Snyk 今月の脆弱性 オンライン勉強会シリーズ　2024年3月27日水曜日開催の録画

00:00

hi everyone good morning good afternoon

00:03

good evening wherever you are and

00:05

especially I know that we our audience

00:07

is mostly from Japan so I am honored but

00:11

I would let um Heroku speak more in

00:14

Japanese I will try to speak

00:18

slowly thank

00:28

you

00:53

go

00:53

ahead thank you so uh everyone um thank

00:58

you for joining our monthly

01:00

vulnerability webinar series which is

01:02

designed to keep you informed and

01:05

empowered in the ever revolving threat

01:07

landscape or cyber security threats and

01:11

um each month we would be diving into uh

01:15

the latest trends we would also be

01:18

covering the different

01:19

vulnerabilities and we will be uh taking

01:22

the proactive strategies to mitigate the

01:25

risks from zero day to emerging Mal

01:28

trins to a

01:58

topics

02:04

so for today um we would be covering the

02:06

key topics like current Trend landscape

02:10

analysis vulnerability Deep dive best

02:13

practices and even proactive strategies

02:16

uh we will have a Q&A section as well uh

02:19

I would say if you have any question

02:21

please keep posting in the chat box and

02:23

we will be picking it up so that we can

02:26

answer it um one thing I want to say

02:29

that as it's a half an hour session uh

02:33

so there will not be every question that

02:35

will might be answered or we will not be

02:38

explaining to the core we will be

02:39

sharing tips and tricks topics briefly

02:43

explaining um but we will tell you where

02:46

you can find every detail so that you

02:48

can go through that and um you can ask

02:52

us any questions at any

02:58

time

03:28

for

03:49

now let's start with uh the sneak

03:51

vulnerability database so sneak

03:54

vulnerability database is is a place

03:57

where you have a lot of vulnerabilities

03:59

uh are updated as soon as they come in

04:02

and there are vulnerabilities which

04:04

researchers have found so on this page

04:07

let me give you the URL as

04:28

well

04:30

great so here if you look at this this

04:33

vulnerability database there are

04:34

multiple applications and operating

04:37

system that you can see so let's click

04:38

on one of

04:52

them so here if you can see we have

04:55

cargo Coco PS composer go uh you must be

04:58

using one of them if you are a developer

05:00

even as a security person you might be

05:03

working with developers which who might

05:05

be using these languages and operating

05:22

systems so here if you can see uh there

05:26

are vulnerabilities which have been

05:28

updated on 24th March 21st March 20th

05:31

March and description about each of them

05:34

whether it's high low medium and if you

05:37

want to get deep into these

05:39

vulnerability you can just click on them

05:41

and it talks about the package what you

05:44

need to do overview details attack

05:47

complexity threat intelligence uh what

05:50

information we've got from nvd database

05:52

which is National vulnerability

05:53

disclosure

05:58

database

06:18

uh and it gives you more information for

06:21

references where you can find such

06:23

vulnerabilities now today if let's say

06:26

go back I want to know more about npm so

06:30

npm is the ecosystem which I use a lot

06:32

which which ecosystem do you use npm go

06:35

python you can put it in the chat box I

06:37

would love to know more about

06:55

it all right so for npm if you can see

06:58

there's prototype pollution improper

07:01

input validation cross-site scripting

07:03

malicious packages uh which are here and

07:07

today we will be covering prototype

07:16

pollution uh so let's get to know what

07:19

is prototype pollution so if you're

07:21

using uh npm ecosystem prototype

07:24

pollution is a very big vulnerability

07:27

and a prototype pollution is a

07:29

vulnerability affecting

07:47

JavaScript uh so prototype pollution

07:49

refers to the ability to inject

07:52

properties into the existing JavaScript

07:54

language construct prototypes uh for

07:57

example objects so I can add a a magical

08:01

attribute such as Proto Constructor and

08:04

prototype and play around with the

08:07

application

08:09

[Music]

08:28

protas

08:43

so in Prototype pollution attacker monip

08:46

manipulates the attributes to override

08:48

or pollute a JavaScript application

08:51

object uh uh object prototype of the

08:54

base object by injecting other values uh

08:57

so properties on the object attribute

08:59

are then inherited by all the other

09:01

objects which is like a chain and one

09:05

polluted parameter passed on malicious

09:08

information to other objects as

09:28

well object

09:58

prot

10:25

yeah and if you want to know more about

10:28

it that's sque vulnerability database

10:30

you have information about each of them

10:32

from overview what is the PC how you can

10:35

actually replicate if you're using npm

10:38

ecosystem to details about like if you

10:41

see um that JavaScript language if we

10:43

add these magical attributes uh we as an

10:46

attacker I can play around and overwrite

10:49

or pollute the JavaScript application

10:51

and make it unsafe similarly what are

10:54

the unsafe objects we have how we can

10:56

actually secure them what are the things

10:58

which can go wrong like these are the

11:01

attacks which can happen um even if you

11:04

see prompt property injection to remote

11:06

code execution denial of service can

11:09

actually happen um so it talks about

11:22

everything can you scroll up to the

11:28

overview

11:58

for

12:04

right so now we have got to know about

12:07

these attributes we've got to know about

12:10

that uh this is how we can pollute it

12:12

but then we need to know how we can

12:14

prevent it so the most important thing

12:16

is let's start with input validation

12:19

validating anything that comes

12:28

in

12:35

I can't learn till the time I do it

12:37

myself so we have an application called

12:40

sneak learn so which has multiple

12:42

learning

12:51

Parts let me give you the exact URL so

12:54

that you can actually try it yourself as

12:56

well even after the session hi

13:12

so uh heru if you can send the URL in

13:14

the chat box for attendees that'll be

13:17

great and what I've have done is I have

13:20

six learning Parts the the top three

13:22

talks about the implementing sneak uh

13:26

managing application security with sneak

13:28

and developing so these are more sneak

13:30

focused but if you look at the three

13:32

below they are for developers again the

13:36

different programming languages being

13:37

used in open source ecosystem and OAS

13:40

top

13:42

[Music]

13:58

10

14:01

now let's go step by step and understand

14:04

and uh let me actually look at the

14:06

Prototype pollution

14:15

[Music]

14:28

here

14:36

now if you look at the Prototype

14:38

pollution here uh what is prototype

14:41

pollution explained now as As you move

14:44

down the uh down the reading uh on the

14:47

right hand side if you see there is a

14:49

progress bar which keeps a track of your

14:51

progress and once you complete all the

14:53

lessons in a pting learning progress for

14:56

example if I go to lessons and and um I

15:00

have multiple lessons but if I've

15:01

completed one lesson it'll keep a track

15:05

and once the whole learning path is done

15:07

I'll get a

15:27

certificate

15:55

so here if you look at it it talks about

15:57

what is prototype pollution

15:59

what this lesson is all about like we

16:02

will be playing around with a vulnerable

16:04

API uh how JavaScript prototype can be

16:07

polluted and how we can fix and prevent

16:10

it so this is about the

16:27

lesson yeah and here how exactly it can

16:31

be done in an action so let's learn step

16:34

by step there is a use there is a API

16:37

which has user ID in the um uh in the

16:40

request which is in the post form

16:43

there's another uh API that we have

16:46

where we trying to get the user ID Ro

16:48

using get parameter so we are going to

16:52

be exploiting the vulnerable API here

16:57

today

17:05

now uh so they have given a code snippet

17:08

which we can leverage but now you must

17:10

be thinking how we can do

17:27

it

17:29

now uh what is the the most interesting

17:32

part is that it's a click through app so

17:34

I'll just copy the snippet put it into

17:37

the

17:38

terminal and hit enter it'll give me the

17:42

details that I

17:54

needed and let's say if we asked for

17:57

these details they gave me this now

17:59

let's understand what role uh we have

18:02

for 1337 user now this is an open API so

18:06

I'm a attacker I'm just trying to

18:09

understand more about these

18:19

roles uh so this is where we get to know

18:22

that the the role is user let's get to

18:24

know more details and while adding these

18:27

urls can I get more uh in-depth

18:40

information now what uh so I have to

18:43

share one more thing which I miss that

18:45

I'm using curl here you can use Postman

18:48

you can use any other tool to run the

18:50

API request but curl is something which

18:52

I really like so uh I use here but you

18:55

can use Postman or any other API tool

18:57

that we have

19:09

uh and here when we use this request

19:12

where we says curl the header which is

19:15

which has the content type as

19:17

application gjon and we're trying to

19:19

post the role as admin but again we were

19:23

not able to do it we still got the

19:25

information as Ro user here right

19:38

now what we trying to do is we are

19:40

trying to elevate the privilege from a

19:42

user to an admin

19:55

here here look at this request we're

19:58

trying to Cur the header which ISS

20:00

application Json and we are adding an

20:02

interesting parameter which is this here

20:06

where we defining a third party objects

20:09

as Proto but the role as

20:21

admin let me copy and paste it in the

20:24

terminal and see if the magic happens

20:26

with the magic uh

20:40

object so you can see we are

20:42

successfully managed to elevate

20:44

ourselves to admin Hood by just sending

20:46

a mysterious payload which says that

20:49

Proto roll admin to the back end hi

20:57

there

21:06

now you must be thinking that why this

21:08

magical prefix worked don't worry about

21:10

it we will discuss more detail here

21:23

hi so what happened here is that uh when

21:27

we are sending an object that's being

21:30

stored somewhere in the back end and

21:33

especially with JavaScript objects here

21:35

we added an attribute and we sent it to

21:37

the back end which actually worked

21:40

because it was taking input from the

21:42

user and not validated what validating

21:45

what we're trying to

21:57

send

22:07

here if you can see um what we can try

22:10

we are trying to do is we are again

22:12

trying to G the content type as

22:14

application Json we're trying to post

22:16

Proto but instead of just the admin we

22:19

are trying some random bit of characters

22:22

and bring down our

22:25

[Music]

22:27

application

22:36

so let's exploit the application and see

22:40

if it brings down

22:44

that so if you see it gave 500 in tener

22:47

error which means it actually bring down

22:49

the API now what happened here uh let's

22:53

let's understand more so when it was

22:55

accepting the objects external objects

22:57

in Javas script we sent random things

23:01

and it accepted which actually led to a

23:04

vulnerability and at the same time um it

23:08

brought down the

23:22

application uh now why this happened is

23:25

because JavaScript is a prototype um OB

23:28

object based application and when we

23:31

sent an external object as a prototype

23:34

it accepted and it started to exploit

23:55

that uh if you want to know more about

23:57

it you can see every detail how you can

24:01

run the code why it is accepting it uh

24:04

the different prototypes everything is

24:06

and you can run the code it's a

24:08

clickthrough app that's the most amazing

24:10

part so you can experience it and in

24:13

detail if you see it has been explained

24:16

with the

24:27

architecture

24:41

and not just that it actually talks

24:43

about how we can mitigate as

24:53

well and not just that we have a quiz as

24:56

well in the end which will give you

24:57

bonus

25:06

points let's see if it's

25:09

[Music]

25:11

uh right or wrong let's see see it's

25:15

wrong and if it's right it'll say it's

25:18

right if you see it talks about why it's

25:21

wrong so it gives you that information

25:23

as well till the time you make it

25:27

correct

25:38

and you can actually uh if you want to

25:41

know more about it you have all the

25:43

details

25:47

here keep

25:55

learning uh one thing in the end that I

25:58

want to share that as it's a half in our

26:00

session we can only cover this much but

26:02

we will try and share as much as

26:04

Resources with

26:19

you uh next month we have a session on

26:23

25th of April the same

26:27

time

26:35

uh next month we will be talking more

26:37

about uh different programming languages

26:39

especially covering AI so we would be

26:42

covering prototype pollution and other

26:45

llm level vulnerabilities so make sure

26:47

you join

26:57

us

27:02

so let's say uh I went to this learning

27:05

site and looked for llm so these are the

27:07

two vulnerabilities for llms which we

27:10

have added for prompt injection and

27:12

excessive agency yet but we will have

27:14

more coming

27:26

soon um so next week uh next month when

27:30

we talk about these vulnerabilities

27:32

we'll also be using an external

27:33

application where you can also play

27:35

around you can also try and see how you

27:38

can manipulate these new AI things um

27:42

but yes if you have any questions at any

27:44

given point of time please do feel free

27:46

to reach out to

27:57

us

28:08

in the end if you have any questions

28:10

please do type it in the Q&A section or

28:13

in the chat box uh don't be shy because

28:16

if you don't ask questions they will

28:17

never be answered and if you still want

28:19

to if you're still feeling shy you can

28:22

reach out to us on

28:27

LinkedIn

28:56

thank you so much everyone for joining

28:57

today today uh it was wonderful to have

29:00

you as an audience um hope to see you in

29:03

the next month webinar with lot of

29:04

questions lot of enthusiasm and thank

29:08

you

29:17

everyone see you next

29:21

month thank you

29:23

everyone