Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Testing NodeJS Security

1,169 views

Published on

Testing NodeJS Security

Published in: Technology

Testing NodeJS Security

  1. 1. Testing Node Security by @jmortegac NOV 18-19 · 2016
  2. 2. Agenda  Introduction nodejS security  Npm security packages  Node Goat project  Tools
  3. 3. nodeJS introduction  JavaScript in the backend  Built on Chrome´s Javascript runtime(V8)  NodeJs is based on event loop  Designed to be asynchronous  Single Thread  Concurrent requests.
  4. 4. Security updates
  5. 5. Security updates
  6. 6. Find nodeJS vulnerabilities  http://cve.mitre.org/find/
  7. 7. Last vulnerabilities  https://nodesecurity.io/advisories
  8. 8. NPM modules install
  9. 9. Npm security packages  Helmet  express-session / cookie-session  csurf  express-validator  bcrypt-node  express-enforces-ssl
  10. 10. Security HTTP Headers  Strict-Transport-Security  X-Frame-Options  X-XSS-Protection  X-Content-Type-Options  Content-Security-Policy
  11. 11. Helmet module  https://www.npmjs.com/package/helmet
  12. 12. Helmet module  https://github.com/helmetjs/helmet
  13. 13. Helmet module  CSPContent-Security-Policy header  hidePoweredBydeletes X-Powered-by header  Hpkpprotection MITM  Hstsforces https connections  noCachedesactive client cache  Frameguardprotection clickjacking  xssFilterprotection XSS
  14. 14. Helmet module
  15. 15. Check headers security  http://cyh.herokuapp.com/cyh  https://securityheaders.io/
  16. 16. Express versions  https://www.shodan.io/search?query=express
  17. 17. Disable x-powered-by  Avoid framework fingerprinting
  18. 18. Disable x-powered-by  Use Helmet and use “hide-powered-by” plugin
  19. 19. Sessions management  https://www.npmjs.com/package/cookie-session  secure  httpOnly  domain  path  expires
  20. 20. httpOnly & secure:true
  21. 21. Delete cookies from cache browser // Set cache control header to eliminate cookies from cache app.use(function (req, res, next) { res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"'); next(); });
  22. 22. XSS attacks  An attacker can exploit XSS vulnerability to:  Steal session cookies/Sesion hijacking  Redirect user to malicious sites  Defacing and content manipulation  Cross Site Request forgery
  23. 23. https://www.npmjs.com/package/csurf
  24. 24. CSRF <form action="/process" method="POST"> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button> </form> app.use(function (request, response, next) { response.locals.csrftoken = request.csrfToken(); next(); });
  25. 25. CSRF
  26. 26. Filter/sanitize user input  Avoid XSS attacks  https://www.npmjs.com/package/sanitizer  Module express-validator  https://www.npmjs.com/package/express-validator
  27. 27. Validator
  28. 28. Validator
  29. 29. Validator
  30. 30. Validator with reg exp
  31. 31. Regular expressions  https://www.npmjs.com/package/safe-regex  Detect vulnerable regular expressions that can cause DoS
  32. 32. NodeJS Crypto  http://nodejs.org/api/crypto.html  Use require(‘crypto’) to access this module  The crypto module requires OpenSSL require("crypto") .createHash("sha1") //algorithm .update(“cOdEmOtiOn") //text .digest("hex"); //hexadecimal result
  33. 33. Bcrypt-node  https://github.com/kelektiv/node.bcrypt.js
  34. 34. Bcrypt-node
  35. 35. Bcrypt-node
  36. 36. Bcrypt-node
  37. 37. Building a secure HTTPS server
  38. 38. Building a secure HTTPS server  https://www.npmjs.com/package/https-redirect-server  https://www.npmjs.com/package/express-enforces-ssl  Redirect all traffic to https and a secure port
  39. 39. Building a secure HTTPS server
  40. 40. Building a secure HTTPS server var helmet = require("helmet"); var ms = require("ms"); app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true }));  Send hsts header for all requests
  41. 41. Node Goat  http://nodegoat.herokuapp.com/tutorial
  42. 42. Node Goat  https://github.com/OWASP/NodeGoat
  43. 43. EVAL()
  44. 44. EVAL() on github
  45. 45. EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString()) res.end(require('fs').readdirSync('..').toString())
  46. 46. Insecure Direct Object References  Use session instead of request param  var userId = req.session.userId;
  47. 47. Tools  NSP  Require Safe  David  KrakenJS / Lusca middleware  Retire  snyk.io
  48. 48. NSP  https://github.com/nodesecurity/nsp  npm install -g nsp  Analyze package.json  nsp check --output summary
  49. 49. NSP with Grunt  npm install –g grunt-nsp-package
  50. 50. Nsp execution
  51. 51. Nsp execution
  52. 52. Project dependences  https://david-dm.org/
  53. 53. Project dependences
  54. 54. Project dependences  npm install –g david
  55. 55. https://snyk.io
  56. 56. http://krakenjs.com/
  57. 57. https://github.com/krakenjs/lusca
  58. 58. Retire.js  http://retirejs.github.io/retire.js  Detecting components and js libraries with known vulnerabilities
  59. 59. Retire.js
  60. 60. Retire.js
  61. 61. Retire.js
  62. 62. Retire.js  https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
  63. 63. Retire.js execution
  64. 64. NodeJsScan  https://github.com/ajinabraham/NodeJsScan python NodeJsScan.py -d <dir>
  65. 65. NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
  66. 66. NodeJsScan
  67. 67. Passport
  68. 68. Passport
  69. 69. https://github.com/jmortega/testing_nodejs_security
  70. 70. GitHub repositories  https://github.com/cr0hn/vulnerable-node  https://github.com/rdegges/svcc-auth  https://github.com/strongloop/loopback-getting-started- intermediate
  71. 71. References  https://blog.risingstack.com/node-js-security-checklist/  https://blog.risingstack.com/node-js-security-tips/  https://groups.google.com/forum/#!forum/nodejs-sec  https://nodejs.org/en/blog/vulnerability/september-2016- security-releases/  https://expressjs.com/en/advanced/security-updates.html  http://opensecurity.in/nodejsscan/  http://stackabuse.com/securing-your-node-js-app/
  72. 72. Node security learning  https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
  73. 73. Books

×