Javascript Security - Three main methods of defending your MEAN stack

How do attacks work? Learn how XSS, CSRF and NoSQL injection work, and secure your app on the MEAN (MongoDB, Express.js, Angular.js, Node.js) stack.

1. JAVASCRIPT SECURITY
   RAN BAR-ZIK, HPE 2016

2. RAN BAR-ZIK
   Blogger and writer @ internet-Israel.com [Hebrew]
   Software developer at HPE
   Father of 4 children
   Marathoner
   Expert in PowerPoint :P
   Connect with me on LinkedIn

3. HACKERS - MYTH
   Source: https://commons.wikimedia.org/wiki/File:Hacker_-_Hacking_-_Symbol.jpg

4. HACKERS - REALITY
   Source: https://pixabay.com/static/uploads/photo/2014/04/03/11/55/robot-312566_960_720.png

5. HACKS CYCLE
   • Security hole created
   • Someone finds it (vulnerability test, penetration testing etc.)
   • Patch is being issued
   • Hackers track the patch list and create bots
   • Programmers create code

6. YOU DON’T NEED TO BE A HACKER TO PROTECT YOURSELF
   • You don’t need to be a professional burglar in order to know how to lock doors.
   • First know about the attack, and then learn how to deal with it.
   • Implementing security in JavaScript is easy, fun and can win you true love!

7. XSS – CROSS SITE SCRIPTING
   XSS is very simple: an attacker can insert custom JavaScript into the site.

8. TWO MAIN WAYS TO HELL: XSS
   • By not validating the input before inserting it into the database.
   • By not sanitizing the output before showing it to the user.

9. VALIDATE
   Input validation on the server side: making sure that the input is what you want.
   Using node.js? Great! Use the validate.js module, this is what we do.

10. VALIDATE.JS EXAMPLE

    var express = require("express");
    var validation = require("validator");
    var bodyParser = require("body-parser");
    var app = express();

    app.use(bodyParser.urlencoded({ extended: false }));

    app.get('/', function (req, res) {
        res.sendFile(__dirname + '/form.html');
    });

    /* The form will redirect here with the input data */
    app.post('/validateform', function (req, res) {
        if (!validation.isEmail(req.body.email)) {
            // isEmail returns true or false.
            res.send("Email is Bad");
        } else if (!validation.isAlpha(req.body.user_name)) {
            res.send("Name is Bad");
        } else {
            res.send("Form submitted");
        }
    });

    app.listen(4000);

11. WHY HASSLE? USE EXPRESS.JS MIDDLEWARE
    Express.js entry point → express-validator middleware → all your strings are validated.
    See for yourself! https://github.com/ctavan/express-validator

12. SANITIZATION
    Simple: do not allow JavaScript code to run in the output.

13. DOING SANITIZATION
    • Using angular.js? It comes free without charge! Even ngBindHtml does not allow the <script> tag.
    • Using another platform? Use the sanitization tools that come with it.

14. There are more ways to insert JavaScript into elements!
    Meet the wonderful world of HTML5 vulnerabilities!
    Allowing users to insert <video> elements?

        <video><source onerror="alert(1)">

    Will work on Chrome/Firefox. Check https://html5sec.org/
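Slides 12 to 14 say what sanitization must achieve but not how output escaping actually neutralizes a vector like the `<video><source onerror=...>` one. The following is an added example, not code from the deck or from Ran Bar-Zik; it hand-rolls the context-aware escaping that frameworks such as Angular apply by default, and runs the slide's own HTML5 vector through it. `renderComment`, `escapeHtml`, `escapeHtmlAttribute` and the sample comment are this example's own constructions.

```javascript
// Added example (not from the deck): escape untrusted text before placing it
// in HTML so the browser renders it as text instead of markup. This is the
// manual equivalent of what a framework's default binding does for you.

// Characters that are significant in an HTML text node or quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// For text placed between tags, e.g. <p>HERE</p>.
function escapeHtml(untrusted) {
  // Coerce first: a number or object must not bypass escaping.
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// For values placed inside a quoted attribute, e.g. data-author="HERE".
// Every ASCII character that is not a letter or digit is hex-encoded, so the
// value can neither close the quote nor start an event-handler attribute.
function escapeHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 128 ? `&#x${code.toString(16).toUpperCase()};` : ch;
  });
}

// Render a user comment with each escaper applied in its own context.
function renderComment(author, body) {
  return `<div class="comment" data-author="${escapeHtmlAttribute(author)}">` +
    `<p>${escapeHtml(body)}</p></div>`;
}

// True when an escaped value no longer contains anything that can open a tag,
// close an attribute, or introduce a new attribute.
function isInert(escaped) {
  return !/[<>"']/.test(escaped);
}

// Constructed sample: the HTML5 vector from the slide above, as a user would type it.
const SAMPLE_COMMENT = '<video><source onerror="alert(1)"></video>';
```

Escaping is context-specific: `escapeHtml` is enough for a text node, while anything interpolated into an attribute needs `escapeHtmlAttribute`, and neither is adequate for a URL, a `<script>` body or inline CSS. Where users must be allowed real HTML (the `ngBindHtml` case on slide 13), an allowlist-based sanitizer from the platform, not escaping, is the right tool.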
15. CROSS SITE REQUEST FORGERY (CSRF)
    • Every site operation is a REST API request. For example:
      • GET /users
      • DELETE user/123
      • PUT user/123 {role: admin}

16. <a href="https://most-secured-site.com/delete-all-users">
        Click here to see the model naked!
        <img src="hot_model_almost_naked" />
    </a>

17. SOLUTION TO CSRF
    Use tokens! Server-generated unique strings, based on some hash value + time, generated every time the form is output and submitted along with the form. No valid token? Get out!

18. HOW TO IMPLEMENT CSRF PROTECTION?
    In node.js / Express.js just use the csurf middleware! https://github.com/expressjs/csurf
    Make sure to implement it on both the client and the server side!
19. SQL INJECTION IN A NOSQL DATABASE / NODE.JS
    • SQL injection can be performed on any database.
    • The database can be MongoDB and the server can be Node.js, but the method is the same.

20. NOSQL INJECTION IN MONGODB

    db.users.find({username: username, password: password});

    app.post('/', function (req, res) {
        db.users.find({username: req.body.username, password: req.body.password}, function (err, users) {
            // If a user is found, run the following code.
        });
    });

    POST http://target/ HTTP/1.1
    Content-Type: application/json

    { "username": {"$gt": ""}, "password": {"$gt": ""} }

21. SOLUTION TO SQL INJECTION
    • Sanitize and validate, the same as for XSS.
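Slides 9 to 11 recommend validating every input on the server, and slide 21 says the same validation is the answer to the MongoDB injection on slide 20. The following is one added example that serves both, not code from the deck, from Ran Bar-Zik, or from the validator/express-validator projects: a small type-strict schema check that rejects the slide's `{"$gt": ""}` payload because an object is not a string, and drops fields the schema does not name. The schema shape, the field names and limits, the simplified email and alpha patterns (the real `validator.isEmail`/`isAlpha` are stricter), and the Express-style `validateBody` wiring are all this example's own assumptions.

```javascript
// Added example (not from the deck): type-strict schema validation for a
// request body, run before anything reaches the database driver.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // assumption: simplified, validator.isEmail is stricter
const ALPHA_RE = /^[A-Za-z]+$/;                // assumption: letters only, like isAlpha for English

// Schema for the form on slide 10 (field names from that slide, limits assumed).
const SIGNUP_SCHEMA = {
  email: { type: 'string', pattern: EMAIL_RE, maxLength: 254 },
  user_name: { type: 'string', pattern: ALPHA_RE, maxLength: 32 },
};

// Schema for the login on slide 20 (field names from that slide, limits assumed).
const LOGIN_SCHEMA = {
  username: { type: 'string', pattern: ALPHA_RE, maxLength: 32 },
  password: { type: 'string', minLength: 8, maxLength: 128 },
};

function describeType(v) {
  if (v === null) return 'null';
  if (Array.isArray(v)) return 'array';
  return typeof v;
}

// Returns { ok, errors, value }. value holds only the schema's fields, so any
// extra keys in the request body are discarded.
function validate(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'], value: null };
  }
  const errors = [];
  const clean = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = body[field];
    // typeof is the decisive check: {"$gt": ""} is an object, not a string,
    // so a query operator can never be smuggled in as a field value.
    if (typeof v !== rule.type) {
      errors.push(`${field}: expected ${rule.type}, got ${describeType(v)}`);
      continue;
    }
    if (rule.minLength !== undefined && v.length < rule.minLength) errors.push(`${field}: too short`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${field}: too long`);
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${field}: invalid format`);
    clean[field] = v;
  }
  return errors.length === 0
    ? { ok: true, errors, value: clean }
    : { ok: false, errors, value: null };
}

// Build the MongoDB filter for the login on slide 20. Returns null when the
// body fails validation, so the caller never issues the query at all.
function buildLoginFilter(body) {
  const result = validate(LOGIN_SCHEMA, body);
  if (!result.ok) return null;
  return { username: result.value.username, password: result.value.password };
}

// Express-style middleware (hypothetical wiring): 400 with the error list on
// failure, the cleaned body on req.validated on success.
function validateBody(schema) {
  return function (req, res, next) {
    const result = validate(schema, req.body);
    if (!result.ok) return res.status(400).json({ errors: result.errors });
    req.validated = result.value;
    next();
  };
}

// Constructed sample: the injection payload from slide 20.
const INJECTION_BODY = { username: { $gt: '' }, password: { $gt: '' } };
```

Two points the slide's query leaves implicit: `body-parser`'s JSON mode is what turns `{"$gt": ""}` into a real object, so a type check is not optional once JSON is accepted, and a production login should look the user up by username only and compare a stored password hash afterwards rather than putting the password into the filter at all.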
22. FINAL WORDS OF WISDOM
