Recommended
More Related Content
What's hot
What's hot (20)
Similar to Security in Node.js
Similar to Security in Node.js (20)
Recently uploaded
Recently uploaded (20)
Security in Node.js
- 1. Security in Node.js Forbes Lindesay
- 2. Security in Node.js • Cross Site Request Forgery (CSRF) • SQL Injection • Cross Site Scripting (XSS) • Guessing / Stealing Passwords • Click Jacking @ForbesLindesay
- 3. Security in Node.js • Cross Site Request Forgery (CSRF) • SQL Injection / Cross Site Scripting (XSS) • Guessing / Stealing Passwords • Click Jacking @ForbesLindesay
- 4. Security in Node.js • Cross Site Request Forgery (CSRF) - Session Storage • SQL Injection / Cross Site Scripting (XSS) • Guessing / Stealing Passwords - Rate Limits • Click Jacking @ForbesLindesay
- 6. Do you need passwords? • Secure storage • Secure validation • Password reset • Phishing attacks @ForbesLindesay
- 7. Do you need passwords? • Passwordless - send user’s an e-mail/SMS with a one time code • OAuth - rely on a third party service (Google, Twitter, Facebook, Apple) @ForbesLindesay
- 12. Limiting the number of password attempts Makes it super easy to lock someone out of their account! @ForbesLindesay
- 14. 1 second delay for the second attempt Double the delay for each attempt 6 days for 20 attempts 8 minutes for 10 attempts @ForbesLindesay
- 15. Exponential Delay Must reset on successful login Can only be per account @ForbesLindesay
- 17. Without rate limiting you are using your own CPUs to crack your user’s passwords @ForbesLindesay
- 18. Fixed Window Rate Limiting @ForbesLindesay
- 19. Error: Next Slide Rate Limit Exceeded. Try again in 60 seconds @ForbesLindesay
- 20. Sliding Window Rate Limiting Forces us to keep track of every event! @ForbesLindesay
- 21. Token Bucket Rate Limiting @ForbesLindesay
- 39. function update({tokenCount, timestamp}, {interval, bucketCapacity}, now) { const increase = Math.floor((now - timestamp) / interval); const newTokenCount = Math.min(tokenCount + increase, bucketCapacity); const newTimestamp = newTokenCount < maxSize ? timestamp + interval * increase : now; return {tokenCount: newTokenCount, timestamp: newTimestamp}; }
- 40. function take(oldState, options, now) { const {tokenCount, timestamp} = oldState ? updateBucketState(oldState, options, now) : {tokenCount: options.bucketCapacity, timestamp: now}; if (tokenCount > 0 && now >= timestamp) { // if there is a token available and the timestamp is in the past // take the token and leave the timestamp un-changed return {tokenCount: tokenCount - 1, timestamp}; } // update the timestamp to a time when a token will be available, leaving // the token count at 0 return {tokenCount, timestamp: timestamp + options.interval}; }
- 41. async function takeToken(key, options) { const now = Date.now(); const oldState = await db.getRateLimitState(key); const newState = take(oldState, options, now); // N.B. replaceRateLimitState should throw if current state // doesn't match oldState to avoid concurrent token usage await db.replaceRateLimitState(key, newState, oldState); if ((newState.timestamp - now) > 0) { await new Promise(r => setTimeout(r, newState.timestamp - now)); } }
- 43. function getDelay(attemptNumber, {baseDelay, factor}) { return baseDelay * Math.pow(factor, attemptNumber); } function take(oldState, options, now) { if (!oldState) { return {attemptNumber: 0, timestamp: now}; } return { value: state.attemptNumber + 1, timestamp: Math.max( state.timestamp + getDelay(state.attemptNumber, options), now, ), }; }
- 44. Exponential Delay • Timestamp of last attempt • Number of attempts Token Bucket • Timestamp when token count was last updated • Number of tokens in bucket @ForbesLindesay
- 47. @ForbesLindesay
- 48. Cookie NPM Package • httpOnly - prevents accessing via JavaScript - defaults to false • sameSite - prevents CSRF (in modern browsers) - defaults to false • secure - requires https - defaults to false @ForbesLindesay
- 50. Cookie NPM Package • @authentication/cookie - secure defaults and same-site polyfill + built in signing & encryption • @authentication/cookie-session - cookie-session compatible wrapper @ForbesLindesay
- 52. SQL Mixes Data & Code @ForbesLindesay
- 53. INSERT INTO Posts (body, author) VALUES ("My Post", "MyName") @ForbesLindesay
- 54. 'INSERT INTO Posts (body, author) VALUES ("' + body + '", "' + author + '")' @ForbesLindesay This code is insecure
- 55. INSERT INTO Posts (body, author) VALUES ("My Post", "SomeoneElse") -- ", "MyName") @ForbesLindesay
- 56. INSERT INTO Posts (body, author) VALUES ("My Post", "SomeoneElse") -- ", "MyName") @ForbesLindesay
- 59. INSERT INTO Posts (body, author) VALUES (?, ?) @ForbesLindesay
- 60. query( `INSERT INTO Posts (body, author) VALUES (?, ?)`, [body, author] ); @ForbesLindesay
- 62. import sql from ‘@databases/sql'; query( sql` INSERT INTO Posts (body, author) VALUES (${body}, ${author}) ` ); @ForbesLindesay
- 64. Open-source at Threads Please follow @threads_eng on Twitter for updates on open-source, etc. We have confirmed one of the top open source contributors @gajus to talk about his journey in open-source at JavaScript Open-source Meetup on 17/09 Please join at https://www.meetup.com/JavaScript-Open-source-Meetup/ or https://thrds.biz/ meetup