Fusker – NodeJS Security
Security that fights back.
Eric Schoffstall, @wearefractal

Comparisons
- Better than when Bill Grates invented MichaelSoft
- Better than when Mork Zoonerberg invented Fezbook
- Cooler than existing NodeJS security frameworks
Mac Zerkerberg: WUTS DAT? THERE ARE NO SECURITY FRAMEWORKS

Why is Fusker so hot?
- Lightweight
- Modular design
- Flexible
- Easy integration
- Written in CoffeeScript
- Funny as hell

Integration/Support
- Can wrap HTTPServer
- Can wrap Socket.IO
- Compatible with UselessJS
- Can be used as Connect/Express middleware
- Easy to modify and integrate with any other frameworks
All your logs are belong to us
Logs are written any time an attack is detected. Socket and HTTP attacks are saved in separate files. A sample HTTP record:

  [- ATTACK DETAILS FOR Fri Aug 12 2011 19:28:33 GMT-0700 (MST) -]
  --> Detective: SQLi-0
  --> Request: GET /index.html?id=1'%20OR%20'1'='1'
  --> IP: 127.0.0.1
  [- END ATTACK DETAILS -]
Before switching to Fusker

  var http = require('http');
  var url = require('url');
  var fs = require('fs');
  var path = require('path');
  var socketio = require('socket.io');   // used below but never required on the original slide

  var serv = http.createServer(function (req, res) {
    var file = url.parse(req.url).pathname;
    if (file === '/') { file = '/index.html'; }
    // The URL path is joined straight onto the document root with no
    // normalisation or check; this is exactly the traversal an LFI detective looks for.
    fs.readFile(path.join(__dirname, file), function (err, data) {
      if (err) { res.writeHead(404); res.end(); return; }   // don't leave the request hanging
      res.writeHead(200);
      res.write(data, 'utf8');
      res.end();
    });
  });
  serv.listen(8080);
  var io = socketio.listen(serv);
After switching to Fusker

  var fusker = require('fusker');
  var server = fusker.http.createServer(8080);
  var io = fusker.socket.listen(server);
Slick Diagram (image, not reproduced in the transcript)
Detectives
- Modules take incoming data and run it through a series of patterns
- If a pattern matches, the module can call the attack manager
- Fusker comes with detectives for XSS, CSRF, SQLi and LFI attacks
- Fusker can also treat 404s as a threat, to punish people who are snooping around your server
  (a pattern detective only catches what its regexes describe, and will also fire on legitimate input that happens to contain quotes or angle brackets; the 404 detective likewise fires on users following stale links, so tune the pattern list and ban length before turning it on)
Payloads
- Payloads are executed by the attack manager when an attack is detected
- Payloads have access to the request and response objects, so you can do fun stuff like redirects or even send back browser exploits
- Fusker comes with a large number of built-in payloads that were designed with lulz in mind
- The blacklist payload adds users to a blacklist and drops all future incoming requests
  (the attack log identifies a user by source IP, so an IP-keyed blacklist also drops everyone behind the same NAT or proxy, and an attacker who rotates addresses is only slowed down)
Configuration

  fusker.config.dir = process.cwd();
  fusker.config.banLength = 1;
  fusker.config.verbose = true;
  fusker.http.detectives.push('csrf', 'xss', 'sqli', 'lfi', '404');
  fusker.http.payloads.push('blacklist', 'bush');
  fusker.socket.detectives.push('xss', 'sqli', 'lfi');
  fusker.socket.payloads.push('blacklist');
DIY Detectives

  // The require path is not on the original slide; use whatever resolves to the
  // fusker module from where your detective file lives.
  var fusker = require('fusker');

  exports.check = function (req, res) {
    // Walk the LFI pattern list and report the first pattern that matches the URL.
    for (var i = fusker.patterns.lfi.length - 1; i >= 0; --i) {
      if (fusker.patterns.lfi[i].test(req.url)) {
        fusker.http.handleAttack('LFI-' + i, req, res);
        return;
      }
    }
  };

- Put an array of regex patterns for your detective in patterns.js
- Loop through them and test against incoming data
- Call handleAttack if a test is positive
DIY Payloads
- Easy as hell
- Lots of fun to be had messing with people trying to hack you

  exports.run = function (req, res) {
    res.writeHead(302, {'Location': 'http://nyan.cat/'});
    res.end();
  };
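The detective and payload slides above describe a pipeline (pattern lists, a check loop, an attack manager that logs and runs payloads) without showing the pieces working together. The following is an added, stand-alone example in plain Node.js, not Fusker's own code: the pattern table, the AttackManager class with a blacklist payload, the ban length and the sample requests are all constructed here. It adds one check the slides do not mention, percent-decoding the input (repeatedly, to catch double encoding) before matching, since the sample attack on the logging slide arrives encoded.

```javascript
// Added example (not Fusker's code): detectives, attack manager and blacklist
// payload in plain Node.js. All names, patterns and sample data are constructed.

// Pattern table, like the per-detective arrays the DIY slide keeps in patterns.js.
// Matching is done on the percent-DECODED input, so "1'%20OR%20'1'='1'" is
// seen as "1' OR '1'='1'" and cannot hide behind encoding.
const patterns = {
  sqli: [
    /'\s*(or|and)\s*'?\s*\w+'?\s*=/i,      // 1' OR '1'='1   /  1' or 1=1
    /union\s+(all\s+)?select/i,             // UNION SELECT
    /;\s*(drop|delete|update|insert)\s/i,   // stacked statement
  ],
  lfi: [
    /\.\.[\/\\]/,                           // ../ or ..\ traversal
    /\/etc\/(passwd|shadow)/i,              // classic traversal target
    /\b(php|file|data):\/\//i,              // stream wrappers
  ],
  xss: [
    /<\s*script/i,                          // <script>
    /on(load|error|mouseover)\s*=/i,        // inline event handler
    /javascript:/i,                         // javascript: URL
  ],
};

// Decode repeatedly (bounded) so double-encoded payloads are normalised too.
// A malformed escape throws; the text is then matched as it stands.
function decode(s) {
  let out = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// One detective: returns "<KIND>-<index>" for the first matching pattern, or
// null. Same naming as the slide's handleAttack('LFI-' + i, ...).
function runDetective(kind, input) {
  const list = patterns[kind];
  for (let i = 0; i < list.length; i++) {
    if (list[i].test(input)) return kind.toUpperCase() + '-' + i;
  }
  return null;
}

// Attack manager: detectives run in order; a hit is logged in the format of
// the "All your logs" slide and the source IP is banned for banLengthMs.
class AttackManager {
  constructor(detectives, banLengthMs) {
    this.detectives = detectives;     // e.g. ['sqli', 'lfi', 'xss']
    this.banLengthMs = banLengthMs;
    this.bans = new Map();            // ip -> expiry timestamp (ms)
    this.log = [];
  }

  isBanned(ip, now) {
    const until = this.bans.get(ip);
    if (until === undefined) return false;
    if (until <= now) { this.bans.delete(ip); return false; }  // ban expired
    return true;
  }

  // Returns 'BLACKLISTED', a detective name such as 'SQLI-0', or null.
  inspect(req, now) {
    if (this.isBanned(req.ip, now)) return 'BLACKLISTED';
    const targets = [decode(req.url)];
    if (req.body) targets.push(decode(req.body));   // inspect POST bodies too
    for (const kind of this.detectives) {
      for (const t of targets) {
        const hit = runDetective(kind, t);
        if (hit) { this.handleAttack(hit, req, now); return hit; }
      }
    }
    return null;
  }

  handleAttack(name, req, now) {
    this.bans.set(req.ip, now + this.banLengthMs);           // blacklist payload
    this.log.push([
      '[- ATTACK DETAILS FOR ' + new Date(now).toUTCString() + ' -]',
      '--> Detective: ' + name,
      '--> Request: ' + req.method + ' ' + req.url,
      '--> IP: ' + req.ip,
      '[- END ATTACK DETAILS -]',
    ].join('\n'));
  }
}

// Constructed sample traffic (not captured from any real server).
const sampleRequests = [
  { ip: '10.0.0.5', method: 'GET', url: "/index.html?id=1'%20OR%20'1'='1'" },
  { ip: '10.0.0.6', method: 'GET', url: '/static/..%2F..%2F..%2Fetc/passwd' },
  { ip: '10.0.0.7', method: 'GET', url: '/search?q=%3Cscript%3Ealert(1)%3C/script%3E' },
  { ip: '10.0.0.8', method: 'GET', url: '/about.html' },
  { ip: '10.0.0.5', method: 'GET', url: '/index.html' },   // same IP as the SQLi probe
];

// Run the sample through a manager; also report whether the first attacker is
// still banned once banLengthMs has elapsed.
function runSample(banLengthMs) {
  const mgr = new AttackManager(['sqli', 'lfi', 'xss'], banLengthMs);
  const now = Date.UTC(2011, 7, 13, 2, 28, 33);
  const verdicts = sampleRequests.map((r) => mgr.inspect(r, now));
  return { verdicts, log: mgr.log, bannedAfterExpiry: mgr.isBanned('10.0.0.5', now + banLengthMs) };
}

console.log(runSample(60 * 60 * 1000).verdicts);   // one-hour ban
```

The verdicts for the five sample requests come out as SQLI-0, LFI-0, XSS-0, null and BLACKLISTED: the fifth request is a harmless page load, but it comes from the IP that sent the SQLi probe and is dropped by the blacklist until the ban expires.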
Take a HWAK at it
You think you're a raw dog? You think you can beat Fusker?
fusker.nodester.com
Come at me bro.
Links
- Fusker: https://github.com/wearefractal/Fusker
- Other Projects: https://github.com/Contra
- Twitter: @wearefractal
