Black Hat

SOOS @ Black Hat USA 2022
August 9-11 | Booth #IC58

NodeBB Open Source Software Vulnerabilities

As a software service, NodeBB supports either a PostgreSQL, Redis, or MongoDB database that facilitates web sockets for real-time notifications and interactions between users. The software allows for real-time discussions and mobile interactions while also providing an original forum format for users. NodeBB contains certain functionalities, while additional integrations can be accomplished through external plugins or programs. 

NodeBB is a JavaScript-based open-source software. While it is generally considered secure, open-source software vulnerabilities are possible. Information technology researchers found three distinct vulnerabilities in the software, which could lead to remote code execution if abused by hackers.

Open Source NodeBB Bugs

Open source refers to any widely available code that users can modify. All open source codes come with a license that allows users to use the source code, change it, and share it with others under certain regulations. 

Many people confuse open-source software and free software. All free software is classified as open-source. Thus, you can change the code to free software, though you may not be allowed to distribute it to others without the original author’s permission. However, with open-source software, programmers can use and change the code without permission, but it may not be a free program. 

NodeBB is an open-source program. Thus, users can detect and fix any associated bugs without the permission of the source code author. 

Path Traversal Bugs

A path traversal bug allows an attacker to illicitly access files on your web server without the proper permissions. Hackers do this by accessing files that are housed outside the webroot folder.  It is often possible to access directories and files stored on the main file system by manipulating variables and sequences associated with source files. 

Path traversal vulnerabilities should be identified and mitigated by all individuals and business owners housing secure information.  

Reading Arbitrary Files Throughout Directory Traversal

Also known as file path traversal, directory traversal is a software vulnerability that lets an attacker view arbitrary files on the webserver that is operating an application. Examples of arbitrary files often read by hackers include application data, back-end credentials, and files containing personal information. Occasionally, cybercriminals can change applications or data by modifying arbitrary server files after gaining access. Thus, a hacker can control your system by gaining access to arbitrary files.

File Path Traversal Vulnerabilities

Unfortunately, file paths come with inherent vulnerabilities. A file path traversal attack allows a hacker to access commands, files, or directories located outside of the root directory. Attackers can exploit path commands to disclose the content of files on the webserver. While web servers restrict user access, hackers can access these files by utilizing special character formats. 

Typing ../ is a common way hackers can access server files through file path traversal. Though many security solutions attempt to prevent this method from escaping the web document root, alternate encodings occasionally slip through security controls. 

Avoiding Exploitation of the File Path Traversal

Almost every web application contains data such as scripts, images, and themes. Unfortunately, there are open source security vulnerabilities every time a file is included in an application. With such issues, an attacker can potentially view your files or upload a source you did not authorize. 

It is essential to know if you are vulnerable to file path traversal attacks. Consider the following to mitigate risk factors:

  • Learn how your operating system processes filenames and how security mechanisms are configured.
  • Know if your private configuration files are housed inside the webroot.
  • Check that the webroot is not housed on the system disk if you are using a Windows IIS server.

All of these actions can counter potential file path traversal vulnerabilities. To further prevent attacks, follow these simple tricks to avoid attackers exploiting the file path traversal:

  • Make sure you operate without user input when using file system calls
  • Utilize indexes as opposed to partial file names when templating
  • Surround your path code to ensure attackers cannot alter parts of the path
  • Always validate the input of outside users
  • Utilize code user policies to restrict how files can be accessed 

Perhaps the most important thing you can do to protect yourself is to validate all the code and consistently evaluate the security mechanisms’ strength. 

Cross-Site Scripting

Cross-site scripting is often referred to as XSS by developers and engineers. It is a common web application vulnerability that allows a hacker to take control of a user’s session. It enables an attacker to bypass the Same Origin Policy, which keeps websites and applications separate from one other. Cross-scripting allows an attacker to carry out any original user’s action, giving them complete control over the user’s session. If the original user has stored sensitive information within an application, the hackers can view it and modify the data. 

Cross-Site Scripting Bugs

 XSS is one of the most common risks found on web applications. Cross-site scripting bugs occur when a hacker executes client-side JavaScript code using another person’s browser. XSS bugs are dynamic and often challenging to detect and mitigate. They are considered severe vulnerabilities for the following risks:

  • The severity of attacks can range from mild to critical, depending on the software and the context.
  • These bugs can occasionally enable attackers to gain access to your system remotely.
  • Automated security tools often miss these bugs.
  • These risks are difficult to mitigate during the software development lifecycle.

Gaining access to cross-site scripting can enable an attacker to fully control the user’s session, bypass authentication controls, and accomplish the exfiltration of user information. 

Cross-Site Scripting Attacks

There are three main types of cross-site scripting attacks. These include:

  • Reflected attacks: An attacker creates a malicious script that is obtained from the current HTTP request.
  • Stored attacks: The hacker creates a malicious script using the website’s database. 
  • DOM-based attacks: The attacker infiltrates an application by accessing the client-side code instead of the server-side data. 

This is not a comprehensive list of cross-site scripting attacks. While the attack types described above are common, there are many more types being developed on an annual basis. 

Often, web applications or websites have open source software security vulnerabilities if they use unsanitized user input in the generated output. 

Cross-Site Scripting Attack Vulnerability 

Unfortunately, cross-site scripting attacks are challenging to identify and eliminate from a website or application. The best way to know if you are vulnerable to such an attack is to perform a security review of the source code. Use an automated tool to search areas where HTTP request input could potentially make its way into the HTML output. HTML code submitted by a user can introduce malicious JavaScript if you don’t sanitize it.

Many automated tools, including Nessus and Nikto, can help detect these vulnerabilities. Unfortunately, many of these tools are basic and cannot see every vulnerability. Automated tools should be seen as a complement to other types of security testing. Manual security testing performed by a developer is usually the best way to detect all types of open source software vulnerabilities.

How To Avoid XSS Attacks?

Avoiding cross-site scripting attacks can be difficult depending on the complexity of the website or application. Avoiding attacks is also impacted by how the application handles user-controllable data. Following these measures can help you prevent cross-site scripting attacks:

  • Immediately filter input: Filter input based on the data expectations when received and look for issues. The more quickly a malicious script is detected, the faster you can remove it from the website. 
  • Encrypt output data: There are certain circumstances in which user-controlled data is configured into HTTP responses. In these cases, encrypt the output to prevent it from being mistaken for active content. Encoding data can be done using HTML, URL, JavaScript, and CSS coding.
  • Utilize Content Security Policies: As a final prevention effort, utilize the application’s Content Security Policy to reduce the impact of vulnerabilities that have not been eliminated.
  • Use proper response headers: Use Content-Type or X-Content headers to eliminate cross-site scripting in HTTP responses that should not contain any JavaScript or HTML. Using these headers can help applications properly internalize input. 

Perhaps the best way to prevent cross-site scripting attacks is to avoid inserting untrusted data except in allowed locations. There are many situations in which HTML encoding rules get very complex. Thus, there are no practical reasons to insert untrusted data. Encoding and encryption are challenging, so the best choice is to not trust any user-submitted data.

While open source security vulnerabilities can be difficult to detect and mitigate, it is not impossible. Having the proper safety mechanisms in place and never accepting untrusted data can help prevent many attacks. 

Obtain Security Solutions With SOOS

Obtain the advanced security solutions you need for your business with SOOS. We offer easy-to-integrate open-source software scanning solutions. Our software composition analysis tool offers unlimited scans to unlimited users at a $99 flat monthly price. Take charge of the security of your web application data by adding SOOS to your toolkit. Contact us today to speak with a security expert about the cybersecurity needs of your business. 

Copyright © 2022 SOOS| Terms of Service | Privacy Policy