Testing Node Security by @jmortegac NOV 18-19 · 2016
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Testing Node Security by @jmortegac
NOV 18-19 · 2016
Agenda
Introduction nodejS security
Npm security packages
Node Goat project
Tools
nodeJS introduction
JavaScript in the backend
Built on Chrome´s Javascript runtime(V8)
NodeJs is based on event loop
Designed to be asynchronous
Single Thread
Concurrent requests.
Security updates
Security updates
Last vulnerabilities https://nodesecurity.io/advisories
NPM modules install
Npm security packages
Helmet
express-session / cookie-session
csurf
express-validator
bcrypt-node
express-enforces-ssl
Security HTTP Headers
Strict-Transport-Security
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
Helmet module https://github.com/helmetjs/helmet
Helmet module
CSPContent-Security-Policy header
hidePoweredBydeletes X-Powered-by header
Hpkpprotection MITM
Hstsforces https connections
noCachedesactive client cache
Frameguardprotection clickjacking
xssFilterprotection XSS
Helmet module
Check headers security http://cyh.herokuapp.com/cyh
https://securityheaders.io/
Express versions
https://www.shodan.io/search?query=express
Disable x-powered-by
Avoid framework fingerprinting
Disable x-powered-by
Use Helmet and use “hide-powered-by” plugin
Sessions management
https://www.npmjs.com/package/cookie-session
secure
httpOnly
domain
path
expires
httpOnly & secure:true
Delete cookies from cache browser
// Set cache control header to eliminate cookies from cache
app.use(function (req, res, next) {
res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
next();
});
XSS attacks
An attacker can exploit XSS vulnerability to:
Steal session cookies/Sesion hijacking
Redirect user to malicious sites
Defacing and content manipulation
Cross Site Request forgery
https://www.npmjs.com/package/csurf
CSRF
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
<button type="submit">Submit</button>
</form>
app.use(function (request, response, next) {
response.locals.csrftoken = request.csrfToken();
next();
});
CSRF
Filter/sanitize user input
Avoid XSS attacks https://www.npmjs.com/package/sanitizer
Module express-validator https://www.npmjs.com/package/express-validator
Validator
Validator
Validator
Validator with reg exp
Regular expressions
https://www.npmjs.com/package/safe-regex
Detect vulnerable regular
expressions that can cause DoS
NodeJS Crypto
http://nodejs.org/api/crypto.html Use require(‘crypto’) to access this module
The crypto module requires OpenSSL
require("crypto")
.createHash("sha1") //algorithm
.update(“cOdEmOtiOn") //text
.digest("hex"); //hexadecimal result
Bcrypt-node
Bcrypt-node
Bcrypt-node
Building a secure HTTPS server
Building a secure HTTPS server
https://www.npmjs.com/package/https-redirect-server
https://www.npmjs.com/package/express-enforces-ssl
Redirect all traffic to https and a
secure port
Building a secure HTTPS server
Building a secure HTTPS server
var helmet = require("helmet");
var ms = require("ms");
app.use(helmet.hsts({
maxAge: ms("1 year"),
includeSubdomains: true
}));
Send hsts header for all requests
Node Goat http://nodegoat.herokuapp.com/tutorial
Node Goat https://github.com/OWASP/NodeGoat
EVAL()
EVAL() on github
EVAL() ATTACKS
res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readdirSync('..').toString())
Insecure Direct Object References
Use session instead of request param
var userId = req.session.userId;
NSP https://github.com/nodesecurity/nsp
npm install -g nsp
Analyze package.json
nsp check --output summary
NSP with Grunt
npm install –g grunt-nsp-package
Nsp execution
Nsp execution
Project dependences https://david-dm.org/
Project dependences
Project dependences npm install –g david
https://github.com/krakenjs/lusca
Retire.js
http://retirejs.github.io/retire.js
Detecting components and js libraries
with known vulnerabilities
Retire.js
Retire.js
Retire.js
Retire.js https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
Retire.js execution
NodeJsScan
https://github.com/ajinabraham/NodeJsScan
python NodeJsScan.py -d <dir>
NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
NodeJsScan
Passport
Passport
https://github.com/jmortega/testing_nodejs_security
GitHub repositories
https://github.com/cr0hn/vulnerable-node
https://github.com/rdegges/svcc-auth
https://github.com/strongloop/loopback-getting-started-
intermediate
References
https://blog.risingstack.com/node-js-security-checklist/
https://blog.risingstack.com/node-js-security-tips/
https://groups.google.com/forum/#!forum/nodejs-sec
https://nodejs.org/en/blog/vulnerability/september-2016-
security-releases/
https://expressjs.com/en/advanced/security-updates.html
http://opensecurity.in/nodejsscan/
http://stackabuse.com/securing-your-node-js-app/
Node security learning
https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books
Related Documents
