Application security is often an afterthought for developers, as we concentrate on the next shiny new feature for our projects. In this talk, we’ll highlight the importance of application security and explore some simple and practical ways that we as developers can defend our services from intrusion.
We’ll look at how my team at the BBC approached security concerns when creating the new BBC ID applications, and dive into some code examples to explore the best practices for Node.js server security.
Talk originally given at JavaScript North West meetup. https://www.meetup.com/JavaScript-North-West/events/239152184/
6. WHAT’S THIS ALL ABOUT?
WHY DEVELOPERS SHOULD CARE
BBC ID ARCHITECTURE
BECOMING A “SECURITY EXPERT”
OWASP TOP 10
ENCRYPT TRAFFIC (VERY BRIEFLY)
7. WHAT’S THIS ALL ABOUT?
INPUT VALIDATION
OUTPUT SANITISATION (XSS)
ID-NODE-SERVER
EXPRESS SECURITY MIDDLEWARE
CROSS SITE REQUEST FORGERY
// TODO : FUTURE WORK
52. OWASP TOP 10 (2013)
A1 INJECTION
A2 BROKEN AUTHENTICATION / SESSION MANAGEMENT
A3 CROSS SITE SCRIPTING (XSS)
A4 INSECURE DIRECT OBJECT REFERENCES
A5 SECURITY MISCONFIGURATION
53. OWASP TOP 10
A6 SENSITIVE DATA EXPOSURE
A7 MISSING FUNCTION LEVEL ACCESS CONTROL
A8 CROSS SITE REQUEST FORGERY (CSRF)
A9 USING COMPONENTS WITH KNOWN VULNERABILITIES
A10 UNVALIDATED REDIRECTS & FORWARDS
72. INPUT VALIDATION
WHITELIST VALIDATION > SIMPLE VALIDATION
VALIDATE ALL USER INPUT
VALIDATE ON CLIENT AND SERVER
CLEAN & WHITELIST DATA BEFORE API CALLS
BEWARE OF DATA EXPOSURE THROUGH ERROR MESSAGING...
79. CROSS SITE SCRIPTING (XSS)
INJECTION OF MALICIOUS SCRIPT INTO PAGE
DATA FROM AN UNTRUSTED SOURCE
DATA INCLUDED WITHOUT VALIDATION
STORED XSS
REFLECTED XSS
98. SANITISE IN CONTEXT
SANITISE AS JS FOR JS OUTPUT
SANITISE AS HTML FOR HTML OUTPUT
WHITELIST TAGS AND ATTRIBUTES
BE CAREFUL WITH QUERY PARAMETERS
PARSING IS HARD!
114. X-Content-Type-Options
PREVENT CLIENT FROM GUESSING MIME TYPE
SERVER CAN SEND WRONG “CONTENT-TYPE”
BROWSER WILL EXECUTE JAVASCRIPT
<img src="http://bad.com/bad-html.jpg" />
app.use(helmet.noSniff());
117. Content-Security-Policy
TELL GOOD JS FROM BAD JS
WHITELIST ALLOWED CONTENT SOURCE
JS / CSS / IMAGES / FONTS
HARD TO GET RIGHT FOR US
app.use(helmet.contentSecurityPolicy(cspConfiguration));
118. Content-Security-Policy
SHARED HEADER (LOADS OTHER RESOURCES)
NO OWNER OF ALL VALID SOURCES
DUAL DOMAIN (BBC.COM & BBC.CO.UK)
SOME “UNSAFE” EXTERNAL DEPENDENCIES
USE REPORT-URI DIRECTIVE FOR FAILURES
133. WHAT IS CSRF?
USER IS AUTHENTICATED
CLICKS ON MALICIOUS LINK
REQUEST HAS SIDE EFFECTS / MUTATES STATE
BROWSER SENDS AUTHENTICATED COOKIES
USER COMPROMISED WITHOUT REALISING
136. MITIGATE CSRF: SESSION
AFTER CALLBACK
RETRIEVE NONCE FROM STATE
RETRIEVE NONCE FROM COOKIE
IF EQUAL THEN ALL IS GOOD
TAMPERED REQUEST IF NOT
REMOVE NONCE COOKIE IN BOTH CASES
138. MITIGATE CSRF: SESSION
POST PROFILE
RETRIEVE NONCE FROM HIDDEN FIELD
RETRIEVE NONCE FROM COOKIE
IF EQUAL THEN ALL IS GOOD
TAMPERED REQUEST IF NOT
REMOVE NONCE COOKIE IN BOTH CASES
143. // TODO: FUTURE WORK
WHITELIST REDIRECTS
REQUEST PARAMETER POLLUTION
REGULAR EXPRESSION DOS
HTTP STRICT TRANSPORT SECURITY (HSTS)
TIMING ATTACKS
144. // TODO: FUTURE WORK
ADD SNYK / NSP INTO BUILD PIPELINE
SECURITY TEST SUITE
LOG CHECKING TEST SUITE
MAP ATTACK SURFACES
STRICT SECURITY CODE REVIEWS
154. IMAGE CREDITS
Digital background image / Designed by Freepik
Email icon / Chanut is Industries licensed under CC 3.0 BY
Other Icons / Bogdan Rosu licensed under CC 3.0 BY
All other images / CC0 / Unsplash or Pexels