Meteor Meets Mallory

Published on devshop talk 7/25/13
Published in: Technology
1. Meteor meets Mallory*
   Emily Stark, Meteor core developer
   emily@meteor.com
   * Mallory is usually the name of the bad guy in crypto/security stuff
2. Meteor security model and best practices
3. Outline
   1. Meteor security principles
   2. Cross-site scripting
   3. Mongo injections
4. Meteor security principles
5. Secure design principles
   ○ Data and code are separate
   ○ Easy to reason about client/server boundary
   ○ Stateful connections that must be deliberately authenticated
6. Securely structuring your app
   ○ Server code is trusted, client code is not
   ○ server/ or Meteor.settings for secrets
   ○ Meteor.isServer doesn't make code private
   ○ Use publications and allow/deny to lock down database API
   ○ Allow/deny rules not applied to server code
7. Cross-site scripting
8. Cross-site scripting (XSS)
9. Cross-site scripting (XSS)
10. Meteor foils some attacks
    < > ' " ` &  →  &lt; &gt; ' &quot; ` &amp;  when inside {{ }}
    (packages/handlebars/evaluate-handlebars.js)
11. But not all
    <a href="{{ userWebsite }}">
      {{ username }}'s website
    </a>
12. URL sanitization
    <a href="javascript:alert(localStorage)">
      {{ username }}'s website
    </a>
13. URL sanitization
    <a href="javascript:alert(localStorage)">
      {{ username }}'s website
    </a>
    Can you execute any damaging JavaScript when quotes are escaped?
14. URL sanitization
    <a href="javascript: eval(String.fromCharCode(77, 101, ...))">
      {{ username }}'s website
    </a>
15. CSS sanitization
    <div style="background-color: {{ usersFavoriteColor }}">
    </div>
16. CSS sanitization
    <div style="background-color: expression(alert(localStorage))">
    </div>
17. Sanitize untrusted URLs and CSS
    ○ Don't try to filter out "javascript:", "expression", etc.
    ○ Do strict checking: URLs start with http, CSS values come from a list of safe values
    ○ Use Content Security Policy
      Ex: Content-Security-Policy: default-src 'self'
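The allow-list approach slide 17 recommends, written out as an added example (this is not code from the talk or from Meteor): URLs are accepted only when they parse as absolute http(s) URLs, CSS colours only when they appear in a fixed list, and the CSP header from the slide is set by a small connect-style middleware. The function names, the colour list and the sample inputs are assumptions made for this example; the remark about WebApp.rawConnectHandlers is my understanding of the Meteor API and is not exercised here.

```javascript
// Added example (not code from the talk): allow-list checks for untrusted URLs
// and CSS colour values, following slide 17's advice to check strictly rather
// than filter out "javascript:" or "expression". Function names, the colour
// list and the sample inputs are assumptions made for this example.

// Accept a URL only if it parses as an absolute http(s) URL; everything else
// (relative paths, javascript:, data:, unparsable input) gets the fallback.
function safeHref(untrusted, fallback = "#") {
  if (typeof untrusted !== "string") return fallback;
  let parsed;
  try {
    parsed = new URL(untrusted); // throws on relative or unparsable input
  } catch (e) {
    return fallback;
  }
  // The URL parser normalises scheme case and surrounding whitespace, so
  // comparing the parsed protocol is more reliable than searching the raw text.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
  return parsed.href;
}

// Constructed allow-list of colour keywords the app is willing to emit.
const SAFE_COLORS = new Set(["red", "green", "blue", "white", "black"]);

// Accept a CSS colour only if it is one of the listed keywords; anything else
// (expression(...), url(...), stray punctuation) maps to a neutral default.
function safeColor(untrusted, fallback = "inherit") {
  if (typeof untrusted !== "string") return fallback;
  const value = untrusted.trim().toLowerCase();
  return SAFE_COLORS.has(value) ? value : fallback;
}

// Attribute and text escaping, the same job Meteor's {{ }} does on slide 10.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The two templates from slides 11 and 15, rendered with checked values.
function renderProfileLink(username, userWebsite) {
  return `<a href="${escapeHtml(safeHref(userWebsite))}">${escapeHtml(username)}'s website</a>`;
}

function renderColorBox(usersFavoriteColor) {
  return `<div style="background-color: ${safeColor(usersFavoriteColor)}"></div>`;
}

// Connect-style middleware adding the CSP header shown on slide 17; in Meteor
// the same function can be registered with WebApp.rawConnectHandlers.use
// (assumption about the Meteor API, not demonstrated here).
function cspMiddleware(req, res, next) {
  res.setHeader("Content-Security-Policy", "default-src 'self'");
  next();
}

// Constructed inputs: the payloads from the slides next to benign values.
function demo() {
  const headers = {};
  cspMiddleware({}, { setHeader: (k, v) => { headers[k] = v; } }, () => {});
  return {
    goodUrl: safeHref("https://example.com/alice"),
    relativeUrl: safeHref("/profile/alice"),
    jsUrl: safeHref("javascript:alert(localStorage)"),
    encodedJsUrl: safeHref("javascript:eval(String.fromCharCode(77, 101))"),
    goodColor: safeColor("Blue"),
    cssExpr: safeColor("expression(alert(localStorage))"),
    link: renderProfileLink("Mallory", "javascript:alert(localStorage)"),
    box: renderColorBox("expression(alert(localStorage))"),
    csp: headers["Content-Security-Policy"],
  };
}

console.log(demo());
```

The point of parsing rather than string-matching is that the check asks "is this one of the things I allow?" instead of "does this contain something I recognise as bad?", which is exactly the distinction the slide draws. Relative URLs are rejected here because the slide's rule is "URLs start with http"; an app that wants to permit them would resolve them against its own origin first and then apply the same protocol check.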
18. Mongo injections
19. Mongo injections
    Meteor.methods({
      getUser: function (user, pwd) {
        return Users.findOne({
          username: user,
          password: pwd
        });
      }
    });
    user: "Alice"
    pwd: {$ne: "foo"}
20. Using check
    Meteor.methods({
      getUser: function (user, pwd) {
        check(user, String);
        check(pwd, String);
        return Users.findOne({
          username: user,
          password: pwd
        });
      }
    });
21. check is versatile
    check(usernames, [String]);
    check(profile, {
      admin: Boolean,
      location: Match.Optional(String)
    });
    check(age, Match.OneOf(String, Number));
22. Using audit-argument-checks
    Meteor.methods({
      insertName: function (name) {
        MyCollection.insert({
          name: name
        });
        console.log("Inserted", {name: name});
      }
    });
    insertName({ foo: "bar" })
23. Using audit-argument-checks
    Inserted {"name": {"foo": "bar"}}
    insertName({ foo: "bar" })
24. Using audit-argument-checks
    meteor add audit-argument-checks
    insertName({ foo: "bar" })
25. Using audit-argument-checks
    Inserted {"name": {"foo": "bar"}}
    Exception while invoking method 'insertName'
    Error: Did not check() all arguments during call to 'insertName'
    insertName({ foo: "bar" })
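What slides 22 to 25 show is a package that fails the method call whenever an argument was never passed to check(). The following is an added, simplified model of that enforcement and is not the audit-argument-checks package itself: each call gets a fresh record of which arguments check() saw, and once the method body returns, any argument missing from that record turns the call into an error. As on slide 25, the method body (here, the insert) has already run by the time the error is raised. The names Methods, defineMethods, callMethod and the in-memory "collection" are invented for this example.

```javascript
// Added example (not the audit-argument-checks package): a simplified model of
// "every argument must have been passed to check()". Names are invented.

let currentCall = null; // per-call bookkeeping, set while a method body runs

// Minimal check(): records the argument as audited, then enforces the only
// pattern this example needs (String). Meteor's real check supports far more.
function check(value, pattern) {
  if (currentCall) currentCall.checked.add(value);
  if (pattern === String && typeof value !== "string") {
    throw new Error("Match error: expected string");
  }
}

const methods = {};
function defineMethods(defs) {
  Object.assign(methods, defs);
}

// Run a method with audit bookkeeping. After the body returns, any argument
// that never reached check() makes the whole call fail, even though the body
// has already executed (compare the "Inserted ..." line before the exception
// on slide 25). Arguments are compared by identity here; the real package
// compares by value.
function callMethod(name, ...args) {
  const call = { checked: new Set() };
  const previous = currentCall;
  currentCall = call;
  try {
    const result = methods[name].apply(null, args);
    const unchecked = args.filter((a) => !call.checked.has(a));
    if (unchecked.length > 0) {
      throw new Error(`Did not check() all arguments during call to '${name}'`);
    }
    return result;
  } finally {
    currentCall = previous;
  }
}

const inserted = []; // stands in for MyCollection

defineMethods({
  // Slide 22: stores whatever arrives, including the object {foo: "bar"}.
  insertName(name) {
    inserted.push({ name });
    return inserted.length;
  },
  // The same method with the check() the audit demands.
  insertNameChecked(name) {
    check(name, String);
    inserted.push({ name });
    return inserted.length;
  },
});

// Constructed calls: the slide's {foo: "bar"} payload and a plain string.
function demo() {
  inserted.length = 0;
  const out = {};
  try {
    callMethod("insertName", { foo: "bar" });
    out.unchecked = "ok";
  } catch (e) {
    out.unchecked = e.message;
  }
  out.insertedAfterUnchecked = inserted.length; // the insert already happened
  try {
    callMethod("insertNameChecked", { foo: "bar" });
    out.checkedObject = "ok";
  } catch (e) {
    out.checkedObject = e.message;
  }
  out.checkedString = callMethod("insertNameChecked", "Alice");
  return out;
}

console.log(demo());
```

The useful lesson from the model is the one the slides make visually: the audit is a safety net that surfaces methods whose authors forgot to validate, not a substitute for the validation itself. The unchecked call still writes the bad document before the error appears, so the check() call inside the method is what actually protects the collection.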
26. What was that Meteor 0.6.4.1 release all about?
    Meteor.methods({
      saveUser: function (profile) {
        delete profile.admin;
        Users.insert(profile);
      }
    });
    <malicious input> {"admin": "true!", "x01...": null, ...}
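The common thread of slides 19 to 21 and slide 26 is that untrusted arguments must be checked against a positive description of what is allowed, not patched up after the fact. As an added example (not Meteor's own code), the block below re-implements enough of the check()/Match idea to run slide 20's method, slide 21's patterns and a slide 26 style object pattern, and pairs it with a toy matcher that evaluates only the equality and $ne query shapes used on slide 19, so the effect of the {$ne: "foo"} argument can be seen against an in-memory document. Users, the stored documents, the method names and the Match re-implementation are all constructed for this example; the real check() supports many more patterns.

```javascript
// Added example (not Meteor's code): a small check()/Match re-implementation
// plus a toy equality/$ne query evaluator. Everything here is constructed.

const Match = {
  Optional: (pattern) => ({ kind: "optional", pattern }),
  OneOf: (...patterns) => ({ kind: "oneOf", patterns }),
};

// True if value matches pattern: a constructor (String, Number, Boolean), an
// array pattern [p], a Match.Optional / Match.OneOf wrapper, or a plain-object
// pattern. Object patterns require every key in the value to be declared
// (so an unexpected "admin" key fails) and every declared key to match unless
// it is Optional, mirroring how Meteor's check treats object patterns.
function matches(value, pattern) {
  if (pattern === String) return typeof value === "string";
  if (pattern === Number) return typeof value === "number";
  if (pattern === Boolean) return typeof value === "boolean";
  if (Array.isArray(pattern)) {
    return Array.isArray(value) && value.every((v) => matches(v, pattern[0]));
  }
  if (pattern && pattern.kind === "optional") {
    return value === undefined || matches(value, pattern.pattern);
  }
  if (pattern && pattern.kind === "oneOf") {
    return pattern.patterns.some((p) => matches(value, p));
  }
  if (pattern && typeof pattern === "object") {
    if (!value || typeof value !== "object" || Array.isArray(value)) return false;
    for (const key of Object.keys(value)) {
      if (!Object.prototype.hasOwnProperty.call(pattern, key)) return false;
    }
    return Object.keys(pattern).every((key) => matches(value[key], pattern[key]));
  }
  throw new Error("unsupported pattern");
}

function check(value, pattern) {
  if (!matches(value, pattern)) throw new Error("Match error: value does not match pattern");
}

// Toy evaluator for the only query shapes used here: field equals literal, or
// field tested with {$ne: literal}. An operator object arriving where the
// code expected a literal is exactly the slide 19 problem.
function matchesQuery(doc, query) {
  return Object.keys(query).every((field) => {
    const cond = query[field];
    if (cond && typeof cond === "object" && "$ne" in cond) return doc[field] !== cond.$ne;
    return doc[field] === cond;
  });
}

// Constructed stand-in for the Users collection with one document.
const Users = {
  docs: [{ username: "Alice", password: "s3cret" }],
  findOne(query) {
    return this.docs.find((d) => matchesQuery(d, query)) || null;
  },
};

// Slide 19: pwd goes straight into the query, so it may be an operator object.
function getUserUnchecked(user, pwd) {
  return Users.findOne({ username: user, password: pwd });
}

// Slide 20: check() refuses anything that is not a string before the query runs.
function getUserChecked(user, pwd) {
  check(user, String);
  check(pwd, String);
  return Users.findOne({ username: user, password: pwd });
}

// Slide 26 style: describe the profile you accept instead of deleting keys you
// remember to worry about. Constructed pattern.
const PROFILE_PATTERN = { name: String, location: Match.Optional(String) };

function outcome(fn) {
  try { fn(); return "accepted"; } catch (e) { return "rejected"; }
}

// Constructed inputs: the slide 19 payload and a profile smuggling an admin key.
function demo() {
  const injected = { $ne: "foo" };
  return {
    uncheckedLogsIn: getUserUnchecked("Alice", injected) !== null,
    checkedWithInjection: outcome(() => getUserChecked("Alice", injected)),
    checkedWithRealPassword: getUserChecked("Alice", "s3cret") !== null,
    profileWithAdminKey: outcome(() => check({ name: "Mallory", admin: true }, PROFILE_PATTERN)),
    profileWithoutLocation: outcome(() => check({ name: "Alice" }, PROFILE_PATTERN)),
  };
}

console.log(demo());
```

Two details carry the argument. The unchecked method returns Alice's document for {$ne: "foo"} because the toy matcher, like Mongo, evaluates the operator rather than comparing it as a value; check(pwd, String) turns that same argument into an exception before any query is built. And the object pattern rejects a profile carrying a key it does not declare, which is the allow-list counterpart of slide 26's delete profile.admin.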
27. Conclusion
    ○ Meteor security design principles
    ○ Securing boundary between client and server
    ○ Data/code separation
    ○ Some attacks to watch out for
    ○ Always validate untrusted user input
    ○ security-resources.meteor.com
28. Questions?
