Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security in NodeJS applications

531 views

Published on

Secure coding in NodeJS with OWASP

Published in: Software

Security in NodeJS applications

  1. 1. SECURE CODING WITH
  2. 2. SECURE CODING WITH NODE.JS OBJECTIVE ▸The purpose of the following micro-course is learning by examples the major security flaws in code in NodeJS, possible solutions and good security practices.
  3. 3. SECURE CODING WITH NODE.JS INDEX
  4. 4. SECURE CODING WITH NODE.JS OWASP TOP 10 WITH 1 PICTURE
  5. 5. SECURE CODING WITH NODE.JS CORRESPONDENCIA CON OWASP TOP 10
  6. 6. SECURE CODING WITH NODE.JS VULNERABLE NODE.JS PROJECT ▸ https://github.com/cr0hn/vulnerable-node
  7. 7. A1 - INJECTION: INJECTION FLAWS, SUCH AS SQL, OS, AND LDAP INJECTION OCCUR WHEN UNTRUSTED DATA IS SENT TO AN INTERPRETER AS PART OF A COMMAND OR QUERY. THE ATTACKER’S HOSTILE DATA CAN TRICK THE INTERPRETER INTO EXECUTING UNINTENDED COMMANDS OR ACCESSING DATA WITHOUT PROPER AUTHORIZATION. OWASP TOP 10 A1 - INJECTION
  8. 8. TEXTO CODE INJECTION: DEFINITION ▸Those application points with input information, usually from the user, which must be treated as untrusted by default. ▸Assimilate and understand the expression: This code smells injection
  9. 9. A1 - INJECTION :: SQL INJECTION (1/5) SQL INJECTION function do_auth(username, password) { var db = pgp(config.db.connectionString); var q = "SELECT * FROM users WHERE name = '" + username + "' AND password ='" + password + "';"; return db.one(q); } /model/auth.js:4
  10. 10. A1 - INJECTION :: SQL INJECTION (2/5) SQL INJECTION function do_auth(username, password) { var db = pgp(config.db.connectionString); var q = "SELECT * FROM users WHERE name = '" + username + "' AND password ='" + password + "';"; return db.one(q); } /model/auth.js:4
  11. 11. A1 - INJECTION :: SQL INJECTION (3/5) SQL INJECTION - ATTACK (1/2)
  12. 12. A1 - INJECTION :: SQL INJECTION (4/5) SQL INJECTION - ATTACK (2/2)
  13. 13. A1 - INJECTION :: SQL INJECTION (5/5) SQL INJECTION - SOLUTION Prepared statement
  14. 14. A1 - INJECTION :: LOG INJECTION (1/3) LOG INJECTION router.post('/login/auth', function(req, res) { var user = req.body.username; var password = req.body.password; var returnurl = req.body.returnurl; logger.error("Tried to login attempt from user = " + user); /model/login.js:25
  15. 15. A1 - INJECTION :: LOG INJECTION (1/3) LOG INJECTION router.post('/login/auth', function(req, res) { var user = req.body.username; var password = req.body.password; var returnurl = req.body.returnurl; logger.error("Tried to login attempt from user = " + user); /model/login.js:25
  16. 16. A1 - INJECTION :: LOG INJECTION (1/3) LOG INJECTION - ATTACK (1/2)
  17. 17. A1 - INJECTION :: LOG INJECTION (1/3) LOG INJECTION - ATTACK (2/2)
  18. 18. A1 - INJECTION :: LOG INJECTION (1/3) LOG INJECTION - SOLUTION Use a logging framework, adding variables as parameters If you can’t use a framework, remove CR & LR
  19. 19. A1 - INJECTION :: EVIL REGEX (1/4) EVIL REGEX - EXPLANATION Regex: ^(a+)+$ Denial Of System (DoS)
  20. 20. A1 - INJECTION :: EVIL REGEX (2/4) EVIL REGEX var re = /^([a-zA-Z0-9])(([-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a- z]{2,3}[.]{1}[a-z]{2,3}))$/ if (!re.test(cart.mail)){ throw new Error("Invalid mail format"); } /routers/products.js:120
  21. 21. A1 - INJECTION :: EVIL REGEX (3/4) EVIL REGEX - ATTACK 30 seconds
  22. 22. ▸ https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS A1 - INJECTION :: EVIL REGEX (4/4) EVIL REGEX - SOLUTION Use regex as simple as you can Check each regex before go to production
  23. 23. A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT: APPLICATION FUNCTIONS RELATED TO AUTHENTICATION AND SESSION MANAGEMENT ARE OFTEN NOT IMPLEMENTED CORRECTLY, ALLOWING ATTACKERS TO COMPROMISE PASSWORDS, KEYS, OR SESSION TOKENS, OR TO EXPLOIT OTHER IMPLEMENTATION FLAWS TO ASSUME OTHER USERS’ IDENTITIES. OWASP TOP 10 A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT
  24. 24. A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT :: COOKIES (1/3) COOKIES app.use(session({ secret: 'ñasddfilhpaf78h78032h780g780fg780asg780dsbovncubuyvqy', cookie: { secure: false, maxAge: 99999999999 } })); /model/app.js:43
  25. 25. A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT :: COOKIES (2/3) COOKIES
  26. 26. A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT :: COOKIES (3/3) COOKIES - SOLUTION Enable HTTP-Only Limite expire time of cookie
  27. 27. A3 - CROSS-SITE SCRIPTING XSS FLAWS OCCUR WHENEVER AN APPLICATION TAKES UNTRUSTED DATA AND SENDS IT TO A WEB BROWSER WITHOUT PROPER VALIDATION OR ESCAPING. XSS ALLOWS ATTACKERS TO EXECUTE SCRIPTS IN THE VICTIM’S BROWSER WHICH CAN HIJACK USER SESSIONS, DEFACE WEB SITES, OR REDIRECT THE USER TO MALICIOUS SITES.OWASP TOP 10 A3 - CROSS-SITE SCRIPTING
  28. 28. A3 - CROSS-SITE SCRIPTING (1/4) XSS router.get('/products/search', function(req, res, next) { var url_params = url.parse(req.url, true).query; var query = url_params.q; db_products.search(query) .then(function (data) { res.render('search', { in_query: query, products: data }); }) /routers/products.js:62
  29. 29. A3 - CROSS-SITE SCRIPTING (2/4) XSS router.get('/products/search', function(req, res, next) { var url_params = url.parse(req.url, true).query; var query = url_params.q; db_products.search(query) .then(function (data) { res.render('search', { in_query: query, products: data }); }) /routers/products.js:62
  30. 30. A3 - CROSS-SITE SCRIPTING (3/4) XSS - ATTACK
  31. 31. A3 - CROSS-SITE SCRIPTING (4/4) XSS - SOLUTION ▸https://github.com/mdevils/node-html-entities HTML Entities
  32. 32. A4 - INSECURE DIRECT OBJECT REFERENCES A DIRECT OBJECT REFERENCE OCCURS WHEN A DEVELOPER EXPOSES A REFERENCE TO AN INTERNAL IMPLEMENTATION OBJECT, SUCH AS A FILE, DIRECTORY, OR DATABASE KEY. WITHOUT AN ACCESS CONTROL CHECK OR OTHER PROTECTION, ATTACKERS CAN MANIPULATE THESE REFERENCES TO ACCESS UNAUTHORIZED DATA. OWASP TOP 10 A4 - INSECURE DIRECT OBJECT REFERENCES
  33. 33. A4 - INSECURE DIRECT OBJECT REFERENCES INSECURE DIRECT OBJECT REFERENCES (1/2) router.all('/products/buy', function(req, res, next) { cart = { mail: params.mail, address: params.address, ship_date: params.ship_date, phone: params.phone, product_id: params.product_id, product_name: params.product_name, username: req.session.user_name, price: params.price.substr(0, params.price.length - 1)} db_products.purchase(cart) /routers/products.js:108
  34. 34. A4 - INSECURE DIRECT OBJECT REFERENCES INSECURE DIRECT OBJECT REFERENCES (2/2) function purchase(cart) { var db = pgp(config.db.connectionString); var q = "INSERT INTO purchases(mail, product_name, user_name, product_id, address, phone, ship_date, price) VALUES('" + cart.mail + "', '" + cart.product_name + "', '" + cart.username + "', '" + cart.product_id + "', '" + cart.address + "', '" + cart.ship_date + "', '" + cart.phone + "', '" + cart.price + "');"; return db.one(q); } /model/products.js:34 • User ownership check? • Price check?
  35. 35. A4 - INSECURE DIRECT OBJECT REFERENCES INSECURE DIRECT OBJECT REFERENCES - ATTACK (1/2)
  36. 36. A4 - INSECURE DIRECT OBJECT REFERENCES INSECURE DIRECT OBJECT REFERENCES - SOLUTION Check database & object references
  37. 37. A6 - SENSITIVE DATA EXPOSURE MANY WEB APPLICATIONS DO NOT PROPERLY PROTECT SENSITIVE DATA, SUCH AS CREDIT CARDS, TAX IDS, AND AUTHENTICATION CREDENTIALS. ATTACKERS MAY STEAL OR MODIFY SUCH WEAKLY PROTECTED DATA TO CONDUCT CREDIT CARD FRAUD, IDENTITY THEFT, OR OTHER CRIMES. SENSITIVE DATA DESERVES EXTRA PROTECTION SUCH AS ENCRYPTION AT REST OR IN TRANSIT, AS WELL AS SPECIAL PRECAUTIONS WHEN EXCHANGED WITH THE BROWSER. OWASP TOP 10 A6 - SENSITIVE DATA EXPOSURE
  38. 38. A6 - SENSITIVE DATA EXPOSURE (1/4) SENSITIVE DATA EXPOSURE router.post('/login/auth', function(req, res) { var returnurl = req.body.returnurl; auth(user, password) }) .catch(function (err) { res.redirect("/login?returnurl=" + returnurl + "&error=" + err.message); }); /routers/login:39
  39. 39. A6 - SENSITIVE DATA EXPOSURE (2/4) SENSITIVE DATA EXPOSURE - ATTACK (1/3)
  40. 40. A6 - SENSITIVE DATA EXPOSURE (3/4) SENSITIVE DATA EXPOSURE - ATTACK (2/3)
  41. 41. A6 - SENSITIVE DATA EXPOSURE (4/4) SENSITIVE DATA EXPOSURE - ATTACK (3/3)
  42. 42. A8 - CROSS-SITE REQUEST FORGERY A CSRF ATTACK FORCES A LOGGED-ON VICTIM’S BROWSER TO SEND A FORGED HTTP REQUEST, INCLUDING THE VICTIM’S SESSION COOKIE AND ANY OTHER AUTOMATICALLY INCLUDED AUTHENTICATION INFORMATION, TO A VULNERABLE WEB APPLICATION. THIS ALLOWS THE ATTACKER TO FORCE THE VICTIM’S BROWSER TO GENERATE REQUESTS THE VULNERABLE APPLICATION THINKS ARE LEGITIMATE REQUESTS FROM THE VICTIM.OWASP TOP 10 A8 - CROSS-SITE REQUEST FORGERY
  43. 43. A8 - CROSS-SITE REQUEST FORGERY (1/6) CROSS-SITE REQUEST FORGERY router.all('/products/buy', function(req, res, next) { cart = { mail: params.mail, address: params.address, ship_date: params.ship_date, phone: params.phone, product_id: params.product_id, product_name: params.product_name, username: req.session.user_name, price: params.price.substr(0, params.price.length - 1) } db_products.purchase(cart) .catch(function (err) { return res.json({message: "Product purchased correctly"}); }); /routers/products:89
  44. 44. A8 - CROSS-SITE REQUEST FORGERY (2/6) CROSS-SITE REQUEST FORGERY router.all('/products/buy', function(req, res, next) { cart = { mail: params.mail, address: params.address, ship_date: params.ship_date, phone: params.phone, product_id: params.product_id, product_name: params.product_name, username: req.session.user_name, price: params.price.substr(0, params.price.length - 1) } db_products.purchase(cart) .catch(function (err) { return res.json({message: "Product purchased correctly"}); }); /routers/products:89 Token?
  45. 45. A8 - CROSS-SITE REQUEST FORGERY (3/6) CROSS-SITE REQUEST FORGERY
  46. 46. A8 - CROSS-SITE REQUEST FORGERY (4/6) CROSS-SITE REQUEST FORGERY Buy by GET Request No token
  47. 47. A8 - CROSS-SITE REQUEST FORGERY (5/6) CROSS-SITE REQUEST FORGERY - ATTACK
  48. 48. A8 - CROSS-SITE REQUEST FORGERY (6/6) CROSS-SITE REQUEST FORGERY - SOLUTION Use POST requests for actions that modifies the system. Use a unique token (CSRF Token) for each requests that modify the system.
  49. 49. A10 - UNVALIDATED REDIRECTS AND FORWARDS WEB APPLICATIONS FREQUENTLY REDIRECT AND FORWARD USERS TO OTHER PAGES AND WEBSITES, AND USE UNTRUSTED DATA TO DETERMINE THE DESTINATION PAGES. WITHOUT PROPER VALIDATION, ATTACKERS CAN REDIRECT VICTIMS TO PHISHING OR MALWARE SITES, OR USE FORWARDS TO ACCESS UNAUTHORIZED PAGES. OWASP TOP 10 A10 - UNVALIDATED REDIRECTS AND FORWARDS
  50. 50. A10 - UNVALIDATED REDIRECTS AND FORWARDS (1/4) UNVALIDATED REDIRECTS AND FORWARDS router.post('/login/auth', function(req, res) { var returnurl = req.body.returnurl; auth(user, password) .then(function (data) { if (returnurl == undefined || returnurl == ""){ returnurl = "/"; } res.redirect(returnurl); }) /routers/login.js:36
  51. 51. A10 - UNVALIDATED REDIRECTS AND FORWARDS (2/4) UNVALIDATED REDIRECTS AND FORWARDS router.post('/login/auth', function(req, res) { var returnurl = req.body.returnurl; auth(user, password) .then(function (data) { if (returnurl == undefined || returnurl == ""){ returnurl = "/"; } res.redirect(returnurl); }) /routers/login.js:36
  52. 52. A10 - UNVALIDATED REDIRECTS AND FORWARDS (3/4) UNVALIDATED REDIRECTS AND FORWARDS - ATTACK
  53. 53. A10 - UNVALIDATED REDIRECTS AND FORWARDS (4/4) UNVALIDATED REDIRECTS AND FORWARDS - SOLUTION Only allow relative to domain redirection White list for redirections
  54. 54. SECURE CODING WITH NODE.JS REFERENCIAS ▸OWASP Top 10: https://www.owasp.org/index.php/Top_10_2013-Top_10 ▸NodeJS Security check list: https://blog.risingstack.com/node-js-security-checklist/ ▸Evil regex: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_- _ReDoS ▸Detect potentially evil regex: https://github.com/substack/safe-regex

×