Electrotechnical and Computer Engineering
Vol. 38 No. 01 (2023): Proceedings of Faculty of Technical Sciences
CYBERSECURITY ATTACK ANALYSIS IN THE NODEJS ECOSYSTEM
Abstract
This paper describes how Node.js and npm work and where their weaknesses lie. It surveys some of the most common attacks on npm and on Node.js as a server-side JavaScript runtime, explains how each attack is carried out, and shows how developers can mitigate them.