Dinis Cruz, profile picture
Uploaded byDinis Cruz
1,160 views

NodeJS security - still unsafe at most speeds - v1.0

This document discusses NodeJS security. It begins by providing background on the author and their experience. It then outlines what is good about NodeJS, including its native JSON support, asynchronous pattern, developer friendliness, and large community. However, it also notes weaknesses, such as the lack of strong typing, risks associated with the NPM ecosystem and JavaScript interpretation, and challenges of static analysis and access control. It recommends following the OWASP Top 10 and references tools/projects for securing NodeJS like OWASP NodeGoat and the NodeJS Security book. The document advocates understanding application risks and issues and viewing them as features to fix through a risk workflow.

Embed presentation

Downloaded 19 times
NodeJS Security Still unsafe at most speeds London, 29th Sep 2016 @DinisCruz
Me • Developer for 25 years • AppSec for 13 years • Day jobs: • Leader OWASP O2 Platform project • Application Security Training for JBI Training • Part of AppSec team of: • The Hut Group • BBC • AppSec Consultant and Mentor • “I build AppSec teams….” • https://twitter.com/DinisCruz • http://blog.diniscruz.com • http://leanpub.com/u/DinisCruz
• @Leanpub (get for 0$ ) • http://leanpub.com/u/DinisCruz – 
 Contact
Recent Presentations (you might find interesting) http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html http://blog.diniscruz.com/2016/05/appsec-and-software-quality.html http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
AppSec and Quality
Key to AppSec - The AppSec Risk Workflow http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
When creating tests on the ‘Fix’ stage, the focus (& time allocated) is on 
 fixing the bug (not on testing it) When creating tests on the ‘Issue Creation’ stage, the focus (& time allocated) is on 
 how to test it and what is its root cause http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html Start with Passing tests, because:
NODEJS SECURITY
• Just as good and bad as Java or .NET • We are still in the same place • Not many lessons learned • But at least we are building bigger and faster websites (with more house-power and assets) Basically….
• native JSON • super fast – V8 Engine executed some javascript code 
 faster than (equivalent) C++ • async pattern – one event loop thread – highly scalable • developer friendly – fast development – REPL (Read, Eval, Print, Loop) – enables CI and CD (easy integration with GitHub, Travis, etc…) • Other languages – ECMAScript 6 – CoffeeScript (my favourite language) – Jade (Html template engine) – Typescript What is good 1/3
• community Innovation – pure Open Source child (with strong corporate support) – equivalent io.js fork should had happened to Java and .NET – crazy innovation speed and technologies like JsDOM – NodeJS Security Project • ssl is easy • enterprise ready – used by massive sites with great success – amazing live monitoring and instrumentation tools (and SAAS solution) – container friendly (i.e. docker) • promotes Microservices • great test culture (TDD) • growing security maturity – null checks on file paths What is good 2/3
• WallabyJS – real time unit test execution – real time code coverage What is good 3/3
Just to be clear….
 nodeJS + CoffeeScript + wallaby
 is my most productive
 and enjoyable dev environment
 where I easily write 
 secure code with 100% code coverage
• Same old OWASP Top 10 • Have to work hard to write secure apps – not out of the box – CSRF protection for example • REST Injection – can be as bad as SQL Injection • Model Binding is alive What is bad 1/5
• It’s Javascript – not strongly typed • with crazy type conversions and equals • decimal conversion problems – ability to overwrite (via prototypes) other API’s methods – interpreted code (strings can become code) • Eval, file save or ‘dynamic requires’ can lead to RCE • Strings everywhere (we have to ‘ban strings’) • Pattern: Proxy to internal Systems (with no data validation checks for more data) What is bad 2/5
• NPM – just as bad and crazy as Maven, NuGet, CocoaPods – very little security checks performed in new modules • few security eyeballs • dependency checks via https://nodesecurity.io/ via nsp – just look at what is inside some npm packages • See I Peeked Into My Node_Modules Directory And You Won’t Believe What Happened Next https://medium.com/friendship- dot-js/i-peeked-into-my-node-modules-directory-and-you-wont- believe-what-happened-next-b89f63d21558 What is bad 3/5
• Unhanded errors will crash server (can be a good thing) • Server side HTML and Javascript generation – source of tons of XSS • Secure configuration is hard • Weak code visualisation for – Attack surface – AST – Code Paths • Limited support for sandboxing code and CAS (Code Access Security) What is bad 4/5
• Hard to do SAST (Static Analysis) • NoSQL databases vulnerable to Injection attacks • Express support for ..%2f in url segments • … I’m sure there are many more … What is bad 5/5
OWASP AND NODEJS
• A1 Injection • A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards OWASP Top 10 (for 2013) is all there
OWASP Juice Shop Tool Project
OWASP NodeGoat Project
NodeJS Security Book https://secureyournodejs.com
KNOW THE RISK OF YOUR APPLICATION
• You need to have them mapped and accept the risk • Here are the risks currently accepted for the OWASP/Maturity-Models project (NodeJS app)
 
 
 – https://github.com/OWASP/Maturity-Models View security issues as features
…using GitHub Labels to create Risk Workflow
CASE STUDY: WHEN I CREATED A VULNERABILITY
• Here is the code I wrote (at the Data Layer)
 
 
 
 
 • This method is designed to be called by the controller (i.e. rest api endpoint): Feature request: Allow data editing on UI
Feature request: Allow data editing on UI
Regression test that passes on issue
Fix for Path transversal
Regression test
LET’S SEE HOW IT LOOKED IN THE CODE
…before the vuln is created
…when the vuln is created
… adding comments
…after issues are created
…improving comments
…updating issues after 1st fix
… after final fix
… more issues where found later
Thanks, any questions @diniscruz dinis.cruz@owasp.org

More Related Content

PDF
Surrogate dependencies (in node js) v1.0
byDinis Cruz
 
PDF
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
byDinis Cruz
 
PDF
Security in a Continuous Delivery World
byDinis Cruz
 
PDF
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
byDinis Cruz
 
PDF
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
PDF
Get Ready for JIRA 5 - AtlasCamp 2011
byAtlassian
 
PDF
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
PDF
Merging Security with DevOps - An AppSec Perspective
byAbhay Bhargav
 
Surrogate dependencies (in node js) v1.0
byDinis Cruz
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
byDinis Cruz
 
Security in a Continuous Delivery World
byDinis Cruz
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
byDinis Cruz
 
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
Get Ready for JIRA 5 - AtlasCamp 2011
byAtlassian
 
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
Merging Security with DevOps - An AppSec Perspective
byAbhay Bhargav
 

What's hot

PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PDF
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
byAbhay Bhargav
 
PDF
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
PPTX
Owasp glue
bySoluto
 
PDF
Security champions v1.0
byDinis Cruz
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
PDF
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
PPTX
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PDF
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
PDF
Intro to DefectDojo at OWASP Switzerland
byMatt Tesauro
 
PDF
Security as Code: DOES15
byEd Bellis
 
PDF
A Secure DevOps Journey
bySonatype
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
Legacy-SecDevOps (AppSec Management Debrief)
byDinis Cruz
 
ODP
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
SecDevOps: The New Black of IT
byCloudPassage
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
byAbhay Bhargav
 
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
Owasp glue
bySoluto
 
Security champions v1.0
byDinis Cruz
 
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
byMatt Tesauro
 
Security as Code: DOES15
byEd Bellis
 
A Secure DevOps Journey
bySonatype
 
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
Legacy-SecDevOps (AppSec Management Debrief)
byDinis Cruz
 
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 

Viewers also liked

PDF
Hacking Portugal , C-days 2016 , v1.0
byDinis Cruz
 
PPTX
Making threat modeling so easy
byDinis Cruz
 
PDF
Owasp summit 2017
byDinis Cruz
 
PDF
Nodejs in Production
byWilliam Bruno Moraes
 
PDF
SC conference - Building AppSec Teams
byDinis Cruz
 
PPTX
Building Web Apps & APIs With Node JS
byLohith Goudagere Nagaraj
 
PDF
Veracode Automation CLI (using Jenkins for SDL integration)
byDinis Cruz
 
PDF
Testing NodeJS Security
byJose Manuel Ortega Candel
 
PDF
Asec r01-resting-on-your-laurels-will-get-you-pwned
byDinis Cruz
 
PPTX
NodeMN: Building AI into your Node.js apps
byDavid Washington
 
PPTX
Web Development with Node.js
byAndrew Lively
 
PDF
GPG Signing Git Commits
byDinis Cruz
 
ODP
Introduction to OWASP & Web Application Security
byOWASPKerala
 
PDF
Microservices and Seneca at RomaJS group
byLuca Lanziani
 
PDF
The Seneca Pattern at EngineYard Distill 2013 Conference
byRichard Rodger
 
PPTX
Node Interactive : 7 years, 7 design patterns, will node continue to outshine
byShubhra Kar
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
KEY
Introducing the Seneca MVP framework for Node.js
byRichard Rodger
 
PPTX
Writing Test Cases with PHPUnit
byShouvik Chatterjee
 
PDF
NodeJS Microservices, Built it Now, Scale it Later!
byLalit Shandilya
 
Hacking Portugal , C-days 2016 , v1.0
byDinis Cruz
 
Making threat modeling so easy
byDinis Cruz
 
Owasp summit 2017
byDinis Cruz
 
Nodejs in Production
byWilliam Bruno Moraes
 
SC conference - Building AppSec Teams
byDinis Cruz
 
Building Web Apps & APIs With Node JS
byLohith Goudagere Nagaraj
 
Veracode Automation CLI (using Jenkins for SDL integration)
byDinis Cruz
 
Testing NodeJS Security
byJose Manuel Ortega Candel
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
byDinis Cruz
 
NodeMN: Building AI into your Node.js apps
byDavid Washington
 
Web Development with Node.js
byAndrew Lively
 
GPG Signing Git Commits
byDinis Cruz
 
Introduction to OWASP & Web Application Security
byOWASPKerala
 
Microservices and Seneca at RomaJS group
byLuca Lanziani
 
The Seneca Pattern at EngineYard Distill 2013 Conference
byRichard Rodger
 
Node Interactive : 7 years, 7 design patterns, will node continue to outshine
byShubhra Kar
 
OWASP Top Ten in Practice
bySecurity Innovation
 
Introducing the Seneca MVP framework for Node.js
byRichard Rodger
 
Writing Test Cases with PHPUnit
byShouvik Chatterjee
 
NodeJS Microservices, Built it Now, Scale it Later!
byLalit Shandilya
 

Similar to NodeJS security - still unsafe at most speeds - v1.0

PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PDF
Node.js security tour
byGiacomo De Liberali
 
PDF
ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...
byCyber Security Alliance
 
PDF
How npm is making JavaScript safe for everyone
byDaniel Sauble
 
PDF
Serverless Security Guy Podjarny Liran Tal
byxenikwit30
 
PDF
Platform as reflection of values: Joyent, node.js, and beyond
bybcantrill
 
PPTX
Using Node.js to Build for the Enterprise
byMicrosoft Tech Community
 
PDF
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
PDF
Node Security: The Good, Bad & Ugly
byBishan Singh
 
ODP
Scaling and securing node.js apps
byMaciej Lasyk
 
PDF
Node.js Enterprise Middleware
byBehrad Zari
 
PDF
How to Enterprise Node
byJulián David Duque
 
KEY
Dcjq node.js presentation
byasync_io
 
PDF
Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk
byPROIDEA
 
PDF
Node JS reverse shell
byMadhu Akula
 
PPTX
Take the Fastest Path to Node.Js Application Development with Bitnami & AWS L...
byBitnami
 
PDF
Node.js Web Development SEO Expert Bangladesh LTD.pdf
byTasnim Jahan
 
PPTX
BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?
byAndrew Freeborn
 
PDF
How to Make Your NodeJS Application Secure (24 Best Security Tips )
byKaty Slemon
 
PDF
Node.js Web Development.pdf
bySonia Simi
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Node.js security tour
byGiacomo De Liberali
 
ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...
byCyber Security Alliance
 
How npm is making JavaScript safe for everyone
byDaniel Sauble
 
Serverless Security Guy Podjarny Liran Tal
byxenikwit30
 
Platform as reflection of values: Joyent, node.js, and beyond
bybcantrill
 
Using Node.js to Build for the Enterprise
byMicrosoft Tech Community
 
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
Node Security: The Good, Bad & Ugly
byBishan Singh
 
Scaling and securing node.js apps
byMaciej Lasyk
 
Node.js Enterprise Middleware
byBehrad Zari
 
How to Enterprise Node
byJulián David Duque
 
Dcjq node.js presentation
byasync_io
 
Atmosphere 2014: Scaling and securing node.js apps - Maciej Lasyk
byPROIDEA
 
Node JS reverse shell
byMadhu Akula
 
Take the Fastest Path to Node.Js Application Development with Bitnami & AWS L...
byBitnami
 
Node.js Web Development SEO Expert Bangladesh LTD.pdf
byTasnim Jahan
 
BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?
byAndrew Freeborn
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
byKaty Slemon
 
Node.js Web Development.pdf
bySonia Simi
 

More from Dinis Cruz

PDF
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
byDinis Cruz
 
PDF
Glasswall - Safety and Integrity Through Trusted Files
byDinis Cruz
 
PDF
Glasswall - How to Prevent, Detect and React to Ransomware incidents
byDinis Cruz
 
PDF
The benefits of police and industry investigation - NPCC Conference
byDinis Cruz
 
PDF
Serverless Security Workflows - cyber talks - 19th nov 2019
byDinis Cruz
 
PDF
Modern security using graphs, automation and data science
byDinis Cruz
 
PDF
Using Wardley Maps to Understand Security's Landscape and Strategy
byDinis Cruz
 
PDF
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
byDinis Cruz
 
PDF
Making fact based decisions and 4 board decisions (Oct 2019)
byDinis Cruz
 
PDF
CISO Application presentation - Babylon health security
byDinis Cruz
 
PDF
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
byDinis Cruz
 
PDF
GSBot Commands (Slack Bot used to access Jira data)
byDinis Cruz
 
PDF
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
byDinis Cruz
 
PDF
OSBot - Data transformation workflow (from GSheet to Jupyter)
byDinis Cruz
 
PDF
Jira schemas - Open Security Summit (Working Session 21th May 2019)
byDinis Cruz
 
PDF
Template for "Sharing anonymised risk theme dashboards v0.8"
byDinis Cruz
 
PDF
Owasp and summits (may 2019)
byDinis Cruz
 
PDF
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
byDinis Cruz
 
PDF
Open security summit 2019 owasp london 25th feb
byDinis Cruz
 
PDF
Owasp summit 2019 - OWASP London 25th feb
byDinis Cruz
 
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
byDinis Cruz
 
Glasswall - Safety and Integrity Through Trusted Files
byDinis Cruz
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
byDinis Cruz
 
The benefits of police and industry investigation - NPCC Conference
byDinis Cruz
 
Serverless Security Workflows - cyber talks - 19th nov 2019
byDinis Cruz
 
Modern security using graphs, automation and data science
byDinis Cruz
 
Using Wardley Maps to Understand Security's Landscape and Strategy
byDinis Cruz
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
byDinis Cruz
 
Making fact based decisions and 4 board decisions (Oct 2019)
byDinis Cruz
 
CISO Application presentation - Babylon health security
byDinis Cruz
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
byDinis Cruz
 
GSBot Commands (Slack Bot used to access Jira data)
byDinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
byDinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
byDinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
byDinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
byDinis Cruz
 
Owasp and summits (may 2019)
byDinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
byDinis Cruz
 
Open security summit 2019 owasp london 25th feb
byDinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
byDinis Cruz
 

Recently uploaded

DOCX
A Comprehensive Guide To Buy Verified PayPal Accounts_.docx
bysmartusapva.com
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PDF
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PPTX
Topic: Introduction to Storage Elements Flip-Flops.pptx
byhn486916
 
A Comprehensive Guide To Buy Verified PayPal Accounts_.docx
bysmartusapva.com
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Topic: Introduction to Storage Elements Flip-Flops.pptx
byhn486916
 

NodeJS security - still unsafe at most speeds - v1.0

  • 1.
    NodeJS Security Still unsafeat most speeds London, 29th Sep 2016 @DinisCruz
  • 2.
    Me • Developer for25 years • AppSec for 13 years • Day jobs: • Leader OWASP O2 Platform project • Application Security Training for JBI Training • Part of AppSec team of: • The Hut Group • BBC • AppSec Consultant and Mentor • “I build AppSec teams….” • https://twitter.com/DinisCruz • http://blog.diniscruz.com • http://leanpub.com/u/DinisCruz
  • 3.
    • @Leanpub (getfor 0$ ) • http://leanpub.com/u/DinisCruz – 
 Contact
  • 4.
    Recent Presentations (youmight find interesting) http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html http://blog.diniscruz.com/2016/05/appsec-and-software-quality.html http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
  • 5.
  • 6.
    Key to AppSec- The AppSec Risk Workflow http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html
  • 7.
    When creating testson the ‘Fix’ stage, the focus (& time allocated) is on 
 fixing the bug (not on testing it) When creating tests on the ‘Issue Creation’ stage, the focus (& time allocated) is on 
 how to test it and what is its root cause http://blog.diniscruz.com/2016/09/presentation-turning-tdd-upside-down.html Start with Passing tests, because:
  • 8.
  • 9.
    • Just asgood and bad as Java or .NET • We are still in the same place • Not many lessons learned • But at least we are building bigger and faster websites (with more house-power and assets) Basically….
  • 10.
    • native JSON •super fast – V8 Engine executed some javascript code 
 faster than (equivalent) C++ • async pattern – one event loop thread – highly scalable • developer friendly – fast development – REPL (Read, Eval, Print, Loop) – enables CI and CD (easy integration with GitHub, Travis, etc…) • Other languages – ECMAScript 6 – CoffeeScript (my favourite language) – Jade (Html template engine) – Typescript What is good 1/3
  • 11.
    • community Innovation –pure Open Source child (with strong corporate support) – equivalent io.js fork should had happened to Java and .NET – crazy innovation speed and technologies like JsDOM – NodeJS Security Project • ssl is easy • enterprise ready – used by massive sites with great success – amazing live monitoring and instrumentation tools (and SAAS solution) – container friendly (i.e. docker) • promotes Microservices • great test culture (TDD) • growing security maturity – null checks on file paths What is good 2/3
  • 12.
    • WallabyJS – realtime unit test execution – real time code coverage What is good 3/3
  • 13.
    Just to beclear….
 nodeJS + CoffeeScript + wallaby
 is my most productive
 and enjoyable dev environment
 where I easily write 
 secure code with 100% code coverage
  • 14.
    • Same oldOWASP Top 10 • Have to work hard to write secure apps – not out of the box – CSRF protection for example • REST Injection – can be as bad as SQL Injection • Model Binding is alive What is bad 1/5
  • 15.
    • It’s Javascript –not strongly typed • with crazy type conversions and equals • decimal conversion problems – ability to overwrite (via prototypes) other API’s methods – interpreted code (strings can become code) • Eval, file save or ‘dynamic requires’ can lead to RCE • Strings everywhere (we have to ‘ban strings’) • Pattern: Proxy to internal Systems (with no data validation checks for more data) What is bad 2/5
  • 16.
    • NPM – justas bad and crazy as Maven, NuGet, CocoaPods – very little security checks performed in new modules • few security eyeballs • dependency checks via https://nodesecurity.io/ via nsp – just look at what is inside some npm packages • See I Peeked Into My Node_Modules Directory And You Won’t Believe What Happened Next https://medium.com/friendship- dot-js/i-peeked-into-my-node-modules-directory-and-you-wont- believe-what-happened-next-b89f63d21558 What is bad 3/5
  • 17.
    • Unhanded errorswill crash server (can be a good thing) • Server side HTML and Javascript generation – source of tons of XSS • Secure configuration is hard • Weak code visualisation for – Attack surface – AST – Code Paths • Limited support for sandboxing code and CAS (Code Access Security) What is bad 4/5
  • 18.
    • Hard todo SAST (Static Analysis) • NoSQL databases vulnerable to Injection attacks • Express support for ..%2f in url segments • … I’m sure there are many more … What is bad 5/5
  • 19.
  • 20.
    • A1 Injection •A2 Broken Authentication and Session Management • A3 Cross-Site Scripting (XSS) • A4 Insecure Direct Object References • A5 Security Misconfiguration • A6 Sensitive Data Exposure • A7 Missing Function Level Access Control • A8 Cross-Site Request Forgery (CSRF) • A9 Using Components with Known Vulnerabilities • A10 Unvalidated Redirects and Forwards OWASP Top 10 (for 2013) is all there
  • 21.
    OWASP Juice ShopTool Project
  • 22.
  • 23.
  • 24.
    KNOW THE RISKOF YOUR APPLICATION
  • 25.
    • You needto have them mapped and accept the risk • Here are the risks currently accepted for the OWASP/Maturity-Models project (NodeJS app)
 
 
 – https://github.com/OWASP/Maturity-Models View security issues as features
  • 26.
    …using GitHub Labelsto create Risk Workflow
  • 30.
    CASE STUDY: WHENI CREATED A VULNERABILITY
  • 31.
    • Here isthe code I wrote (at the Data Layer)
 
 
 
 
 • This method is designed to be called by the controller (i.e. rest api endpoint): Feature request: Allow data editing on UI
  • 32.
    Feature request: Allowdata editing on UI
  • 33.
    Regression test thatpasses on issue
  • 38.
    Fix for Pathtransversal
  • 39.
  • 40.
    LET’S SEE HOWIT LOOKED IN THE CODE
  • 41.
  • 42.
    …when the vulnis created
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
    … more issueswhere found later
  • 49.