
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP


Liran leads the core team of the MEAN.js JavaScript framework and recently published Essential Node.js Security. Passionate about open source since an early age, he continuously contributes to many projects on GitHub around Node.js, JavaScript, Docker, and security.

An avid supporter of and contributor to the open source movement, in 2007 Liran redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).

Published in: Internet


  1. Node.js Security: Breaking The Loop. Liran Tal, Engineering Manager @ Nielsen Marketing Cloud, November 2017
  2. Essential Node.js Security: https://leanpub.com/nodejssecurity/c/jsheroes
  3. The Magical 2010
  4. The Magical 2010: Backbone.js, Underscore.js, AngularJS, Knockout.js, Node.js, npm
  5. Node.js is JavaScript. JavaScript is Everywhere
  6. Security Horror Stories in Node.JS
  7. Fail #1
  8. By January 2015 ◇ rimrafall package published to npm
  9. rimrafall ◇ npm pre-install script: $ rm -rf /*
  10. Fail #2
  11. validator.js ◇ helps validate and sanitize strings
  12. $ npm install validator.js --save
  13. validator.js != validator
  14. malicious modules of similar names
  15. 3,500,000 socket.io vs 2,000 socketio: malicious modules of similar names
  16. Fail #3
  17. seemingly innocent tutorial to learn from
  18. Enough with the Horror!
  19. Node.js Security Mindset
  20. Part 1: Security by HTTP Headers
  21. The Big 3
  22. The Big 3
  23. The Big 3: 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy
  24. Security by HTTP Headers, The Big 3: 1. Strict-Transport-Security: Browsers enforce secure (HTTPS) connections to the server
  25. 1. Strict-Transport-Security: http://www.bank.com <a href="https://bank.com/login"> http://www.bank.com/login
  26. 1. Strict-Transport-Security: http://www.bank.com -> https://www.bank.com
  27. 2. X-Frame-Options: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on
  28. 2. X-Frame-Options
  29. 2. X-Frame-Options
  30. 3. Content-Security-Policy: Whitelist Trusted Content
  31. The Big 3: 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy
  32. The Big 3: 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy
  33. Helmet: Securing ExpressJS
  34. Putting it all together with Helmet and ExpressJS
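Putting the Big 3 together, as an added example that is neither the talk's code nor Helmet's: an Express-style middleware that sets the three headers, and an audit function that flags a response where any of them is missing or weak. Helmet's hsts(), frameguard() and contentSecurityPolicy() set the same headers; the max-age, DENY and default-src values here are assumed baseline choices, and the fake response object stands in for Express so the block runs on its own.

```javascript
// Added example (not code from the talk or from Helmet); the header values
// below are assumed baseline choices, not Helmet's defaults.

// Build a Content-Security-Policy value from a directive -> sources map.
function buildCsp(directives) {
  return Object.keys(directives)
    .map((name) => `${name} ${directives[name].join(' ')}`)
    .join('; ');
}

// Same (req, res, next) signature as Express middleware, so app.use() can take it.
function bigThreeHeaders(options = {}) {
  const maxAge = options.hstsMaxAge || 31536000;       // one year, in seconds
  const frame = options.frameOptions || 'DENY';         // SAMEORIGIN if you frame your own pages
  const csp = buildCsp(options.csp || { 'default-src': ["'self'"] });
  return function (req, res, next) {
    res.setHeader('Strict-Transport-Security', `max-age=${maxAge}; includeSubDomains`);
    res.setHeader('X-Frame-Options', frame);
    res.setHeader('Content-Security-Policy', csp);
    if (next) next();
  };
}

// Audit a header map (e.g. res.getHeaders()) and report missing or weak Big 3 headers.
function auditBigThree(headers) {
  const h = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = String(headers[k]);
  const problems = [];
  const hsts = /max-age=(\d+)/.exec(h['strict-transport-security'] || '');
  if (!hsts) problems.push('missing Strict-Transport-Security');
  else if (Number(hsts[1]) < 15552000) problems.push('HSTS max-age shorter than 180 days');
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') problems.push('missing or weak X-Frame-Options');
  const csp = h['content-security-policy'] || '';
  if (!csp) problems.push('missing Content-Security-Policy');
  else if (/'unsafe-inline'|(^|\s)\*(;|\s|$)/.test(csp)) problems.push("CSP allows 'unsafe-inline' or *");
  return problems;
}

// Stand-in for an Express response so the example runs without Express.
function fakeResponse() {
  const headers = {};
  return { setHeader: (k, v) => { headers[k] = v; }, getHeaders: () => headers };
}

const demoRes = fakeResponse();
bigThreeHeaders({ csp: { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] } })({}, demoRes);
console.log(demoRes.getHeaders(), auditBigThree(demoRes.getHeaders()));
```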
  35. Part 2: NoSQL Injections
  36. What is going on here?
  37. No HTTP body in ExpressJS: it relies on the bodyParser lib
  38. ExpressJS uses the bodyParser library to access the HTTP body payload
  39. ExpressJS uses the bodyParser library to access the HTTP body payload
  40. Validate Input ◇ Validate Length and Type ◇ Validate & Sanitize input to expected type ◇ Parameters Binding ◇ Security in Depth
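Why the body parser matters for NoSQL injection, and the validation steps from slide 40, as an added example that is not taken from the talk. It assumes a Mongo-style login query {username, password} built from req.body after bodyParser.json(); the request body and the helper names (asBoundedString, stripOperators) are constructed for illustration, and no database is needed to run it.

```javascript
// Added example (not code from the talk). Assumes a Mongo-style login query
// {username, password} built from req.body after bodyParser.json(); no database needed.

// The vulnerable pattern: whatever the body parser produced goes straight into the
// query. A string is expected, but a JSON body can just as easily carry an object.
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Constructed request body (Content-Type: application/json). bodyParser.json() turns
// it into an object, so "password" arrives as a query operator instead of a string.
const constructedBody = JSON.parse('{"username": "admin", "password": {"$gt": ""}}');

// Slide 40, steps 1 and 2: validate type and length, then keep only the expected primitive.
function asBoundedString(value, field, maxLen) {
  if (typeof value !== 'string') throw new TypeError(`${field}: expected a string`);
  if (value.length === 0 || value.length > maxLen) throw new RangeError(`${field}: bad length`);
  return value;
}

// Security in depth: drop any key beginning with "$" recursively, so no operator
// survives even on a code path that forgot to validate.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const k of Object.keys(value)) {
      if (!k.startsWith('$')) clean[k] = stripOperators(value[k]);
    }
    return clean;
  }
  return value;
}

// Hardened version: the query can only ever contain two bounded strings.
function buildLoginQuerySafe(body) {
  const b = stripOperators(body);
  return {
    username: asBoundedString(b.username, 'username', 64),
    password: asBoundedString(b.password, 'password', 256),
  };
}

console.log(buildLoginQueryUnsafe(constructedBody));   // password is { '$gt': '' }, an operator, not a string
try { buildLoginQuerySafe(constructedBody); } catch (e) { console.log('rejected:', e.message); }
```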
  41. Part 3: ReDoS, Regular Expressions DoS
  42. Regular Expressions
  43. • ^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])$
  44. Matching an IP address • ^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])$
  45. Let's Match Song Titles. Can you help with the regex?
  46. ^([a-zA-Z0-9])$ • Match words and numbers
  47. ^([a-zA-Z0-9]+\s?)$ • Match words and numbers • Allow spaces in between (duh)
  48. ^([a-zA-Z0-9]+\s?)+$ • Match words and numbers • Allow spaces in between (duh) • Repeat
  49. ReDoS Attacks ◇ Catastrophic Backtracking ◇ Exploits greedy quantifiers ◇ Simple regex are vulnerable too: /^(a+)+$/
  50. Regex DoS is a Real Problem ◇ 2017 - ms ◇ 2016 - Hawk ◇ 2016 - Tough Cookie ◇ 2016 - Moment ◇ 2015 - Uglify ◇ 2014 - Marked ◇ 2013 - Validator.js
  51. Regex Best Practices?
  52. University of Birmingham UK http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf
  53. Best Practice #1 ◇ DO NOT WRITE YOUR OWN REGEX
  54. Best Practice #2 ◇ DO NOT WRITE YOUR OWN REGEX
  55. Best Practice #3 ◇ Validator Node.js Module
  56. Best Practice #4 ◇ safe-regex node.js module ◇ checks regex complexity/backtracking vulnerability
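Slide 48's song-title regex and Best Practice #4 together, as an added example that is neither the talk's code nor the safe-regex module itself: a star-height check in the spirit of safe-regex, which flags a quantifier applied to a group that already contains a quantifier (the shape behind catastrophic backtracking in /^(a+)+$/), plus a rewrite of the song-title regex that has no nested quantifiers. The names starHeight, isSafeRegex and isSongTitle are chosen here; like safe-regex, the check is conservative and can flag some patterns that are in fact linear.

```javascript
// Added example (not the talk's code and not the safe-regex module). A static
// star-height check: nesting >= 2 means a quantified group containing a quantifier.

const QUANT = /^[*+?]|^\{\d+(,\d*)?\}/;   // quantifier forms: * + ? {n} {n,} {n,m}

// Maximum nesting depth of quantifiers in a regex source string.
// 0: none; 1: e.g. /a+/ or /(a|b)+/; 2 or more: e.g. /^(a+)+$/.
function starHeight(source) {
  const stack = [];   // star height of the enclosing sequence, saved per open group
  let current = 0;    // star height of the sequence at the current nesting level
  let max = 0;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '(') { stack.push(current); current = 0; continue; }
    let inner = -1;
    if (c === ')') { inner = current; current = stack.pop(); }
    else if (c === '\\') i++;                                  // escaped atom such as \d
    else if (c === '[') {                                      // a character class is one atom
      i++;
      while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
    }
    const q = QUANT.exec(source.slice(i + 1));                 // quantifier on this atom or group?
    if (q) i += q[0].length;
    const here = (inner >= 0 ? inner : 0) + (q ? 1 : 0);
    current = Math.max(current, here);
    max = Math.max(max, current);
  }
  return max;
}

// Like safe-regex: conservative, any nesting is treated as unsafe (some false positives).
function isSafeRegex(re) {
  return starHeight(re.source) < 2;
}

// Slide 48's /^([a-zA-Z0-9]+\s?)+$/ rewritten without nested quantifiers: one character
// class that already includes the space, applied to trimmed input, so matching is linear.
const SAFE_TITLE = /^[a-zA-Z0-9 ]+$/;
function isSongTitle(input) {
  return typeof input === 'string' && SAFE_TITLE.test(input.trim());
}

console.log(starHeight('^(a+)+$'));                                       // 2
console.log(isSafeRegex(/^([a-zA-Z0-9]+\s?)+$/));                         // false
console.log(isSafeRegex(SAFE_TITLE), isSongTitle('Bohemian Rhapsody 1975')); // true true
```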
  57. Part 4: Secure Dependencies Management
  58. ◇ Who takes care of the risk for those packages? ◇ Can I code review every single package?
  59. ◇ Malicious Contributors?
  60. ◇ Compromised Contributors?
  61. ◇ 14% of npm packages compromised -> 20% of npm total monthly downloads
  62. ◇ 14% of npm packages compromised -> 20% of npm total monthly downloads ◇ debug, react, electron, jasmine, moment, express, gulp, request
  63. ◇ 662 users had password: 123456
  64. ◇ 662 users had password: 123456 ◇ 124 users had password: password
  65. ◇ 662 users had password: 123456 ◇ 124 users had password: password ◇ 1409 users had their username as password
  66. ◇ 662 users had password: 123456 ◇ 124 users had password: password ◇ 1409 users had their username as password ◇ 11% of users re-used their leaked password
  67. Ask yourself: are my dependencies vulnerable?
  68. Secure Dependencies Management: Snyk
  69. marked npm package
  70. snyk ◇ check CVE db for known issues ◇ check installed node_modules dir ◇ provides patch-level fix ◇ provides interactive patch wizard
  71. SecurityOps: Integrate Security into your build pipeline
  72. Summary: 1. Employ Secure HTTP headers with Helmet 2. Be mindful of NoSQL Injections 3. Avoid writing your own RegEx 4. Snyk to secure your npm dependencies
  73. Thank you! liran.tal@gmail.com @liran_tal https://leanpub.com/nodejssecurity/c/jsheroes
