compare(candidatePassword, password, cb);

23 Re-Dos Demo http://localhost:49090/?user=admin&pass[$regex]=^(a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a| a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a |a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a| a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a |a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a| a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a |a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a| a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a|a |a|a|a|a|a|a|a|a|a)(d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d| d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d |d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d| d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d |d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d| d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d |d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d| d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d |d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d| d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d |d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d| d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d|d)$

24 Some Key Takeaways Gamification of education Knowledge is key to deliver secure code Students (of all ages) absorb and retain information better Anytime you have a chance to make learning a fun experience you should do it Using code Always validate the input length, structure and permitted characters Each coding language has its own pitfalls Research and learn a language before you use it publicly. Remember - Node.js is highly sensitive to CPU-intensive tasks

25 Thank You Questions? amit.ashbel@checkmarx.com @aashbel Amit Ashbel

Download ppt "Amit Ashbel Product Marketing Manager www.gameofhacks.com."

Similar presentations

ASP.NET Best Practices Dawit Wubshet Park University.

ASP.NET Best Practices Dawit Wubshet Park University.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Passwords suck Nico Smit November 2014. “The million passwords dilemma:”  Just like having a million keys suck, so also having a million usernames and.

Passwords suck Nico Smit November “The million passwords dilemma:”  Just like having a million keys suck, so also having a million usernames and.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.

Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
SE320: Introduction to Computer Games Week 8: Game Programming Gazihan Alankus.

SE320: Introduction to Computer Games Week 8: Game Programming Gazihan Alankus.
Project Implementation for COSC 5050 Distributed Database Applications Lab1.

Project Implementation for COSC 5050 Distributed Database Applications Lab1.
CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.

CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
CTF Mike Gerschefske Justin Gray. What is it? Came from Defcon Came from Defcon UCSB sp0nsorz – won last years Defcon UCSB sp0nsorz – won last years Defcon.

CTF Mike Gerschefske Justin Gray. What is it? Came from Defcon Came from Defcon UCSB sp0nsorz – won last years Defcon UCSB sp0nsorz – won last years Defcon.

Similar presentations

Ads by Google