ANALIZA BEZBEDNOSNIH NAPADA U NODEJS EKOSISTEMU
Ključne reči:
NodeJS, NPM, izvršavanje napada, mehanizmi odbrane
Apstrakt
U ovom radu opisano je kako rade NodeJS i NPM i koje su im mane. Opisani su neki od poznatih napada na NPM ekosistem i NodeJS kao platformu za izvršavanje JavaScript koda na serveru. Uz opise kako napadi mogu da se izvrše prikazane su i moguće mitigacije.
Reference
[1] Node.js [Na mreži] [Citirano 30 9 2022.] https://en.wikipedia.org/wiki/Node.js
[2] NPM [Na mreži] [Citirano 30 9 2022.] https://www.npmjs.com/
[3] V8 [Na mreži] [Citirano 30 9 2022.] https://v8.dev/
[4] Libuv [Na mreži] [Citirano 30 9 2022.] https://libuv.org/
[5] Serdar Yegulalp, How one yanked JavaScript package wreaked havoc [Na mreži] [Citirano 30 9 2022.] https://www.infoworld.com/article/3047177/how-one-yanked-javascript-package-wreaked-havoc.html
[6] Markus Zimmermann, Cristian-Alexandru Staicu, Small World with High Risks: A Study of Security Threats in the npm Ecosystem. 2019
[7] NPM Audit [Na mreži] [Citirano 30 9 2022.] https://docs.npmjs.com/cli/v8/commands/npm-audit
[8] Danny Grander, Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/,
[9] Liran Tal, Assaf Ben Josef, Open source maintainer pulls the plug on npm packages colors and faker, now what? [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/open-source-npm-packages-colors-faker/
[10] Liran Tal, Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
[11] Liran Tal, What is typosquatting and how typosquatting attacks are responsible for malicious modules in npm [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/typosquatting-attacks/
[12] Snyk – crossenv [Na mreži] [Citirano 30 9 2022.] https://security.snyk.io/package/npm/crossenv
[13] Github – npq [Na mreži] [Citirano 30 9 2022.] https://github.com/lirantal/npq,
[14] Alex Birsan, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies [Na mreži] [Citirano 30 9 2022.] https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
[15] Ulises Gascón, What is a backdoor? Let’s build one with Node.js [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/what-is-a-backdoor/
[16] Karl Düüna, Secure Your Node.js Web Application, Keep Attackers Out and Users Happy
[17] Prototype pollution [Na mreži] [Citirano 30 9 2022.] https://learn.snyk.io/lessons/prototype-pollution/javascript/#pgwwpvrchiwtb
[18] Object prototypes [Na mreži] [Citirano 30 9 2022.] https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/Object_prototypes
[19] Lodash [Na mreži] [Citirano 30 9 2022.] https://www.npmjs.com/package/lodash
[2] NPM [Na mreži] [Citirano 30 9 2022.] https://www.npmjs.com/
[3] V8 [Na mreži] [Citirano 30 9 2022.] https://v8.dev/
[4] Libuv [Na mreži] [Citirano 30 9 2022.] https://libuv.org/
[5] Serdar Yegulalp, How one yanked JavaScript package wreaked havoc [Na mreži] [Citirano 30 9 2022.] https://www.infoworld.com/article/3047177/how-one-yanked-javascript-package-wreaked-havoc.html
[6] Markus Zimmermann, Cristian-Alexandru Staicu, Small World with High Risks: A Study of Security Threats in the npm Ecosystem. 2019
[7] NPM Audit [Na mreži] [Citirano 30 9 2022.] https://docs.npmjs.com/cli/v8/commands/npm-audit
[8] Danny Grander, Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/,
[9] Liran Tal, Assaf Ben Josef, Open source maintainer pulls the plug on npm packages colors and faker, now what? [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/open-source-npm-packages-colors-faker/
[10] Liran Tal, Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
[11] Liran Tal, What is typosquatting and how typosquatting attacks are responsible for malicious modules in npm [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/typosquatting-attacks/
[12] Snyk – crossenv [Na mreži] [Citirano 30 9 2022.] https://security.snyk.io/package/npm/crossenv
[13] Github – npq [Na mreži] [Citirano 30 9 2022.] https://github.com/lirantal/npq,
[14] Alex Birsan, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies [Na mreži] [Citirano 30 9 2022.] https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
[15] Ulises Gascón, What is a backdoor? Let’s build one with Node.js [Na mreži] [Citirano 30 9 2022.] https://snyk.io/blog/what-is-a-backdoor/
[16] Karl Düüna, Secure Your Node.js Web Application, Keep Attackers Out and Users Happy
[17] Prototype pollution [Na mreži] [Citirano 30 9 2022.] https://learn.snyk.io/lessons/prototype-pollution/javascript/#pgwwpvrchiwtb
[18] Object prototypes [Na mreži] [Citirano 30 9 2022.] https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/Object_prototypes
[19] Lodash [Na mreži] [Citirano 30 9 2022.] https://www.npmjs.com/package/lodash
Objavljeno
2023-01-08
Sekcija
Elektrotehničko i računarsko inženjerstvo