An overview of the Node.JS platform from a security perspective. Offers guidance on how to secure node apps, as well as ways to test them as an infosec professional. Presented at Rochester Security Summit 2015.

1. Node.js
Security
…trolololol

2. about.me
• break things for fun and
profit
• sometimes I talk about stuff
• involved in various groups
• <3 ROC hacker community

3. most importantly

4. node.js
• a JavaScript runtime built
on Google’s V8
JavaScript engine
• uses an event-driven,
non-blocking I/O model
• npm package repo
claims to be the largest
ecosystem of open
source libraries in the
world

5. V8 engine runtime
• written in C++
• implements ECMA
script standard
ECMA-262
• same engine the
chrome browser
uses for JavaScript
processing

6. installation
• don’t apt-get install
• download the tarball
• untar it $someplace
• add
$someplace/<nodedir>/bin
to your path

7. starting a project
• npm init
<demo>
• or don’t

8. things to know
• node.js is NOT a web framework.
• It’s an application server
• think Tomcat or Zend
• not rails or Django
• you know that, devops don’t care

9. express.js web framework
• modeled after the ruby ‘Sinatra’
project
• most widely used node framework
• easy to work with, lots of examples
• creating servers is easy

10. sample hello
var express = require('express');
var app = express();
app.get('/', function (req, res) {
res.send('Hello World!');
});
var server = app.listen(3000,
function () {
console.log('app listening on port
3000’);
});

11. other frameworks?
• koa
only framework that embraces ES6 fully
less robust than express, and not as tested
• hapi
built for complex apps, has big.corp support
(walmart)
less mature than express, heavier dev
investment requirements

12. what about $myFavorite.js?
• express / koa / hapi
server side
designed to manage the
application engine
• angular / ember /
backbone /
omgsomany
client-side JavaScript
frameworks
implement MVC or PAC
methods

13. moar demo

14. security risks
• npm makes it easy to add things
tough to track dependencies
repo is open, anyone can add modules
vulns in vendor libs == app.pwnd
• package.json may get stale
as libs are updated, version info may not change
lib patches that you ignore == app.pwnd

15. OMG! XSS! ONTHASERVER!
• we can inject commands & stuff
right?
• not really a concern, because this is
server-side
• client input isn’t parsed in the server code
• not shelling out to command line
• options that get parsed come from:
• env vars
• config files
• sometimes eval() but that’s very uncommon

16. node security tools
• helmet.js
framework makes it easy to remove common
vectors like XSS, CSRF, cache snarfing, and
clickjacking
helmet = require(‘helmet’);
app.use(helmet.xssFilter());
app.use(helmet.noCache());
app.use(helmet.xssnoSniff());
app.use(helmet.xssframeguard());
app.use(helmet.xsshidePoweredBy());

17. helmet makes us safer

18. nodesecurity.io
• flags included packages with known vulnerabilities
• can be used automagically with grunt
grunt.loadNpmTasks('grunt-nsp-package');
grunt.loadNpmTasks('grunt-nsp-shrinkwrap');
grunt.registerTask('nsp-package',
'Validates package.json with nodesecurity.io',
'validate-package');
grunt.registerTask('nsp-shrinkwrap',
'Validates shrinkwrap.json with nodesecurity.io',
'validate-shrinkwrap');

19. nsp-package example

20. NodeJs Scan
• python tool to scan node.js static
code
• problem: node is JavaScript, and is
dynamic
• that makes it tough to analyze code
• still does a decent job of trying

21. demo++;

22. preso.quit();