The document discusses best practices for Node.js security, emphasizing the importance of secure HTTP headers, session cookies, and protection against various vulnerabilities like NoSQL injection and regex denial of service attacks. It highlights real-world security incidents and provides tips for dependency vulnerability scanning and integrating security into development pipelines. Key tools mentioned include Helmet, Lusca, Snyk, and Bithound.io for enhancing Node.js application security.

1. NODE.JS SECURITY
DONE RIGHT Tips and Tricks
They Won’t Teach
You in SchoolLiran Tal
R&D Team Lead for a Full-Stack Technology
Web Marketplace

2. Hello!
I am Liran Tal
R&D Team Lead for a Full-Stack Technology
Web Marketplace

3. Open Source Evangelist

4. 1. Node.js background
2. Security Horror Stories in Node.js
3. Tips & Recipes
Agenda
• Security by HTTP Headers
• Secure Session Cookies
• NoSQL Injection
• Regular Expressions DOS attack
• Dependencies Vuln’ Scanning
• Security as a Service

5. The Big Bang of JavaScript
💣

6. Node.js Born in 2009
◇ Open Source
◇ Cross-Platform
◇ Asynchronous JavaScript Runtime

7. “
Ryan Dahl was inspired to create Node.js
after seeing a file upload progress
bar on Flickr.
source: https://en.wikipedia.org/wiki/Node.js

8. By 2011
◇ Node.JS 0.1.14
◇ Package Management (npm)

9. Node.JS Rapid Adoption

10. Node.JS is JavaScript
JavaScript is Everywhere

11. 2015 GitHub
Developer Survey
50,000 World Wide
Software Engineers
👨👩

12. JavaScript wins
Backend and Frontend
popularity

14. JavaScript wins
most open source
projects

16. Security
Horror
Stories
in Node.JS

17. By January 2015
◇ rimrafall package published to npm

18. rimrafall ?

19. rimrafall
◇ npm pre-install script
$ rm –rf /*

21. Fishing Attacks,
npm Style

22. validator.js
◇ helps validate and sanitize strings

24. $ npm install validator.js --save

25. validator.js
!=
validator

26. malicious modules
of similar names

27. malicious modules
of similar names
3,500,000 socket.io
2,000 socketio

28. malicious modules
of similar names
11,000,000 uglify-js
50,000 uglifyjs

29. Failing to educate
the younger
generation

31. seemingly innocent
tutorial to learn from

34. Tips &
Recipes to
Secure
Node.js

35. Security by HTTP
Headers1

36. STRICT-TRANSPORT-
SECURITY
Browsers enforce secure
connections to the server
(HTTPS)

37. X-FRAME-OPTIONS
Clickjacking protection
by not rendering content
in iframes

38. CONTENT-SECURITY-
POLICY
Whitelist trusted content,
and services

39. X-XSS-PROTECTION
enables *browser XSS
filtering
* IE8 | IE9

40. X-CONTENT-TYPE-
OPTIONS
*browsers do not sniff
MIME responses
*IE8 | Chrome | Safari

41. Helmet
Securing ExpressJS

42. Putting it all
together
with Helmet and
ExpressJS

43. Lusca
Securing ExpressJS

44. Putting it all
together
with Lusca and
ExpressJS

45. Securing the Cookies
2

46. SECURE
cookies sent over HTTPS
connections only

47. httpOnly
cookies are not
accessible from
JavaScript

49. Fingerprinting Node.JS

52. Fun with Headers

55. noSQL Injections
3

56. Creating TRUE
SQL statements

57. Creating TRUE
SQL statements

58. Live Demo!
show me the code…

59. No HTTP body in
ExpressJS
it relies on bodyParser lib

60. ExpressJS uses
bodyParser
library to access
HTTP body
payload

61. ExpressJS uses
bodyParser
library to access
HTTP body
payload

62. Creating TRUE
SQL statements

63. Creating TRUE
SQL statements

64. Validate Input
◇ Validate Length and Type
◇ Validate & Sanitize input to expected
type
◇ Parameters Binding
◇ Security in Depth

65. ExpressJS uses
bodyParser
library to access
HTTP body
payload

66. ReDoS
4 Regular Expressions DoS

67. Requirement:
◇ Validate the input has at least one ‘a’
character and allow unlimited
occurences

69. 3 Months Later…

70. More work on the
feature:
◇ Different Engineer gets the job
◇ Requirement changes: Validate the
input has exactly 10 characters of ‘a’

71. Live Demo!
show me the code…

73. Attacker sends
◇ Array(100).join(‘a’) + ‘!’

74. BOOM

75. ExpressJS uses
neogitator
◇ parsing the Accept-Language header
Parameters Binding

77. 10,000,000
negotiator

79. Best Practices
◇ Validator.js node.js module

81. Best Practices
◇ safe-regex node.js module
◇ checks regex complexity/backtracking
vulnerability

83. Best Practices
◇ OWASP Validation RegEx Repo

84. Vulnerability Scan
5

85. Are my dependencies
vulnerable?
ask yourself

86. snyk
◇ check cve db for known issues
◇ check installed node_modules dir
◇ provides patch-level fix
◇ provides interactive patch wizard

89. nsp
◇ check cve db for known issues
◇ check installed node_modules dir

91. shrinkwrap
◇ pin-down dependencies
◇ pin-down devDependencies
◇ ship with tested packages
◇ avoid surprises in production build

93. SecurityOps
Integrated Security into your
build pipeline

94. Security as a Service
6

95. david-dm
◇ monitor nodejs dependencies
◇ check installed node_modules dir

97. Bithound.io
◇ monitor nodejs dependencies
◇ lint / static code analysis

99. 1
2
3
Helmet or Lusca for secure HTTP
headers
Obsecure the session name
Validate and Sanitize req.body params
to NoSQL
Summary:

100. 4
5
6
Use validator.js for regex
Dependencies check with snyk, and
nsp
SaaS Security with bithound.io and
david-dm
Summary:

101. Thanks!
Any questions?
◇ liran.tal@hpe.com
◇ GitHub