Cluj JSHeroes 2017 - Liran Tal on Node.js Security

•

3 likes•451 views

This document discusses security issues with Node.js and best practices to address them. It describes security horror stories from malicious npm packages deleting files ("rimrafall") and packages with similar names to popular ones downloading instead. Other issues covered include NoSQL injections, regular expression denial of service attacks, and insecure dependencies. The document recommends using Helmet to set secure HTTP headers, avoiding writing your own regular expressions, using libraries like validator.js for validation, and integrating Snyk to check for vulnerabilities in dependencies. The key takeaway is the importance of secure development practices like input validation, output encoding, and dependency management for Node.js applications.

Software

Node.js Security:
Breaking The Loop
Liran Tal
Engineering Manager @ Nielsen Marketing Cloud
March 2017

The Magical 2010
Backbone.js
Underscore.js
AngularJS
Knockout.js
Node.js
npm

Node.JS is JavaScript 
JavaScript is Everywhere

By January 2015
◇ rimrafall package published to npm

rimrafall
◇ npm pre-install script
$ rm –rf /*

validator.js
◇ helps validate and sanitize strings

3,500,000 socket.io
2,000 socketio
malicious modules of similar names

seemingly innocent tutorial to learn from

Essential Node.js Security
https://leanpub.com/nodejssecurity/c/jsheroes

1. Strict-Transport-Security
2. X-Frame-Options
3. Content-Security-Policy
The Big 3

1. Strict-Transport-Security
The Big 3
Browsers enforce secure
(HTTPS) connections to the
server
Security by HTTP Headers

1. Strict-Transport-Security
The Big 3
http://www.bank.com
<a href=“https://bank.com/login">
http://www.bank.com/login
Security by HTTP Headers

1. Strict-Transport-Security
The Big 3
http://www.bank.com
https://www.bank.com
Security by HTTP Headers

2. X-Frame-Options
The Big 3
Clickjacking (User Interface redress attack,
UI redress attack, UI redressing) is a
malicious technique of tricking a Web user
into clicking on something different from
what the user perceives they are clicking on
Security by HTTP Headers

2. X-Frame-Options
The Big 3
Security by HTTP Headers

3. Content-Security-Policy
The Big 3
Whitelist Trusted Content
Security by HTTP Headers

1. Strict-Transport-Security
2. X-Frame-Options
3. Content-Security-Policy
The Big 3
Security by HTTP Headers

Putting it all
together 
with Helmet and
ExpressJS

No HTTP body in ExpressJS
it relies on bodyParser
lib

ExpressJS uses
bodyParser
library to
access HTTP
body payload

Validate Input
◇ Validate Length and Type
◇ Validate & Sanitize input to expected
type
◇ Parameters Binding
◇ Security in Depth

• ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d
d?|2[0-4]d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d|
25[0-5])$

Matching an IP address
• ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d
d?|2[0-4]d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d|
25[0-5])$

Let’s Match Song Titles
Can you help with the regex?

^([a-zA-Z0-9])$
• Match words and numbers

^([a-zA-Z0-9]+s?)$
• Match words and numbers
• Allow spaces in between (duh)

^([a-zA-Z0-9]+s?)+$
• Match words and numbers
• Allow spaces in between (duh)
• Repeat

ReDoS Attacks
◇ Catastrophic Backtracking
◇ Exploits greedy quantifiers
◇ Simple regex are vulnerable too: 
/^(a+)+$/

Regex DoS is a Real Problem
◇2017 - ms
◇2016 - Hawk
◇2016 - Tough Cookie
◇2016 - Moment
◇2015 - Uglify
◇2014 - Marked
◇2013 - Validator.js

University of Birmingham UK
http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf

Best Practice #1
◇ DO NOT WRITE YOUR OWN REGEX

Best Practice #2
◇ DO NOT WRITE YOUR OWN REGEX

Best Practice #3
◇Validator Node.js Module

Best Practice #4
◇ safe-regex node.js module
◇ checks regex complexity/backtracking
vulnerability

Are my dependencies
vulnerable?
ask yourself

snyk
◇ check cve db for known issues
◇ check installed node_modules dir
◇ provides patch-level fix
◇ provides interactive patch wizard

SecurityOps
Integrated Security into your 
build pipeline

1
2
3
Employ Secure HTTP headers with Helmet
Be mindful to NoSQL Injections
Summary
4 Snyk to secure Your npm
dependencies
Avoid writing your own RegEx

Thank you!
liran.tal@nielsen.com
@liran_tal
https://leanpub.com/nodejssecurity/c/jsheroes

Jarrod Overson presented on a supply chain attack that occurred in 2018 through the compromise of the event-stream Node.js package. An unauthorized developer gained commit access and introduced malicious code through new dependencies that was then installed by millions of users. The malware harvested cryptocurrency private keys from the Copay wallet app. While the community responded quickly, such attacks demonstrate vulnerabilities in open source software supply chains and dependency management that will continue to be exploited if not properly addressed through changes to practices and tooling.

SBA Live Academy - Secure Containers for Developer by Mathias Tausig

SBA Research

Target Group: SysAdmins, Developer, DevOps Focus: technical Talk language: English Abstract ********** What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

My Bro The ELK

Tripwire

The document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze security logs and events. It describes how to ingest logs into Logstash, normalize the data through filtering and parsing, enrich it with threat intelligence and geolocation data, and visualize the results in Kibana. The TARDIS framework is introduced as a way to perform threat analysis, detection, and data intelligence on historical security logs processed through the ELK stack.

Openssl

Adam Moravcik

The document contains information about cryptography tools and commands for OpenSSL including: - Links to documentation pages for OpenSSL, SHA-2, RSA, and AES algorithms. - Examples of OpenSSL commands to generate keys, sign and verify files, encrypt and decrypt files, create certificates, and export certificates to PKCS#12 format. - Information on generating root CAs, client certificates signed by the CA, and exporting certificates.

Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Nahidul Kibria

Threat hunting involves proactively searching networks to detect advanced threats that evade existing security solutions. It is not a reactive process like alerting, but instead involves repeated searches through networks using various approaches like data-centric hunting, endpoint hunting, and deception techniques. The document provides examples of hunting techniques for lateral movement, command and control, data exfiltration, and malware on networks. It emphasizes that threat hunting is an ongoing process of iterative searches to continuously identify security threats.

Tools & techniques, building a dev secops culture at mozilla sba live a...

SBA Research

"Tools & Techniques from building a DevSecOps culture at Mozilla" For the past decade, security teams at Mozilla have sharpened their tools and improved their techniques to mature the security culture of the organization, and dramatically reduce vulnerabilities and risks. In this talk, Julien shows how Mozilla approaches DevSecOps and shares lessons learned from that journey. Speaker: Julien Vehent, Firefox Operations Security Talk language: English About the Speaker: ********************* Julien Vehent is a French computer security engineer who leads the Firefox Operations Security team at Mozilla. He specializes in web applications security, cloud infrastructure, cryptography and risk management. He is the author of “Security DevOps”, published at Manning in 2018.

Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...

Mail.ru Group

Continuous Monitoring Deck

Brian Fennimore

While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance as cyber attacks become more sophisticated is increasing, IP addresses and domains as detection indices included in CTI are attacked by attackers in short cycles Dispose (change or disappear). As a countermeasure on the defender side, we are moving towards increasing the cost of attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the situation is such that the CTI is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day and implemented a detection index learning engine learning how detection indices are used by attackers Report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...

CODE BLUE

The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.

Open source security tools for Kubernetes.

Michael Ducy

Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important. In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.

Moby and kubernetes entitlements

Moby Project

The document proposes a new system called "entitlements" for defining high-level permissions and security profiles for containers. It aims to provide a better user experience than the current options like --cap-add and --privileged, by defining standardized permission profiles like "network.admin" that are attached securely to container images. The proposal outlines examples of how entitlement profiles would configure security settings and capabilities. It discusses next steps to implement entitlements in Moby and Kubernetes and opportunities for the community to provide feedback and contribute.

Securing your Rails application

clucasKrof

The document discusses securing Ruby on Rails applications. It covers topics like transport layer security (TLS and SSL), session hijacking, content security policy, cross-site scripting protection, and static code analysis tools. Gems like secure_headers, Brakeman, codesake-dawn and gauntlt can help audit code and build attacks to test vulnerabilities. Maintaining TLS is important to protect against man-in-the-middle attacks and securely transmit sensitive data like passwords.

ModSecurity and NGINX: Tuning the OWASP Core Rule Set

NGINX, Inc.

On demand recording: nginx.com/watch-on-demand/?id=modsecurity-and-nginx-tuning-the-owasp-core-rule-set In this webinar we discuss how to install the OWASP Core Rule Set (CRS) with NGINX and ModSecurity, as well as how to tune it. The CRS protects against many types of attack, including SQL Injection (SQLi), Local File Inclusion (LFI), and Remote Code Execution (RCE). Watch this webinar to learn: - How to install the OWASP Core Rule Set (CRS) with ModSecurity - About the types of attacks the CRS blocks, such SQLi, RFI, and LFI - How to tune the CRS to minimize false positives - What it looks like when ModSecurity blocks an attack (in a live demo), and how to interpret the audit log

JWT: jku x5u

snyff

The document discusses vulnerabilities in JSON Web Tokens (JWT). It begins by introducing JWTs and their typical uses. It then covers the JWT format and components like the header, payload, and signature. Various signing algorithms are presented. Attacks like open redirects, header injection, and algorithm downgrades are demonstrated through abusing the "jku" and "x5u" parameters. Recommendations are provided like using strong keys, reviewing libraries, enforcing algorithms, and testing for vulnerabilities. In conclusion, JWTs are complex and insecure by design, so careful implementation and testing is needed.

Adaptive Defense - Understanding Cyber Attacks

Jermund Ottermo

Intrigue Core: Scaling Assessment Automation

Jonathan Cran

Node.js security - JS Day Italy 2018

Liran Tal

Node.js and JavaScript adoption is high and application security plays a big part in shipping your products in the midst of cyber security threats. We will deep-dive into practical Node.js security measures which you can easily implement in your current projects. Covering topics such as OWASP Top 10 vulnerabilities, Secure Code Guidelines, Leveraging recommended npm libraries, Hardening ExpressJS, and Secure Dependencies Management with CI/CD integration.

Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP

Liran Tal

Liran is leading the core team for the MEAN.js JavaScript framework. He recently published Essential Node.js Security. Passionate about Open Source since an early age, he is continuously contributing to many projects on GitHub around Node.js, JavaScript, Docker, and Security. Being an avid supporter and contributor to the open source movement, in 2007 Liran has redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).

Node.js Security Done Right - Tips and Tricks They Won't Teach You In School

Liran Tal

NodeJS, and JavaScript at large are quickly taking over software whether it is GitHub’s statistics for projects growth, the IoT industry, ChatOps projects written in JavaScript and Enterprises adoption is growing as well. With this trend, it is imperative to review OWASP security practices and learn how to harden NodeJS Web Applications. We will begin with a quick NodeJS intro and a few fail stories of how things can go wrong. We will quickly dive into hands-on practical implementation of security measures to adopt in your current or future NodeJS project. Next I will show how to leverage widely adopted security tools for integration in the build and CI/CD process to audit and test for security vulnerabilities, as well as leveraging successful enterprise-level open source npm libraries to enhance your web application’s security. In summary: in this session I will demonstrate: * Securing ExpressJS by adopting mature and commonly used npm libraries * Secure code guidelines for JavaScript software developers * Integrating NodeJS security measures as part of your build CI/CD DevOps process

"Black Clouds and Silver Linings in Node.js Security" Liran Tal

Julia Cherniak

Remember eslint-scope and event-stream incidents? As an energetic member of the Node.js Foundation's Security Working Group, Liran will provide a 360 perspective of some black clouds of security horror stories in the JavaScript & Node.js ecosystem and educate on mitigating and building secure applications. We will deep-dive into practical Node.js vulnerabilities and how to protect against them, and cover some of OWASP Top 10. Liran will also introduce initiatives the Node.js Security WG have been undertaking to secure the ecosystem and recent security updates in npm.

Fosdem10

wremes

This document provides an overview and agenda for a presentation on OSSEC. It includes sections on log management, OSSEC features, architecture, log analysis with OSSEC, integrity checking, and management commands. The agenda covers topics like log sources, standards, decoding, analysis, and advanced rule building. It also discusses configuring OSSEC for integrity monitoring and includes example OSSEC rules and commands.

Kicking off with Zend Expressive and Doctrine ORM (ConFoo YVR 2017)

James Titcumb

Config Management Camp 2017 - If it moves, give it a pipeline

Mark Rendell

A talk dedicated to improving the quality of infrastructure code using free open source software. We used to say "if it moves, lock it down in version control" and then the concept of a Continuous Delivery pipeline came along and the advice progressed to "if it moves, lock it down in version control and build a Continuous Delivery pipeline to test and release every change continuously". This advice is still more commonly followed in application code than infrastructure and platform code. I will talk about how we have seasoned this dogfood by making CD of infrastructure code easier. The solution “ADOP” is free and open source and currently makes building a pipeline for a Chef Cookbook, Ansible Playbook or Docker image almost trivial. I will describe and demo the solution including how to adopt it, where I think it is going next, and how valuable we have found it. http://cfgmgmtcamp.eu/schedule/testing/mark-rendell.html

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...

Fedir RYKHTIK

Secure WordPress Development Practices

Brandon Dove

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC

PROIDEA

This document discusses DNSSEC (Domain Name System Security Extensions) and its importance for securing the Domain Name System (DNS) infrastructure. It provides an overview of vulnerabilities like cache poisoning attacks that DNSSEC aims to address. It highlights how attitudes towards DNSSEC deployment have changed rapidly in recent years. The document outlines several cache poisoning attacks like Kaminsky's 2008 attack that exploited vulnerabilities in DNS resolvers and spurred improved security. It provides resources for learning about and testing DNSSEC implementations to help secure domains. Overall, the document makes a case for DNSSEC as a critical long-term solution to DNS security issues.

It's a Dangerous World

MongoDB

Speaker: Tom Spitzer, Vice President, Engineering, EC Wise, Inc. Session Type: 40 minute main track session Level: 200 (Intermediate) Track: Security MongoDB Community Server provides a wide range of capabilities for securing your MongoDB installation. In this session, we will focus on access control features, including authentication and authorization mechanisms, that enable you to enforce a least privilege model on user accounts. We will also discuss strategies for enabling and maintaining service and application accounts. Next we will present the encryption capabilities that are available in the community edition and discuss their benefits and possible shortcomings. Finally, we will talk about application level protections your developers can implement to keep risky code from getting to your MongoDB instance. What You Will Learn: - The workings of the MongoDB User Management Interface, the Authentication Database, basic Authentication mechanisms (SCRAM-SHA-1 and certificates), Roles, and Role Based Access controls – plus best practices for using these features to improve the security of your database. - How to use TLS/SSL for transport encryption, application encryption options, and field level redaction. - How injection attacks work and how to minimize the risk of injection attacks.

Application Security around OWASP Top 10

Sastry Tumuluri

Swift Install Workshop - OpenStack Conference Spring 2012

Joe Arnold

OpenStack Swift is a highly-available distributed object storage system which supports highly concurrent workloads. Swift is the backbone behind Cloud Files, Rackspace's storage-as-a-service offering. In this workshop, which will be hosted by members of SwiftStack, Inc., we'll walk you through deployment and use of OpenStack Swift. We'll begin by showing you how to install Swift from the ground up. You'll learn: - what you should know about Swift's architecture - how to bootstrap a basic Swift installation After that, we'll cover how to use Swift, including information on: - creating accounts and users - adding, removing, and managing data - building applications on top of Swift Bring your laptop (with virutalization extensions enabled in the BIOS) and we will walk through setting up Swift in a virtual machine. We'll also build an entire application on top of Swift to illustrate how to use Swift as a storage service. This is a workshop you won't want to miss!

What's hot

Detection index learning based on cyber threat intelligence and its applicati...

CODE BLUE

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...

CODE BLUE

Open source security tools for Kubernetes.

Michael Ducy

Moby and kubernetes entitlements

Moby Project

Securing your Rails application

clucasKrof

ModSecurity and NGINX: Tuning the OWASP Core Rule Set

NGINX, Inc.

JWT: jku x5u

snyff

Adaptive Defense - Understanding Cyber Attacks

Jermund Ottermo

Intrigue Core: Scaling Assessment Automation

Jonathan Cran

What's hot (9)

Detection index learning based on cyber threat intelligence and its applicati...

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...

Open source security tools for Kubernetes.

Moby and kubernetes entitlements

Securing your Rails application

ModSecurity and NGINX: Tuning the OWASP Core Rule Set

JWT: jku x5u

Adaptive Defense - Understanding Cyber Attacks

Intrigue Core: Scaling Assessment Automation

Similar to Cluj JSHeroes 2017 - Liran Tal on Node.js Security

Node.js security - JS Day Italy 2018

Liran Tal

Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP

Liran Tal

Node.js Security Done Right - Tips and Tricks They Won't Teach You In School

Liran Tal

"Black Clouds and Silver Linings in Node.js Security" Liran Tal

Julia Cherniak

Fosdem10

wremes

Kicking off with Zend Expressive and Doctrine ORM (ConFoo YVR 2017)

James Titcumb

Config Management Camp 2017 - If it moves, give it a pipeline

Mark Rendell

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...

Fedir RYKHTIK

Secure WordPress Development Practices

Brandon Dove

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC

PROIDEA

It's a Dangerous World

MongoDB

Application Security around OWASP Top 10

Sastry Tumuluri

Swift Install Workshop - OpenStack Conference Spring 2012

Joe Arnold

Gartner Security & Risk Management Summit 2018

Paula Januszkiewicz

Best Practices for IoT Security in the Cloud

Amazon Web Services

This document provides best practices for security in IoT applications using AWS services. It discusses using mutual TLS for secure communication between devices and AWS IoT, generating and provisioning device certificates, revoking certificates, and implementing fine-grained authorization policies for devices, applications, and users. It also describes using Cognito for authenticating mobile users and associating them with IoT devices and policies.

Atelier Technique CISCO ACSS 2018

African Cyber Security Summit

The document discusses various techniques used in ransomware attacks and defenses against them. It covers topics like email security appliances, command and control (CnC) detection using DNS, the evolution of ransomware variants, and tools like Umbrella that can be used to block malicious domains. It also discusses how the Next Generation IPS/NGFW from Cisco called Firepower can help discover vulnerabilities, detect malware, and tune signatures based on network context.

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...

OWASP Russia

This document summarizes techniques for detecting XXE and SSRF vulnerabilities using DNS records. It describes how an attacker can configure their own DNS server to return their IP address instead of the actual domain, allowing them to detect if the application makes external requests. It also discusses challenges of detecting these vulnerabilities, and provides examples of how to test for them including checking web server access logs for requests to domains controlled by the attacker. The document then covers additional techniques like bypassing content security policies, detecting real users behind Cloudflare, and exploiting URL encoding to bypass input filtering.

Best Practices of IoT in the Cloud

Amazon Web Services

SSRF For Bug Bounties

OWASP Nagpur

The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design

jonmccoy

Similar to Cluj JSHeroes 2017 - Liran Tal on Node.js Security (20)

Node.js security - JS Day Italy 2018

Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP

Node.js Security Done Right - Tips and Tricks They Won't Teach You In School

"Black Clouds and Silver Linings in Node.js Security" Liran Tal

Fosdem10

Kicking off with Zend Expressive and Doctrine ORM (ConFoo YVR 2017)

Config Management Camp 2017 - If it moves, give it a pipeline

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...

Secure WordPress Development Practices

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC

It's a Dangerous World

Application Security around OWASP Top 10

Swift Install Workshop - OpenStack Conference Spring 2012

Gartner Security & Risk Management Summit 2018

Best Practices for IoT Security in the Cloud

Atelier Technique CISCO ACSS 2018

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...

Best Practices of IoT in the Cloud

SSRF For Bug Bounties

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design

Recently uploaded

Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...

Paul Brebner

Closing talk for the Performance Engineering track at Community Over Code EU (Bratislava, Slovakia, June 5 2024) https://eu.communityovercode.org/sessions/2024/why-apache-kafka-clusters-are-like-galaxies-and-other-cosmic-kafka-quandaries-explored/ Instaclustr (now part of NetApp) manages 100s of Apache Kafka clusters of many different sizes, for a variety of use cases and customers. For the last 7 years I’ve been focused outwardly on exploring Kafka application development challenges, but recently I decided to look inward and see what I could discover about the performance, scalability and resource characteristics of the Kafka clusters themselves. Using a suite of Performance Engineering techniques, I will reveal some surprising discoveries about cosmic Kafka mysteries in our data centres, related to: cluster sizes and distribution (using Zipf’s Law), horizontal vs. vertical scalability, and predicting Kafka performance using metrics, modelling and regression techniques. These insights are relevant to Kafka developers and operators.

ppt on the brain chip neuralink.pptx

Reetu63

Modelling Up - DDDEurope 2024 - Amsterdam

Alberto Brandolini

UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem

Peter Muessig

The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...

kalichargn70th171

Using Query Store in Azure PostgreSQL to Understand Query Performance

Grant Fritchey

Project Management: The Role of Project Dashboards.pdf

Karya Keeper

Project management is a crucial aspect of any organization, ensuring that projects are completed efficiently and effectively. One of the key tools used in project management is the project dashboard, which provides a comprehensive view of project progress and performance. In this article, we will explore the role of project dashboards in project management, highlighting their key features and benefits.

Unveiling the Advantages of Agile Software Development.pdf

brainerhub1

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

kalichargn70th171

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Peter Muessig

The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.

Oracle 23c New Features For DBAs and Developers.pptx

Remote DBA Services

Oracle Database 19c New Features for DBAs and Developers.pptx

Remote DBA Services

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

rodomar2

一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理

kgyxske

原版一模一样【微信：741003700 】【(sdsu毕业证书)圣地亚哥州立大学毕业证成绩单】【微信：741003700 】学位证，留信认证（真实可查，永久存档）原件一模一样纸张工艺/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！外壳，原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原。 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700 【主营项目】一.毕业证【q微741003700】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等！二.真实使馆公证(即留学回国人员证明,不成功不收费) 三.真实教育部学历学位认证（教育部存档！教育部留服网站永久可查）四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度) 如果您处于以下几种情况： ◇在校期间，因各种原因未能顺利毕业……拿不到官方毕业证【q/微741003700】 ◇面对父母的压力，希望尽快拿到； ◇不清楚认证流程以及材料该如何准备； ◇回国时间很长，忘记办理； ◇回国马上就要找工作，办给用人单位看； ◇企事业单位必须要求办理的 ◇需要报考公务员、购买免税车、落转户口 ◇申请留学生创业基金留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才办理(sdsu毕业证书)圣地亚哥州立大学毕业证【微信：741003700 】外观非常简单，由纸质材料制成，上面印有校徽、校名、毕业生姓名、专业等信息。办理(sdsu毕业证书)圣地亚哥州立大学毕业证【微信：741003700 】格式相对统一，各专业都有相应的模板。通常包括以下部分：校徽：象征着学校的荣誉和传承。校名:学校英文全称授予学位：本部分将注明获得的具体学位名称。毕业生姓名：这是最重要的信息之一，标志着该证书是由特定人员获得的。颁发日期：这是毕业正式生效的时间，也代表着毕业生学业的结束。其他信息：根据不同的专业和学位，可能会有一些特定的信息或章节。办理(sdsu毕业证书)圣地亚哥州立大学毕业证【微信：741003700 】价值很高，需要妥善保管。一般来说，应放置在安全、干燥、防潮的地方，避免长时间暴露在阳光下。如需使用，最好使用复印件而不是原件，以免丢失。综上所述，办理(sdsu毕业证书)圣地亚哥州立大学毕业证【微信：741003700 】是证明身份和学历的高价值文件。外观简单庄重，格式统一，包括重要的个人信息和发布日期。对持有人来说，妥善保管是非常重要的。

WWDC 2024 Keynote Review: For CocoaCoders Austin

Patrick Weigel

Energy consumption of Database Management - Florina Jonuzi

Green Software Development

DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS

Tier1 app

Are you ready to unlock the secrets hidden within Java thread dumps? Join us for a hands-on session where we'll delve into effective troubleshooting patterns to swiftly identify the root causes of production problems. Discover the right tools, techniques, and best practices while exploring *real-world case studies of major outages* in Fortune 500 enterprises. Engage in interactive lab exercises where you'll have the opportunity to troubleshoot thread dumps and uncover performance issues firsthand. Join us and become a master of Java thread dump analysis!

Enhanced Screen Flows UI/UX using SLDS with Tom Kitt

Peter Caitens

Microservice Teams - How the cloud changes the way we work

Sven Peters

A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams? Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.

All you need to know about Spring Boot and GraalVM

Alina Yurenko

Recently uploaded (20)

Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...

ppt on the brain chip neuralink.pptx

Modelling Up - DDDEurope 2024 - Amsterdam

UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem

The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...

Using Query Store in Azure PostgreSQL to Understand Query Performance

Project Management: The Role of Project Dashboards.pdf

Unveiling the Advantages of Agile Software Development.pdf

8 Best Automated Android App Testing Tool and Framework in 2024.pdf

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Oracle 23c New Features For DBAs and Developers.pptx

Oracle Database 19c New Features for DBAs and Developers.pptx

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理

WWDC 2024 Keynote Review: For CocoaCoders Austin

Energy consumption of Database Management - Florina Jonuzi

DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS

Enhanced Screen Flows UI/UX using SLDS with Tom Kitt

Microservice Teams - How the cloud changes the way we work

All you need to know about Spring Boot and GraalVM

Cluj JSHeroes 2017 - Liran Tal on Node.js Security

1. Node.js Security: Breaking The Loop Liran Tal Engineering Manager @ Nielsen Marketing Cloud March 2017

6. The Magical 2010

7. The Magical 2010 Backbone.js Underscore.js AngularJS Knockout.js Node.js npm

9. Node.JS is JavaScript  JavaScript is Everywhere

10. Security Horror Stories  in Node.JS

11. Fail #1

12. By January 2015 ◇ rimrafall package published to npm

13. rimrafall ◇ npm pre-install script $ rm –rf /*

14.

15. Fail #2

16. validator.js ◇ helps validate and sanitize strings

17.

18. $ npm install validator.js --save

19. validator.js  !=  validator

20. malicious modules of similar names

21. 3,500,000 socket.io 2,000 socketio malicious modules of similar names

22. Fail #3

23.

24. seemingly innocent tutorial to learn from

25.

26.

27.

28.

29. Node.js  Security Mindset

30. Essential Node.js Security https://leanpub.com/nodejssecurity/c/jsheroes

31. Security by HTTP Headers1

32. The Big 3

33. The Big 3

34. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3

35. 1. Strict-Transport-Security The Big 3 Browsers enforce secure (HTTPS) connections to the server Security by HTTP Headers

36. 1. Strict-Transport-Security The Big 3 http://www.bank.com <a href=“https://bank.com/login"> http://www.bank.com/login Security by HTTP Headers

37. 1. Strict-Transport-Security The Big 3 http://www.bank.com https://www.bank.com Security by HTTP Headers

38. 2. X-Frame-Options The Big 3 Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on Security by HTTP Headers

39. 2. X-Frame-Options The Big 3 Security by HTTP Headers

40. 2. X-Frame-Options The Big 3 Security by HTTP Headers

41. 3. Content-Security-Policy The Big 3 Whitelist Trusted Content Security by HTTP Headers

42. 3. Content-Security-Policy The Big 3 Whitelist Trusted Content Security by HTTP Headers

43. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3 Security by HTTP Headers

44. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3 Security by HTTP Headers

45. Helmet Securing ExpressJS

46. Putting it all together  with Helmet and ExpressJS

47. 2 noSQL Injections

48.

49.

50. What is going on here?

51. No HTTP body in ExpressJS it relies on bodyParser lib

52. ExpressJS uses bodyParser library to access HTTP body payload

53. ExpressJS uses bodyParser library to access HTTP body payload

54.

55.

56. Validate Input ◇ Validate Length and Type ◇ Validate & Sanitize input to expected type ◇ Parameters Binding ◇ Security in Depth

57.

58. ReDoS 3 Regular Expressions DoS

59. Regular Expressions

60. • ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d d?|2[0-4]d|25[0-5]).([01]?dd?| 2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d| 25[0-5])$

61. Matching an IP address • ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d d?|2[0-4]d|25[0-5]).([01]?dd?| 2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d| 25[0-5])$

62. Let’s Match Song Titles Can you help with the regex?

63. ^([a-zA-Z0-9])$ • Match words and numbers

64. ^([a-zA-Z0-9]+s?)$ • Match words and numbers • Allow spaces in between (duh)

65. ^([a-zA-Z0-9]+s?)+$ • Match words and numbers • Allow spaces in between (duh) • Repeat

66.

67. ReDoS Attacks ◇ Catastrophic Backtracking ◇ Exploits greedy quantifiers ◇ Simple regex are vulnerable too:  /^(a+)+$/

68. Regex DoS is a Real Problem ◇2017 - ms ◇2016 - Hawk ◇2016 - Tough Cookie ◇2016 - Moment ◇2015 - Uglify ◇2014 - Marked ◇2013 - Validator.js

69. Regex Best Practices?

70. University of Birmingham UK http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf

71. Best Practice #1 ◇ DO NOT WRITE YOUR OWN REGEX

72. Best Practice #2 ◇ DO NOT WRITE YOUR OWN REGEX

73. Best Practice #3 ◇Validator Node.js Module

74.

75. Best Practice #4 ◇ safe-regex node.js module ◇ checks regex complexity/backtracking vulnerability

76.

77. Secure Dependencies Management 4

78.

79. Are my dependencies vulnerable? ask yourself

80. Secure Dependencies Management Snyk

81.

82. snyk ◇ check cve db for known issues ◇ check installed node_modules dir ◇ provides patch-level fix ◇ provides interactive patch wizard

83. SecurityOps Integrated Security into your  build pipeline

84. 1 2 3 Employ Secure HTTP headers with Helmet Be mindful to NoSQL Injections Summary 4 Snyk to secure Your npm dependencies Avoid writing your own RegEx

85. Thank you! liran.tal@nielsen.com @liran_tal https://leanpub.com/nodejssecurity/c/jsheroes

Cluj JSHeroes 2017 - Liran Tal on Node.js Security

Recommended

Recommended

More Related Content

What's hot

What's hot (9)

Similar to Cluj JSHeroes 2017 - Liran Tal on Node.js Security

Similar to Cluj JSHeroes 2017 - Liran Tal on Node.js Security (20)

Recently uploaded

Recently uploaded (20)

Cluj JSHeroes 2017 - Liran Tal on Node.js Security