
Securing Angular and Node.js Apps in Azure

Published in: Engineering

  1. Securing Angular and Node.js Apps in Azure. Brian Clark, _clarkio
  2. Casterly Rock
  3. Casterly Rock
  4. Casterly Rock
  5. Casterly Rock: “an impregnable fortress”
  6. Casterly Rock ?!
  7. Casterly Rock
  8. Deter your enemies
  9. Defending against…
  10. Defending against… Mortars, Arrows, Infantry
  11. O W A S P
  12. Open Web Application Security Project (owasp.org)
  13. Access Control
  14. Authentication: you are who you say you are. Authorization: you have the required permissions for the request.
  15. Browser http://insecureheroes.com — Server http://insecureheroes.com
  16. Browser http://insecureheroes.com — Server http://insecureheroes.com
  17. Browser http://insecureheroes.com — Server http://insecureheroes.com
  18. Browser http://insecureheroes.com (Cookies) — Server http://insecureheroes.com
  19. Browser http://insecureheroes.com (Cookies) — Server http://insecureheroes.com. Hero: Luke
  20. Demo
  21. Malicious Input
  22. Insecure Heroes http://insecureheroes.com
  23. Cross-site Scripting (XSS): an attack that injects malicious code into a trusted web site such that it may be executed unintendedly by other users
  24. Prevention. Input Handling: ensure data is aligned with the expectations for its intended use. Content Security Policy: control what resources the browser is allowed to load.
  25. Input Handling
  26. Input Handling
  27. Input Handling: Validation, Sanitization, Escaping
  28. Validation: ensure the data is legit. Input: Invalid Email. Result: (shown on slide)
  29. Sanitization: clean the bad data. Result: BC
  30. Escaping: encode the bad data. Input: B<script>alert(1);</script>C. Result: (shown on slide)
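The three handlers on slides 27 to 30 (validation, sanitization, escaping), as an added Node.js example that is not from the talk or its insecure-heroes sample. It uses no packages; the email pattern, the handleHeroSubmission function and its field rules are my own assumptions, and the inputs in the comments are constructed to match the slides.

```javascript
// Added example (not the talk's code): validation, sanitization and escaping
// implemented with Node.js built-ins only. Names and rules are assumptions.

// Validation: decide whether the data is legitimate for its intended use.
// Constructed, deliberately simple pattern: one local part, one dotted domain.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function isValidEmail(value) {
  return typeof value === 'string' && value.length <= 254 && EMAIL_RE.test(value);
}

// Sanitization: remove the bad data. Strips <script>...</script> blocks and any
// remaining tags, so "B<script>alert(1);</script>C" becomes "BC" as on slide 29.
function sanitize(value) {
  return String(value)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?[^>]+>/g, '');
}

// Escaping: keep the data but encode it so the browser renders it as text
// instead of markup (slide 30).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Where to apply them (slides 35-38): at the security boundary, i.e. on the
// server where the request arrives from the untrusted browser. Validation and
// sanitization run on input; escaping runs again when the value is rendered.
function handleHeroSubmission(body) {
  const errors = [];
  if (!isValidEmail(body.email)) errors.push('email');
  const rawName = typeof body.name === 'string' ? body.name : '';
  const name = sanitize(rawName).trim();
  if (name.length === 0 || name.length > 50) errors.push('name');
  if (errors.length) return { ok: false, errors };
  return {
    ok: true,
    hero: { name, email: body.email },
    // Output encoding: even sanitized data is escaped before it hits HTML.
    rendered: `<li>${escapeHtml(name)}</li>`,
  };
}

module.exports = { isValidEmail, sanitize, escapeHtml, handleHeroSubmission };
```

Sanitization and escaping are not interchangeable: sanitization changes the stored value (the user's "B<script>...C" silently becomes "BC"), while escaping preserves it and only changes how it is rendered, which is why the handler still escapes the already-sanitized name on output.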
  31. Do not trust user input
  32. Where should we apply input handlers?
  33. Where should we apply input handlers? Client? Server?
  34. Browser http://insecureheroes.com — Server http://insecureheroes.com
  35. Browser http://insecureheroes.com — Server http://insecureheroes.com. Security Boundary
  36. Browser http://insecureheroes.com (Untrusted) — Server http://insecureheroes.com. Security Boundary
  37. Browser http://insecureheroes.com — Server http://insecureheroes.com (Trusted). Security Boundary
  38. Both
  39. https://angular.io/guide/security
  40. https://angular.io/guide/security
  41. ?
  42. https://www.npmjs.com/package/express-validator
  43. https://www.npmjs.com/package/xss-filters
  44. Demo
  45. Content Security Policy
  46. Content Security Policy: Content-Security-Policy: default-src 'self'. Describes source types in directives (css, image, etc.). Inline content governed by the policy: <script>var x = “yz”;</script> and <div style=“{margin-top:10px;}”>
  47. https://www.npmjs.com/package/helmet
  48. https://www.npmjs.com/package/helmet
  49. Faking Requests
  50. Browser http://insecureheroes.com (Cookies) — Server http://insecureheroes.com. Hero: Luke
  51. Browser http://insecureheroes.com (Cookies), http://clickbaity.co — Server http://insecureheroes.com
  52. Browser http://insecureheroes.com (Cookies), http://attacker.com — Server http://insecureheroes.com. Attack insecureheroes.com. Hero: Darth
  53. Demo
  54. Cross-site Request Forgery: an attack that executes a request on behalf of another authenticated user that was not intending to perform that action being requested
  55. Synchronizer Token Pattern: random token, unique to user and session, included as a header, validated server-side
  56. https://www.npmjs.com/package/csurf
  57. https://angular.io/guide/http#security-xsrf-protection
  58. Demo
  59. Stealing Clicks
  60. Demo
  61. Clickjacking: an attack that tricks users into clicking on content that they were not intending to click on
  62. Clickjacking Mitigation: X-FRAME-OPTIONS with DENY, SAMEORIGIN or ALLOW-FROM: URL*. *Or Content-Security-Policy: frame-ancestors: URL
  63. https://helmetjs.github.io/
  64. Demo
  65. Package Management
  66. https://nodesecurity.io/opensource
  67. https://snyk.io
  68. Demo
  69. Summary: Access Control, Malicious Input, Faking Requests, Stealing Clicks, Package Management
  70. References: https://owasp.org; https://github.com/Azure-Samples/angular-cosmosdb (branch: insecure-heroes); https://angular.io/guide/security; https://www.npmjs.com/package/csurf; https://angular.io/guide/http#security-xsrf-protection; https://www.npmjs.com/package/helmet; https://nodesecurity.io/opensource; https://snyk.io. © DEVintersection 2017. All rights reserved. https://www.DEVintersection.com
  71. Please use EventsXD to fill out a session evaluation. Thank you! Brian Clark, _clarkio
