Top Overlooked Security Threats to Node.js Web Applications

Chetan Karande

November 20, 2014

Transcript

  1. JavaScript Summit 2014, November 20, 2014
    Battling Top Overlooked Security Threats to Node.js Web Applications
    Chetan Karande, Omgeo, OWASP
    Twitter: karande_c
    GitHub: ckarande

  2. Overview
    1.  Fortify Our Defenses
    Addressing Overlooked Environment Configuration Issues
    2.  Engage in Warfare
    Mitigating Overlooked Security Attacks
    PAGE 2 of 70

  3. Know thy self, know thy enemy.
    A thousand battles, a thousand victories.
    - Sun Tzu, The Art of War

  4. Quiz
    Which is the weakest area of a web application, where an attacker
    is most likely to find vulnerabilities?
    A.  Data Encryption
    B.  Environment Configuration
    C.  Input Validation
    D.  Error Handling

  5. Year 2013 Vulnerabilities Sampling by Category (chart)
    Source: HP 2013 cyber risk report

  6. 1. Fortify Our Defenses
    Addressing Overlooked Environment Configuration Issues

  7. FORTIFY OUR DEFENSES
    Addressing Overlooked Environment Configuration Issues
    Preventing Internal Implementation Disclosure

  8. The X-Powered-By header can be extremely useful to an attacker
    for building a site's risk profile.
    (Screenshot: HTTP Response Headers)

  9. X-Powered-By header has no functional value. It can be removed safely.
    server.js:
    var express = require("express");
    var app = express();

    app.disable("x-powered-by");

  10. Other ways to remove X-Powered-By:
    server.js:
    var helmet = require("helmet");
    app.use(helmet.hidePoweredBy());

  11. Other ways to remove X-Powered-By:
    server.js:
    var helmet = require("helmet");
    app.use(helmet.hidePoweredBy({
      setTo: "PHP 4.2.0"   // replace the header with a decoy value instead of removing it
    }));

  12. Another source of implementation disclosure: the default session cookie name
    (Screenshot: HTTP Response Headers)

  13. Use generic cookie names
    server.js:
    var session = require("express-session");
    app.use(session({
      secret: "s3Cur3",
      name: "sessionId"   // cookie name; the slide's "key" is the older alias for this option
    }));

  14. FORTIFY OUR DEFENSES
    Addressing Overlooked Environment Configuration Issues
    Configuring Protection against CSRF

  15. Enable CSRF Protection
    server.js:
    var csrf = require("csurf");
    app.use(csrf());

  16. Enable CSRF Protection
    server.js:
    var csrf = require("csurf");
    app.use(csrf());

    app.use(function(req, res, next) {
      res.locals.csrftoken = req.csrfToken();
      next();
    });

  17. Enable CSRF Protection
    server.js:
    var csrf = require("csurf");
    app.use(csrf());

    app.use(function(req, res, next) {
      res.locals.csrftoken = req.csrfToken();
      next();
    });

    (Screenshot: Form Template)

  18. Express CSRF middleware does not verify tokens on HTTP GET, OPTIONS,
    and HEAD requests (which is the correct behavior).
    - Ensure GET APIs are coded not to mutate state.

  19. Use method-override module before CSRF
    server.js:
    var methodOverride = require("method-override");
    var csrf = require("csurf");
    app.use(methodOverride("X-HTTP-Method-Override"));
    app.use(csrf());
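The ordering rule on slides 18 and 19, shown with a minimal stand-in for Express's middleware chain. This is an added example, not code from the talk or from csurf/method-override: `csrfCheck` mirrors csurf's rule of skipping GET, HEAD and OPTIONS, `methodOverride` mirrors reading X-HTTP-Method-Override (the real module may restrict which original methods it overrides), and `runChain` is this example's own.

```javascript
// Added example (not from the talk): why method-override must be mounted
// before the CSRF check. Names (runChain, csrfCheck, methodOverride,
// makeRequest) are this example's own; the request object is constructed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Like csurf: verify the token on state-changing methods only.
function csrfCheck(req, next) {
  if (!SAFE_METHODS.has(req.method) && req.body._csrf !== req.session.csrfSecret) {
    return { status: 403, reason: "invalid csrf token" };
  }
  return next();
}

// Like method-override: the client tunnels another verb through the header.
function methodOverride(req, next) {
  const override = req.headers["x-http-method-override"];
  if (override) req.method = override.toUpperCase();
  return next();
}

// Run middleware in order; the final handler reports which method it saw.
function runChain(req, middlewares) {
  let i = 0;
  const next = () =>
    i < middlewares.length ? middlewares[i++](req, next) : { status: 200, method: req.method };
  return next();
}

// Constructed request: arrives as GET, asks to be treated as POST, carries no token.
function makeRequest() {
  return {
    method: "GET",
    headers: { "x-http-method-override": "POST" },
    body: {},
    session: { csrfSecret: "s3cr3t" },
  };
}

// Wrong order: csurf sees a GET, skips verification, then the method becomes POST
// and the state-changing handler runs without a token.
function wrongOrder() { return runChain(makeRequest(), [csrfCheck, methodOverride]); }

// Right order: the override is applied first, so csurf sees a POST and rejects it.
function rightOrder() { return runChain(makeRequest(), [methodOverride, csrfCheck]); }
```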

  20. FORTIFY OUR DEFENSES
    Addressing Overlooked Environment Configuration Issues
    Using Secure Version of Software Dependencies

  21. Use the latest stable version of Node.js and frameworks.
    - Node.js security vulnerabilities (see Links)
    - Express security updates (see Links)

  22. Stay up to date on npm module versions and known vulnerabilities.
    Useful tools:
    - npm outdated
    - Node Security Project
    - Retire.js

  23. 2. Engaging in Warfare
    Mitigating Overlooked Security Attacks

  24. Cross Site Scripting (XSS) Attack
    ENGAGE IN WARFARE
    Mitigating Overlooked Security Attacks

  25. An attacker can exploit an XSS vulnerability to:
    - Steal session cookies, and then impersonate the user.
    - Redirect the user to malicious sites.

  26. Myth: Template libraries handle output encoding by default,
    making the application safe against XSS attacks.

  27. Myth: Template libraries handle output encoding by default,
    making the application safe against XSS attacks.
    - Encode untrusted data for the correct context, depending on where it will be placed.

  28. Encode for HTML Body
    Untrusted Data:
    &  →  &amp;
    <  →  &lt;
    >  →  &gt;
    "  →  &quot;
    '  →  &#x27;
    /  →  &#x2F;

  29. Encode for HTML Attributes
    Untrusted Data:
    Non-alphanumeric characters  →  &#xHH; format
    Enclose the attribute value in quotes

  30. Encode for CSS
    Untrusted Data:
    Untrusted data  →  CSS hex encoding (\HH or \HHHHHH)

  31. Encode for JavaScript
    Untrusted Data (placed inside a script, e.g. var firstName="[Untrusted Data]";):
    Non-alphanumeric characters  →  \uXXXX unicode format

  32. Encode for URL
    Untrusted data  →  encodeURI()
    (Screenshot: "Show Details" link, Untrusted Data)

  33. Encode for URL Parameter
    Untrusted data  →  encodeURIComponent()
    (Screenshot: "Show Details" link, Untrusted Data)
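The per-context rules from slides 28 to 33, written out as one encoder per context. This is an added example, not code from the talk; the function names are this example's own, and a production application should use a maintained library such as OWASP ESAPI (slide 35) rather than hand-rolled encoders.

```javascript
// Added example (not from the talk): context-specific output encoders following
// the per-context rules on slides 28-33. Each takes untrusted data and returns a
// string safe for exactly one placement; applying the wrong one (for instance
// HTML-body encoding inside a <script> block) is the mistake the slides warn about.

// HTML body: the six characters listed on slide 28, as entities.
const HTML_BODY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                        '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function encodeForHtmlBody(data) {
  return String(data).replace(/[&<>"'\/]/g, (c) => HTML_BODY_MAP[c]);
}

// HTML attribute: every non-alphanumeric character as &#xHH; (slide 29).
// The caller must still enclose the attribute value in quotes.
function encodeForHtmlAttribute(data) {
  return String(data).replace(/[^A-Za-z0-9]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";");
}

// CSS value: \HHHHHH hex escape (slide 30); six digits, so no delimiter is needed
// to stop the next character from being read as part of the escape.
function encodeForCss(data) {
  return String(data).replace(/[^A-Za-z0-9]/gu,
    (c) => "\\" + c.codePointAt(0).toString(16).toUpperCase().padStart(6, "0"));
}

// JavaScript string literal: \uXXXX per UTF-16 unit (slide 31), so the data can
// never terminate the string literal or the enclosing <script> element.
function encodeForJavaScript(data) {
  return String(data).replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// A whole URL (slide 32) versus a single URL parameter value (slide 33).
function encodeForUrl(data) { return encodeURI(String(data)); }
function encodeForUrlParameter(data) { return encodeURIComponent(String(data)); }
```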

  34. DOM Based XSS: Encode on both server and client
    (Screenshot: Movie Reviews page, Untrusted Data taken from the URL fragment)
    document.write("<h1>"+ document.location.hash +"</h1>");

  35. Use proven utilities for encoding (e.g. OWASP ESAPI)

  36. Add HTTPOnly, Secure attributes on Session Cookie
    server.js:
    var session = require("express-session");
    app.use(session({
      secret: "s3Cur3",
      name: "sessionId",   // cookie name; the slide's "key" is the older alias for this option
      cookie: {
        httpOnly: true,    // not readable from script, so XSS cannot read it
        secure: true       // only sent over HTTPS
      }
    }));

  37. Add Content Security Policy header
    server.js:
    var helmet = require("helmet");
    var policy = {
      defaultPolicy: {
        "default-src": ["'self'"],
        "img-src": ["static.example.com"]
      }
    };
    helmet.csp.policy(policy);   // helmet API as used in the talk (2014)
    app.use(helmet.csp());       // mount the middleware so the header is actually sent

  38. Regular Expression Denial of Service (ReDoS) Attack
    ENGAGE IN WARFARE
    Mitigating Overlooked Security Attacks

  39. Evil regex can take exponential execution time when applied
    to certain non-matching inputs.

  40. Evil regex can take exponential execution time when applied
    to certain non-matching inputs.
    - By default, a regex is executed on the event loop thread,
    so it can be exploited for a DoS attack.

  41. Evil regex pattern requirements:
    ( )+
    1.  Grouping with repetition, and
    2.  Inside the repeated group, repetition or alternation with overlapping

  42. Evil regex pattern requirements:
    ( a+ )+
    1.  Grouping with repetition, and
    2.  Inside the repeated group, repetition or alternation with overlapping

  43. Evil regex pattern requirements:
    ( a|aa )+
    1.  Grouping with repetition, and
    2.  Inside the repeated group, repetition or alternation with overlapping

  44. Example: Commonly used URL validator regex
    /^(?!mailto:)(?:(?:https?|ftp):\/\/)?(?:\S+(?::\S*)?@)?(?:(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[0-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))|localhost)(?::\d{2,5})?(?:\/[^\s]*)?$/i
    Input pattern: aaaaaaaaaaaaaaaa!

  45. Example: Commonly used URL validator regex
    # of Input Characters    Execution Time
    30                       6 sec
    35                       3 min
    36                       6 min
    37                       13 min
    38                       25 min
    39                       1 hr 28 min
    40                       3 hr 46 min

  46. Review regex in our own or external code for evil patterns
    Tools: RXRR, SDL Regex Fuzzer

  47. Review regex in our own or external code for evil patterns
    Tools: RXRR, SDL Regex Fuzzer
    - Do not use user-supplied inputs as regex
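A small review aid for the two "evil regex" requirements on slides 41 to 43, run against the URL validator from slide 44, together with the input-length cap that slide 47's advice implies. This is an added example, not code from the talk or from RXRR / SDL Regex Fuzzer; `findEvilGroups`, `reviewUrlValidator` and `safeTest` are this example's own names, and the scan is a heuristic that surfaces candidates for review rather than a proof of exponential behaviour.

```javascript
// Added example (not from the talk): heuristic scan for a repeated group whose
// body itself contains a repetition or an alternation (slides 41-43), plus a
// length cap as a runtime safeguard. Names are this example's own.

// Slide 44's URL validator, reproduced here so the scan has real input.
const URL_REGEX = /^(?!mailto:)(?:(?:https?|ftp):\/\/)?(?:\S+(?::\S*)?@)?(?:(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[0-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))|localhost)(?::\d{2,5})?(?:\/[^\s]*)?$/i;

const QUANT = /^(?:[+*]|\{\d+,\d*\})/;   // +, *, or a {n,} / {n,m} quantifier

function findEvilGroups(source) {
  const hits = [];
  const openAt = [];                        // positions of unmatched "("
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }      // skip an escaped character
    if (c === "[") {                        // skip a character class wholesale
      while (i < source.length && source[i] !== "]") { if (source[i] === "\\") i++; i++; }
      continue;
    }
    if (c === "(") { openAt.push(i); continue; }
    if (c !== ")" || openAt.length === 0) continue;
    const start = openAt.pop();
    const quant = source.slice(i + 1).match(QUANT);
    if (!quant) continue;                   // requirement 1 (repeated group) not met
    // Requirement 2: repetition or alternation inside the group body, with escapes
    // and character classes removed so a literal "+" or "|" does not count.
    const body = source.slice(start + 1, i).replace(/\\.|\[[^\]]*\]/g, "");
    if (/[+*|]|\{\d+,\d*\}/.test(body)) hits.push(source.slice(start, i + 1) + quant[0]);
  }
  return hits;
}

// The nested "(...+-?)*" host-name groups are what make slide 45's timings possible.
function reviewUrlValidator() { return findEvilGroups(URL_REGEX.source); }

// Runtime safeguard: bound the input before it reaches the regex, and never
// build a regex from user input at all (slide 47).
function safeTest(regex, input, maxLength) {
  if (typeof input !== "string" || input.length > maxLength) return false;
  return regex.test(input);
}
```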

  48. HTTP Parameter Pollution (HPP)
    ENGAGE IN WARFARE
    Mitigating Overlooked Security Attacks

  49. Quiz
    // GET /search?firstname=John&firstname=John
    req.query.firstname
    //=>

  50. // GET /search?firstname=John&firstname=John
    req.query.firstname
    //=> ["John", "John"]

  51. // POST firstname=John&firstname=John

  52. // POST firstname=John&firstname=John
    req.body.firstname
    //=> ["John", "John"]

  53. Express populates HTTP request parameters with the same name into an array

  54. Express populates HTTP request parameters with the same name into an array
    An attacker can intentionally pollute request parameters to exploit this mechanism

  55. An attacker can exploit HPP to:
    - Trigger type errors in the application
    (Screenshot: Server Console)

  56. Any uncaught error in async code could crash the HTTP server, causing DoS.

  57. An attacker can exploit HPP to:
    - Modify application behavior
    (Screenshot: DB Shell)

  58. An attacker can exploit HPP to:
    - Bypass input validations applied on strings in our own code, WAF, and browser filters.


  60. Check the expected type as part of input validation

  61. Check the expected type as part of input validation
    - Implement a robust error handling mechanism using try/catch, domain, and cluster.

  62. OWASP Top 10
    ENGAGE IN WARFARE
    Mitigating Overlooked Security Attacks

  63. Educate developers about OWASP Top 10 risks
    OWASP NODEGOAT

  64. Educate developers about OWASP Top 10 risks
    OWASP Node Goat Project (OWASP NODEGOAT)

  65. Quick Recap

  66. - Remove the X-Powered-By response header and use generic session cookie names
    - Keep watch on security vulnerabilities in dependencies

  67. - Ensure HTTP GET requests are idempotent
    - Include the method-override module before any module that depends on the method of the request

  68. - Encode for all contexts on both server and client to protect against XSS attacks.
    - Use HTTPOnly and Secure attributes on the session cookie, and include CSP headers.

  69. - Review regex for evil patterns to mitigate ReDoS attacks.
    - Verify input types as part of validation

  70. May Victory Be Yours.
    Twitter: @karande_c

  71. Links
    HP 2013 cyber risk report (http://www8.hp.com/h20195/v2/GetPDF.aspx/4AA5-0858ENW.pdf)
    Node.js security vulnerabilities (http://blog.nodejs.org/vulnerability/)
    Express security updates (http://expressjs.com/advanced/security-updates.html)
    npm outdated (https://www.npmjs.org/doc/cli/npm-outdated.html)
    Node Security Project (https://nodesecurity.io/advisories)
    Retire.js (http://open.bekk.no/retire-js-what-you-require-you-must-also-retire)
    RXRR (http://www.cs.bham.ac.uk/~hxt/research/rxxr-download.shtml)
    SDL Regex Fuzzer (http://www.microsoft.com/en-us/download/details.aspx?id=20095)
    OWASP ESAPI (https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API)
    OWASP Node Goat Project (https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project)

  72. Image Credits
    http://www.shutterstock.com/pic.mhtml?id=93406768
    http://www.shutterstock.com/pic.mhtml?id=67916401
    http://www.shutterstock.com/pic.mhtml?id=97398575
    http://www.bigstockphoto.com/image-36498607
    http://openclipart.org/detail/169260/medieval-cannon-by-helm42