surrogate dependencies in nodejs
play

Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep - PowerPoint PPT Presentation

Nov 25, 2022 •323 likes •651 views

Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016 Me Developer for 25 years AppSec for 13 years Day jobs: Leader OWASP O2 Platform project Application Security Training JBI Training, others Part of

  1. Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016

  2. Me • Developer for 25 years • AppSec for 13 years • Day jobs: • Leader OWASP O2 Platform project • Application Security Training • JBI Training, others • Part of AppSec team of: • The Hut Group • BBC • AppSec Consultant and Mentor • “I build AppSec teams….” • https://twitter.com/DinisCruz • http://blog.diniscruz.com • http://leanpub.com/u/DinisCruz

  3. A SURROGATE DEPENDENCY

  4. Defintion https://en.wikipedia.org/wiki/Surrogate https://en.wikipedia.org/wiki/Surrogate_model

  5. What is it? • It tests the API and replays responses – Use integration tests to ‘lock’ the api used – Save responses in JSON format – Replay data to client • Allow client to be offline

  6. Locking the API using tests A ‘client’ Network API Integration tests Network API Git repo with data store as JSON files

  7. Replay stored JSON Client/app is running Offline! A ‘client’ Network API Modify data 
 Surrogate (optional) Dependency Git repo with data store as JSON files

  8. Adding security tests (to server) Insert Payloads here To attack the server Integration tests Network API Git repo with data store as JSON files

  9. Adding Security Tests (from server) A ‘client’ To attack the client 
 Network (from the server) Modify data 
 Surrogate Insert Payloads here (optional) Dependency What kind of issues can be found this way? - XSS Git repo with data - SQL Injection store as JSON files - CSRF (to server) - DoS - Steal Sessions tokens

  10. Once you know where the client is vulnerable You ‘ask’ the API 
 A ‘client’ where did 
 API Network that data 
 come from? Once you know which 
 data received from the server will exploit the client … and follow the rabbit holes Which might lead to 
 and external source 
 (i.e. attacker)

  11. With Proxy Request for xyz url (GET , POST , PUT) A ‘client’ no in Load data from Cache? real service Send data to user yes Modify data 
 Load data from Save data to (optional) cache cache Git repo with data store as JSON files

  12. Demo Running a mobile app ‘offline’

  13. BUILDING A TEST FRAMEWORK

  14. Problems that developers have • Fragile dev and QA environments • Inefficient TDD (specially for Integration tests) • Lack of ‘production-like’ data • Can’t work offline • Lots of manual testing • Massive Versioning issues with dependencies (namely Web Services) • Weak Schema contracts – remember that ‘String’ is not a type and Strings are not Strongly typed :) • No/few dedicated micro services for their app

  15. Key for AppSec is to make Devs more productive • We need projects/activities that align AppSec needs with Dev needs • The ‘Surrogate dependencies’ 
 (which allows the app to run offline is one of those projects)

  16. Aligning AppSec with Dev Surrogate Dependencies are here What Developers 
 What AppSec 
 want want

  17. What do I mean by an Dependency • Anything that is external to the application under development – Web Services – Message Queues – Inbound Http traffic (i.e. users) – Other protocols (SMTP , FTP) • Basically all inputs (i.e. the real Attack surface) • For now lets focus on Web Services (i.e. json, xml and html traffic)

  18. Why a new Test Framework • Be able to answer: – What APIs are used at each layer? – What is their schema? ‘string’ is not a type • we need to ban 
 • strings 
 – What happens if the 
 server’s response is 
 is malicious http://www.grahamlea.com/2015/07/microservices-security-questions/

  19. Answer Questions • What happens if data is malicious: – from Client – from Server – to Server • How can we have assurance of the Application properties – “…prove there are no exploitable XSS…”

  20. Why NodeJS • It’s JSON Native • Fast • Effective TDD • Powerful APIs • JsDom

  21. TECHNOLOGIES

  22. JSDom • Ability to simulate the browser DOM in Node • Even supports complex frameworks (and event loops) like Angular – yes, you can run on NodeJS (i.e. server) Angular controllers, directives, services (with live Http Requests)

  23. WallabyJS • WallabyJS – real time unit test execution – real time code coverage

  24. Unit/Integration tests • That hit the live server and save the JSON

  25. 
 
 
 
 
 
 Git as database • Content is stored as JSON on the file system 
 • Version control received data (using git diffs)

  26. JSON • Very good for data storage • Powerful diffs (between test execution runs) – provide visualisation of dynamic data – identify inconsistent data • Write tests against store JSON to confirm schema, data received – easy to identify bad server data deliveries (for example: multiple requests required, when one should be used) – Over supply of data (i.e. assets sent when they are not needed by client) • Confirms ‘happy paths’ data • Will be used for payload injections and DoS tests

  27. Microservices • Surrogate dependency is a model/template for dedicated micro-services • Eventually Microservices should replace the original Surrogate dependency • the Microservices will have their own Surrogate dependencies

  28. JSDom • Used to load html pages and render the Javascript • Much better than selenium and PhatomJS since it is native to Node • Test execution is super fast

  29. XSS Proxy • New module will add ability to act like a proxy – make requests to live server when request is not in cache – save response from live server in cache • Idea is to auto-generate the tests for the requests recorded • This will make it easier to create new ‘surrogate dependencies’ projects

  30. Containers • Best surrogates are the real code running inside a container – 2nd best solution is when the surrogates only exist on the 2nd level of dependencies • Btw, if the app your are coding today is not designed to support containers (i.e micro services) in the near future • Where you will be able to run dozens, hundreds or thousands versions in a separate container (aka Docker) – You are not aligned with the next major dev revolution (similar to git) – In a couple years, your app will be as ‘legacy’ as what you today call ‘legacy’ – key vision is that each ‘user’ should run in it’s own container

  31. Open source project • XSS Proxy is already there – https://github.com/o2platform/node-ssl-strip • Other code coming soon to OWASP • Be involved :) – Your developers will love it and you will dramatically improve yours testing capabilities

  32. Thanks, any questions @diniscruz dinis.cruz@owasp.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda Introduction nodejS security Npm security packages Node Goat project Tools Node JS JavaScript in the backend Built on

762 views • 43 slides
Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here:

Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here:

Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here: https://nodejs.org/en/download/ NPM tutorial: https://docs.npmjs.com/about-npm/ NodeJS Documentation: https://nodejs.org/docs/latest-v9.x/api/ Terminal Example setup

120 views • 8 slides
T8: NodeJS CPSC 513 Dr. P. Federl University of Calgary Arshia Hosseini T01/T02 What is

T8: NodeJS CPSC 513 Dr. P. Federl University of Calgary Arshia Hosseini T01/T02 What is

T8: NodeJS CPSC 513 Dr. P. Federl University of Calgary Arshia Hosseini T01/T02 What is NodeJS Open source JavaScript framework Event-driven Cross-platform Server-side 2 Installing and Running Node

690 views • 15 slides
MOVING AWAY FROM NODEJS TO A PURE PYTHON SOLUTION FOR ASSETS Alessandro Molina @__amol__

MOVING AWAY FROM NODEJS TO A PURE PYTHON SOLUTION FOR ASSETS Alessandro Molina @__amol__

MOVING AWAY FROM NODEJS TO A PURE PYTHON SOLUTION FOR ASSETS Alessandro Molina @__amol__ amol@turbogears.org Why? NodeJS has a rich toolkit, but using it has some serious drawbacks. People really dont know there are very good or

410 views • 24 slides
Study of the surrogate-reac1on method via the simultaneous

Study of the surrogate-reac1on method via the simultaneous

Study of the surrogate-reac1on method via the simultaneous measurement of fission and gamma- decay probabili1es (ACTISUR->ACTInides-SURrogate) P. Marini ,

586 views • 44 slides
Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline The ant Command 1 Build Files 2 Targets Properties File Sets and Lists Path Sets Filters Tasks Case Studies 3

807 views • 59 slides
The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

Surrogate Endpoint Frameworks Optimal Surrogate Framework Simulation Studies Application to Dengue Trials Discussion The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials Peter Gilbert, Brenda

1.62k views • 119 slides
Surrogate models for Single and Multi-Objective Stochastic Optimization: Integrating Support

Surrogate models for Single and Multi-Objective Stochastic Optimization: Integrating Support

Covariance Matrix Adaptation-Evolution Strategy Support Vector Machines Comparison-Based Surrogate Model for CMA-ES Dominance-based Surrogate Model for Multi-Objective Optimization Surrogate models for Single and Multi-Objective Stochastic

1.1k views • 53 slides
Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies + abstraction Neil Mitchell http://nmitchell.co.uk Building stuff with Shake Neil Mitchell http://shakebuild.com What is Shake? A Haskell

813 views • 49 slides
Converting a biomarker to a surrogate What should it take? AstraZeneca Priority List- case

Converting a biomarker to a surrogate What should it take? AstraZeneca Priority List- case

Converting a biomarker to a surrogate What should it take? AstraZeneca Priority List- case studies Andrew Stone BSc MSc Andrew Hughes MA PhD MRCP FFPM Friday 15 th December 2006 The need for surrogate endpoints In many settings, the

427 views • 17 slides
Content Comparison of two nearness-to- collision surrogate indicators at a Problem statement

Content Comparison of two nearness-to- collision surrogate indicators at a Problem statement

Content Comparison of two nearness-to- collision surrogate indicators at a Problem statement signalized intersection in Minsk Literature review Surrogate measures of safety using Extreme Value Theory Application of EVT

457 views • 6 slides
Comparison of Ordinal and Metric Gaussian Process Regression as Surrogate Models for CMA

Comparison of Ordinal and Metric Gaussian Process Regression as Surrogate Models for CMA

DTS-CMA-ES Surrogate models Experimental results Comparison of Ordinal and Metric Gaussian Process Regression as Surrogate Models for CMA Evolution Strategy ek Pitra 1 , 2 , 3 , Luk Bajer 1 , 4 , Jakub Repick 1 , 4 , Zbyn na 1 Martin

730 views • 33 slides
Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline completing an instruction every cycle When a later instruction depends on the result of an earlier instruction, stalls happen There are 3

1.35k views • 122 slides
X TTC / PET / DRAC / CPI Some research applications have been done with the use the surrogate

X TTC / PET / DRAC / CPI Some research applications have been done with the use the surrogate

32nd ICTCT Conference in Warsaw, Poland October 24 & 25, 2019 The simulation of potential crashes Purpose as a new safety performance conflict-based indicator The aim of this study is to improve the current session: SURROGATE MEASURES

343 views • 6 slides
Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and Runtime Security About ActiveState Track-record: 97% of Fortune 1000, 20+ years open source Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby

727 views • 47 slides
Guided Evolutionary Strategies Augmenting random search with surrogate gradients Niru

Guided Evolutionary Strategies Augmenting random search with surrogate gradients Niru

Guided Evolutionary Strategies Augmenting random search with surrogate gradients Niru Maheswaranathan // Google Research, Brain Team Joint work with: Luke Metz, George Tucker, Dami Choi, Jascha Sohl-dickstein Optimizing with surrogate gradients

379 views • 24 slides
Unicode Introduction Ken Zook November, 2006 1 Unicode properties 0041;LATIN CAPITAL LETTER

Unicode Introduction Ken Zook November, 2006 1 Unicode properties 0041;LATIN CAPITAL LETTER

Unicode Introduction Ken Zook November, 2006 1 Unicode properties 0041;LATIN CAPITAL LETTER A;Lu;0;L;;;;;N;;;;0061; A Representative glyph Code point: 0041 Name: LATIN CAPITAL LETTER A Semantic General category: Uppercase letter (Lu)

483 views • 15 slides
Multifidelity importance sampling methods for rare event simulation Benjamin Peherstorfer

Multifidelity importance sampling methods for rare event simulation Benjamin Peherstorfer

Multifidelity importance sampling methods for rare event simulation Benjamin Peherstorfer University of Wisconsin-Madison Karen Willcox and Boris Kramer MIT Max Gunzburger Florida State University July 2017 1 / 24 Introduction

600 views • 46 slides
Incremental and Stochastic Majorization-Minimization Algorithms for Large-Scale Optimization

Incremental and Stochastic Majorization-Minimization Algorithms for Large-Scale Optimization

Incremental and Stochastic Majorization-Minimization Algorithms for Large-Scale Optimization Julien Mairal INRIA LEAR, Grenoble Gargantua workshop, LJK, November 2013 Julien Mairal Incremental and Stochastic MM Algorithms 1/28 A simple

583 views • 46 slides
Understanding the Effectiveness of Plutonium Surrogates for Waste and Stockpile Immobilisation

Understanding the Effectiveness of Plutonium Surrogates for Waste and Stockpile Immobilisation

2018-09-17 Understanding the Effectiveness of Plutonium Surrogates for Waste and Stockpile Immobilisation Lewis R Blackburn Immobilisation Science Laboratory University of Sheffield Supervisors: - Neil Hyatt (UoS) - Martin Stennett(UoS) -

298 views • 18 slides
SoDeep: A Sorting Deep Net to Learn Ranking Loss Surrogates June, 2019 Martin Engilberge, Louis

SoDeep: A Sorting Deep Net to Learn Ranking Loss Surrogates June, 2019 Martin Engilberge, Louis

SoDeep: A Sorting Deep Net to Learn Ranking Loss Surrogates June, 2019 Martin Engilberge, Louis Chevallier, Patrick Prez, Matthieu Cord SoDeep: A Sorting Deep Net to Learn Ranking Loss Surrogates June, 2019 Martin Engilberge, Louis

558 views • 11 slides
Cross-platform fi le names in Rust WTF-8: a wonderful and horrifying hack! Simon Sapin, Mozilla

Cross-platform fi le names in Rust WTF-8: a wonderful and horrifying hack! Simon Sapin, Mozilla

Cross-platform fi le names in Rust WTF-8: a wonderful and horrifying hack! Simon Sapin, Mozilla Research !!Con, 2015-05-16 I work at Mozilla Research on Servo, a browser engine written in Rust. I also contribute a little bit to Rust. 1.0

469 views • 13 slides
Legislative Update Heidi Junge June 20, 2019 The webinar will begin shortly. Phone |

Legislative Update Heidi Junge June 20, 2019 The webinar will begin shortly. Phone |

Welcome to todays webinar! Legislative Update Heidi Junge June 20, 2019 The webinar will begin shortly. Phone | 1-800-619-3315 Passcode | 4597908 Q&A Process Ask questions in two ways: 1. Use online chat feature during webinar 2.

1.25k views • 110 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides

More recommend