Fusker - A NodeJS Security Framework

Security that fights back.

Published in: Technology, Design

Transcript

  • 1. Fusker – NodeJS Security
    Fusker: Security that fights back
    Eric Schoffstall, @wearefractal
  • 2. Comparisons
    • Better than when Bill Grates invented MichaelSoft
    • 3. Better than when Mork Zoonerberg invented Fezbook
    • 4. Cooler than existing NodeJS security frameworks
    Mac Zerkerberg
  • 5. WUTS DAT? THERE ARE NO SECURITY FRAMEWORKS
  • 6. Why is Fusker so hot?
  • 12. Integration/Support
    • Can wrap HTTPServer
    • 13. Can wrap Socket.IO
    • 14. Compatible with UselessJS
    • 15. Can be used as Connect/Express middleware
    • 16. Easy to modify and integrate with any other frameworks
  • 17. All your logs are belong to us
    A log entry is written every time an attack is detected. Socket and HTTP attacks are saved in separate files. Example entry:
      [- ATTACK DETAILS FOR Fri Aug 12 2011 19:28:33 GMT-0700 (MST) -]
      --> Detective: SQLi-0
      --> Request: GET /index.html?id=1'%20OR%20'1'='1'
      --> IP: 127.0.0.1
      [- END ATTACK DETAILS -]
  • 18. Before switching to Fusker
      var http = require('http');
      var url = require('url');
      var sys = require('sys');
      var fs = require('fs');
      var path = require('path');
      var socketio = require('socket.io'); // not shown on the slide, but socketio.listen below needs it

      var serv = http.createServer(function (req, res) {
        var file = url.parse(req.url).pathname;
        if (file === '/') {
          file = '/index.html';
        }
        // Serves whatever path the client asked for, relative to the working
        // directory, with no check that the resolved path stays inside it.
        fs.readFile(path.join(process.cwd(), file), function (err, data) {
          if (err) {
            res.writeHead(404); // the slide's version left the response hanging on error
            res.end();
            return;
          }
          res.writeHead(200);
          res.write(data, 'utf8');
          res.end();
        });
      });
      serv.listen(8080);
      var io = socketio.listen(serv);
  • 19. After switching to Fusker
      var fusker = require('fusker');
      var server = fusker.http.createServer(8080);
      var io = fusker.socket.listen(server);
  • 20. Slick Diagram
  • 21. Detectives
    • Modules take incoming data and run it through a series of patterns
    • 22. If a pattern matches the module can call the attack manager
    • Fusker comes with detectives for XSS, CSRF, SQLi and LFI vulnerabilities
    • 23. Fusker can also treat 404s as a threat to punish people who are snooping around your server
  • 24. Payloads
    • Payloads are executed by the attack manager when an attack is detected
    • 25. Payloads have access to the request and response objects so you can do fun stuff like redirects or even send back browser exploits
    • Fusker comes with a large amount of built-in payloads that were designed with lulz in mind
    • 26. The blacklist payload will add users to a blacklist and drop all future incoming requests
  • 27. Configuration
      fusker.config.dir = process.cwd();
      fusker.config.banLength = 1;
      fusker.config.verbose = true;
      fusker.http.detectives.push('csrf', 'xss', 'sqli', 'lfi', '404');
      fusker.http.payloads.push('blacklist', 'bush');
      fusker.socket.detectives.push('xss', 'sqli', 'lfi');
      fusker.socket.payloads.push('blacklist');
  • 28. DIY Detectives
      // Assumed: the slide does not show how `fusker` comes into scope inside a
      // detective module; requiring it is the obvious reading.
      var fusker = require('fusker');

      exports.check = function (req, res) {
        // Walk the LFI pattern list backwards; the first match wins and the
        // attack manager is handed the pattern index as part of the label.
        for (var i = fusker.patterns.lfi.length - 1; i >= 0; --i) {
          if (fusker.patterns.lfi[i].test(req.url)) {
            fusker.http.handleAttack('LFI-' + i, req, res);
            return;
          }
        }
      };
    • Put an array of regex patterns for your detective in patterns.js
    • 29. Loop through them and test against incoming data
    • 30. Call handleAttack if a test is positive
  • 31. DIY Payloads
    • Easy as hell
    • 32. Lots of fun to be had messing with people trying to hack you
      exports.run = function (req, res) {
        res.writeHead(302, {'Location': 'http://nyan.cat/'});
        res.end();
      };
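The detective, attack manager and payload pipeline that slides 17 through 32 describe, as an added example that is not part of the deck and not Fusker's own code. Everything in it is constructed for illustration: the pattern lists, the `SQLi`/`LFI`/`XSS` labels, the in-memory attack log, the assumption that `banLength` is in minutes, and a fake response object so the whole thing runs offline. The request with `id=1'%20OR%20'1'='1'` is the one from the log entry on slide 17.

```javascript
'use strict';
// Added example, not Fusker's code: a miniature detective -> attack manager ->
// payload pipeline in the shape the slides describe. Everything below is
// constructed for illustration.

// One array of regexes per detective, as the "DIY Detectives" slide prescribes.
// Deliberately small lists; real ones are longer and still produce false positives.
const patterns = {
  sqli: [/'\s*(or|and)\s*'/i, /\bunion\s+select\b/i, /;\s*drop\s+table\b/i],
  lfi:  [/\.\.\//, /\/etc\/passwd\b/],
  xss:  [/<script\b/i, /javascript:/i],
};
// Label each detective the way the log on slide 17 spells it (assumed).
const labels = { sqli: 'SQLi', lfi: 'LFI', xss: 'XSS' };

// Mirrors fusker.config and the http detective/payload lists from the
// configuration slide; the banLength unit (minutes) is an assumption.
const config = { banLength: 1, verbose: false };
const httpDetectives = ['xss', 'sqli', 'lfi'];
const httpPayloads = ['blacklist'];

const blacklist = new Map(); // ip -> ban expiry, ms since epoch
const attackLog = [];        // in-memory stand-in for the HTTP attack log file

// Percent-decode once, so "%20OR%20" is matched as " OR "; keep the raw URL on
// a malformed escape rather than crashing the server on hostile input.
function decodeUrl(url) {
  try { return decodeURIComponent(url); } catch (e) { return url; }
}

// A generic detective: run every pattern of `name` over the request URL and
// return "<LABEL>-<index>" for the first hit, or null. Same loop as the
// exports.check shown on the DIY Detectives slide.
function checkDetective(name, req) {
  const list = patterns[name];
  const target = decodeUrl(req.url);
  for (let i = list.length - 1; i >= 0; --i) {
    if (list[i].test(target)) return labels[name] + '-' + i;
  }
  return null;
}

// One log entry in the layout shown on the "All your logs" slide.
function formatAttackEntry(detective, req, date) {
  return [
    '[- ATTACK DETAILS FOR ' + date.toString() + ' -]',
    '--> Detective: ' + detective,
    '--> Request: ' + req.method + ' ' + req.url,
    '--> IP: ' + req.ip,
    '[- END ATTACK DETAILS -]',
  ].join('\n');
}

function isBlacklisted(ip, now) {
  const expiry = blacklist.get(ip);
  if (expiry === undefined) return false;
  if (now >= expiry) { blacklist.delete(ip); return false; } // ban has lapsed
  return true;
}

// Payloads take (req, res) like exports.run on the DIY Payloads slide. This
// one bans the client IP for banLength minutes and closes the request with 403.
const payloads = {
  blacklist(req, res, now) {
    blacklist.set(req.ip, now + config.banLength * 60 * 1000);
    res.writeHead(403);
    res.end();
  },
};

// The attack manager: record the event, then run every configured payload.
function handleAttack(detective, req, res, now) {
  attackLog.push(formatAttackEntry(detective, req, new Date(now)));
  for (const name of httpPayloads) payloads[name](req, res, now);
}

// Per-request entry point. Returns the detective label that fired,
// 'BLACKLISTED' when the request was dropped, or null for a clean request.
function inspect(req, res, now = Date.now()) {
  if (isBlacklisted(req.ip, now)) { res.destroy(); return 'BLACKLISTED'; }
  for (const name of httpDetectives) {
    const hit = checkDetective(name, req);
    if (hit) { handleAttack(hit, req, res, now); return hit; }
  }
  return null;
}

// Minimal stand-in for http.ServerResponse so the example runs offline.
function fakeResponse() {
  return {
    statusCode: null, ended: false, destroyed: false,
    writeHead(code) { this.statusCode = code; },
    end() { this.ended = true; },
    destroy() { this.destroyed = true; },
  };
}
```

Two things worth noticing when running it: the detectives test the percent-decoded URL, since `%20OR%20` would otherwise slip past a pattern written for `' OR '`; and the blacklist payload keys on the source IP, so in production it also bans every other client behind the same NAT or proxy for the length of the ban, which is why `banLength` is kept short.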
  • 33. Take a HWAK at it
    You think you're a raw dog? You think you can beat fusker?
    fusker.nodester.com
    Come at me bro.
  • 34. Links
    Fusker: https://github.com/wearefractal/Fusker
    Other Projects: https://github.com/Contra
    Twitter: @wearefractal