Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Top Overlooked Security Threats to Node.js Web Applications

E8604f367ad1a419de765743d22c4601?s=47 Chetan Karande
November 20, 2014
Programming
91
38k

Top Overlooked Security Threats to Node.js Web Applications

JavaScript Summit 2014 (http://environmentsforhumans.com/2014/javascript-summit/)
Fluent Conference 2014 (http://fluentconf.com/fluent2014/public/schedule/detail/32664)

E8604f367ad1a419de765743d22c4601?s=128

Chetan Karande

November 20, 2014
Tweet

More Decks by Chetan Karande

See All by Chetan Karande
Patterns in Node Package Vulnerabilities
E8604f367ad1a419de765743d22c4601?s=48 ckarande
0
370

Other Decks in Programming

See All in Programming
Pluggable Storage in PostgreSQL
62f5ee39e37ba4f8a22acc714781c879?s=48 sira
1
190
Carp言語さわってみた 〜鯉を取り戻せ編〜
Ced5def68f1a6bcd0736018bc64b116d?s=48 tsin45
0
100
테라폼으로 ECR 관리하기 (How to Manage ECR with Terraform)
330c5e37fb238d6b319ae6e18770f44b?s=48 posquit0
0
530
Babylon.jsで作ったsceneをレイトレーシングで映えさせる
C54e383f9597a63832fcc1c2547c7540?s=48 turamy
1
210
AWS Config Custom Rule、ノーコードでできるかな?
822eaa655305fe3cffb0b034913f0cd2?s=48 watany
0
250
FutureCon 2022 FlutterアプリのPerformance測定
4affdb6a9878e509da7ca41a87051352?s=48 harukafujita
0
140
Now in Android Overview
62384887995a0ce07ec4f86b89f5ec9e?s=48 aosa4054
0
400
閱讀原始碼 - 再戰十年的 jQuery
Dbfa12cd7e1ff8b06a588609369d6e49?s=48 eddie
1
300
Windows コンテナ Dojo 第5回 OpenShift で学ぶ Kubernetes 入門
E5eb221d34d4ffbe973f8542b4c3a00e?s=48 oniak3ibm
PRO
0
190
ストア評価「2.4」だったCOCOARアプリを1年で「4.4」になんとかした方法@Cloud CIRCUS Meetup #2
3518f5ec9ebb241abc3569eb5cfc7d2a?s=48 1901drama
0
180
Dagger, la CI, autrement
27021de2df79d619a3ebf52ab6392e82?s=48 guikingone
1
110
Amazon Lookout for Visionで 筆跡鑑定してみた
B3cc0e7ba8e6c941f08a2e6f69d3e4c2?s=48 cmnakamurashogo
0
170

Featured

See All Featured
Adopting Sorbet at Scale
2bb923c57a1fdc3a2eb484bb8d565fd2?s=48 ufuk
63
7.6k
Creatively Recalculating Your Daily Design Routine
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
207
10k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
173
8.6k
How to Ace a Technical Interview
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
266
21k
GitHub's CSS Performance
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1020
420k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
29
4.4k
Imperfection Machines: The Place of Print at Facebook
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
12k
XXLCSS - How to scale CSS and keep your sanity
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
236
1.1M
The Power of CSS Pseudo Elements
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
47
4k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
62
10k
In The Pink: A Labor of Love
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
131
21k
Automating Front-end Workflow
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1351
200k

Transcript

  1. JavaScript Summit 2014 November 20, 2014 Battling Top Overlooked Security

    Threats to Node.js Web Applications Chetan Karande, Omgeo, OWASP Twitter: karande_c GitHub: ckarande

  2. Overview 1.  Fortify Our Defenses Addressing Overlooked Environment Configuration Issues

    2.  Engage in Warfare Mitigating Overlooked Security Attacks PAGE 2 of 70

  3. PAGE 3 of 70 Know thy self, know thy enemy.

    A thousand battles, a thousand victories. - Sun Tzu, The Art of War

  4. Quiz Identify the weakest area in a web application, where

    an attacker is most likely to find vulnerabilities? A.  Data Encryption B.  Environment Configuration C.  Input Validation D.  Error Handling PAGE 4 of 70

  5. PAGE 5 of 70 Source: HP 2013 cyber risk report

    Year 2013 Vulnerabilities Sampling by Category

  6. PAGE 6 of 70 1.  Fortify Our Defenses Addressing Overlooked

    Environment Configuration Issues

  7. PAGE 7 of 70 FORTIFY OUR DEFENSES Addressing Overlooked Environment

    Configuration Issues Preventing Internal Implementation Disclosure

  8.   The X-Powered-By header can be extremely useful to an

    attacker for building site’s risk profile. PAGE 8 of 70 PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE HTTP Response Headers

  9.   X-Powered-By header has no functional value. It can be

    removed safely. var express = require("express"); var app = express(); … app.disable("x-powered-by"); PAGE 9 of 70 PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE server.js

  10.   Other ways to remove X-Powered-By – … app.use(helmet.hidePoweredBy()); PAGE

    10 of 70 PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE server.js

  11.   Other ways to remove X-Powered-By – … app.use(helmet.hidePoweredBy({ setTo:

    "PHP 4.2.0" })); PAGE 11 of 70 PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE server.js

  12.   Another source of implementation disclosure - default session cookie

    name PAGE 12 of 70 PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE HTTP Response Headers

  13.   Use generic cookie names var session = require("express-session"); app.use(session({

    secret: "s3Cur3", key: "sessionId", … })); PAGE 13 of 70 PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE server.js

  14. PAGE 14 of 70 Configuring Protection against CSRF FORTIFY OUR

    DEFENSES Addressing Overlooked Environment Configuration Issues

  15. var csrf= require("csurf"); app.use(csrf()); PAGE 15 of 70 CONFIGURING CSRF

    PROTECTION   Enable CSRF Protection server.js

  16. var csrf= require("csurf"); app.use(csrf()); … app.use(function(req, res, next) { res.locals.csrftoken

    = req.csrfToken(); next(); }); PAGE 16 of 70   Enable CSRF Protection server.js CONFIGURING CSRF PROTECTION

  17. var csrf= require("csurf"); app.use(csrf()); … app.use(function(req, res, next) { res.locals.csrftoken

    = req.csrfToken(); next(); }); PAGE 17 of 70   Enable CSRF Protection server.js … <input type="hidden" name="_csrf" value="{{csrftoken}}"> Form Template CONFIGURING CSRF PROTECTION

  18.   Express CSRF middleware ignores verifying tokens on HTTP GET,

    OPTIONS, and HEAD requests (which is a correct behavior)   Ensure GET APIs are coded not to mutate states. PAGE 18 of 70 CONFIGURING CSRF PROTECTION

  19. var methodOverride = require("method-override"); var csrf= require("csurf"); app.use(methodOverride("X-HTTP-Method-Override")); app.use(csrf()); PAGE

    19 of 70   Use method-override module before CSRF server.js CONFIGURING CSRF PROTECTION

  20. PAGE 20 of 70 Using Secure Version of Software Dependencies

    FORTIFY OUR DEFENSES Addressing Overlooked Environment Configuration Issues

  21.   Use the latest stable version of Node.js and frameworks.

    Node.js security vulnerabilities Express security updates PAGE 21 of 70 USING SECURE DEPENDENCIES

  22.   Stay up to date on npm module versions and

    known vulnerbailities   Useful tools: npm outdated Node Security Project Retire.js PAGE 22 of 70 USING SECURE DEPENDENCIES

  23. PAGE 23 of 70 2. Engaging in Warfare Mitigating Overlooked

    Security Attacks

  24. Cross Site Scripting (XSS) Attack PAGE 24 of 70 ENGAGE

    IN WARFARE Mitigating Overlooked Security Attacks

  25. An attacker can exploit XSS vulnerability to -   Steal

    session cookies, and then impersonate the user.   Redirect user to malicious sites. PAGE 25 of 70 XSS

  26.   Myth: Template libraries handle output encoding by default, making

    application safe against XSS attacks XSS PAGE 26 of 70 XSS

  27.   Myth: Template libraries handle output encoding by default, making

    application safe against XSS attacks XSS PAGE 27 of 70   Encode untrusted data for correct context depending on where it will be placed XSS

  28. <div> </div>   Encode for HTML Body Untrusted Data &

    à &amp; < à &lt; > à &gt; " à &quot; ' à &#x27; / à &#x2F; PAGE 28 of 70 XSS

  29. <input type="text" name="firstname" value=" ">   Encode for HTML Attributes

    Untrusted Data Non-alphanumeric characters à &#xHH; format Enclose attribute value in quotes PAGE 29 of 70 XSS

  30. <div style="width= ;">contents</div>   Encode for CSS Untrusted Data Untrusted

    data à CSS Hex Encoding (\HH or \HHHHHH) XSS PAGE 30 of 70 XSS

  31. <script> var firstName=" "; </script>   Encode for JavaScript Untrusted

    Data Non-alphanumeric characters à \uXXXX; unicode format PAGE 31 of 70 XSS

  32.   Encode for URL Untrusted data à encodeURI() <a href="

    ">Show Details</a> Untrusted Data PAGE 32 of 70 XSS

  33. PAGE 33 of 70   Encode for URL Parameter Untrusted

    data à encodeURIComponent() <a href="/account?id= ">Show Details</a> Untrusted Data XSS

  34. PAGE 34 of 70 <a href="/reviews# ">Movie Reviews</a> Untrusted Data

    <script> document.write("<h1>"+ document.location.hash +"</h1>"); </script>   DOM Based XSS: Encode on both server and client XSS

  35. PAGE 35 of 70   Use proven utilities for encoding

    (e.g. OWASP ESAPI) XSS

  36.   Add HTTPOnly, Secure attributes on Session Cookie var session

    = require("express-session"); app.use(session({ secret: "s3Cur3", key: "sessionId", cookie: { httpOnly: true, secure: true } })); server.js PAGE 36 of 70 XSS

  37.   Add Content Security Policy header var policy = {

    defaultPolicy: { "default-src": ["'self'"], "img-src": ["static.example.com"] } } helmet.csp.policy(policy); server.js PAGE 37 of 70 XSS

  38. Regular Expression Denial of Service (ReDoS) Attack PAGE 38 of

    70 ENGAGE IN WARFARE Mitigating Overlooked Security Attacks

  39.   Evil regex can take exponential execution time when applied

    to certain non-matching inputs. PAGE 39 of 70 REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  40.   Evil regex can take exponential execution time when applied

    to certain non-matching inputs.   By default, regex gets executed in event loop thread, so could be exploited for DoS attack. PAGE 40 of 70 REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  41.   Evil regex pattern requirements: ( )+ 1.  Grouping with

    repetition, and 2.  Inside repeated group, repeatation or alternation with operlapping PAGE 41 of 70 REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  42.   Evil regex pattern requirements: ( a+ )+ 1.  Grouping

    with repetition, and 2.  Inside repeated group, repeatation or alternation with operlapping PAGE 42 of 70 REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  43.   Evil regex pattern requirements: ( a|aa )+ 1.  Grouping

    with repetition, and 2.  Inside repeated group, repeatation or alternation with overlapping PAGE 43 of 70 REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  44. PAGE 44 of 70   Example: Commonly used URL validator

    regex /^(?!mailto:)(?:(?:https?|ftp):\/\/)?(?:\S+(?::\S*)?@)?(?:(?:(?:[1-9]\d?|1\d \d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?: [0-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1- \uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1- \uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))| localhost)(?::\d{2,5})?(?:\/[^\s]*)?$/i Input pattern: aaaaaaaaaaaaaaaa! REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  45. PAGE 45 of 70   Example: Commonly used URL validator

    regex # of Input Characters Execution Time 30 6 sec 35 3min 36 6 min 37 13 min 38 25 min 39 1hr 28 min 40 3 hr 46 min REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  46.   Review regex in our own or external code for

    evil pattern Tools: RXRR, SDL Regex Fuzzer PAGE 46 of 70 REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  47.   Review regex in our own or external code for

    evil pattern Tools: RXRR, SDL Regex Fuzzer   Do not use user supplied inputs as regex PAGE 47 of 70 REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

  48. HTTP Parameter Pollution (HPP) PAGE 48 of 70 ENGAGE IN

    WARFARE Mitigating Overlooked Security Attacks

  49. // GET /search?firstname=John&firstname=John req.query.firstname //=> PAGE 49 of 70 HTTP

    PARAMETER POLLUTION Quiz

  50. PAGE 50 of 70 HTTP PARAMETER POLLUTION // GET /search?firstname=John&firstname=John

    req.query.firstname //=> [“John”, “John”]

  51. PAGE 51 of 70 HTTP PARAMETER POLLUTION // POST firstname=John&firstname=John

  52. PAGE 52 of 70 HTTP PARAMETER POLLUTION // POST firstname=John&firstname=John

    req.body.firstname //=> [“John”, “John”]

  53. PAGE 53 of 70 HTTP PARAMETER POLLUTION Express populates HTTP

    request parameters with same name in an array

  54. PAGE 54 of 70 HTTP PARAMETER POLLUTION Express populates HTTP

    request parameters with same name in an array Attacker can intentionally pollute request parameters to exploit this mechanism

  55. An attacker can exploit HPP to:   Trigger Type Errors

    in application PAGE 55 of 70 HTTP PARAMETER POLLUTION Server Console

  56.   Any uncaught errors in async code could crash the

    HTTP server causing DoS. PAGE 56 of 70 HTTP PARAMETER POLLUTION

  57. An attacker can exploit HPP to:   Modify application behavior

    PAGE 57 of 70 HTTP PARAMETER POLLUTION DB Shell

  58. PAGE 58 of 70 An attacker can exploit HPP to:

      Bypass input validations applied on strings in our own code, WAF, browser filters. HTTP PARAMETER POLLUTION

  59. PAGE 59 of 70 An attacker can exploit HPP to:

      Bypass input validations applied on strings in our own code, WAF, browser filters. HTTP PARAMETER POLLUTION

  60.   Check expected type as part of the input validation

    PAGE 60 of 70 HTTP PARAMETER POLLUTION

  61.   Check expected type as part of the input validation

      Implement robust error handling mechanism using try/catch, domain, and cluster. PAGE 61 of 70 HTTP PARAMETER POLLUTION

  62. OWASP Top 10 PAGE 62 of 70 ENGAGE IN WARFARE

    Mitigating Overlooked Security Attacks

  63. PAGE 63 of 70   Educate developers about OWASP Top

    10 Risks OWASP NODEGOAT

  64. PAGE 64 of 70   Educate developers about OWASP Top

    10 risks OWASP Node Goat Project OWASP NODEGOAT

  65. PAGE 65 of 70 Quick Recap

  66.   Remove X-Powered-By response header and use generic session cookie

    names   Keep watch on security vulnerabilities in dependencies PAGE 66 of 70 QUICK RECAP

  67.   Ensure HTTP GET requests are idempotent   Include method-override

    module before any module that depends on method of the request PAGE 67 of 70 QUICK RECAP

  68.   Encode for all contexts on both server and client

    to protect against XSS attack.   Use HTTPOnly and Secure attributes on session cookie, include CSP headers. PAGE 68 of 70 QUICK RECAP

  69.   Review regex for evil pattern to mitigate ReDoS attack.

      Verify input types as part of the validation PAGE 69 of 70 QUICK RECAP

  70. May Victory Be Yours. Twitter:@ karande_c

  71. Links HP 2013 cyber risk report (http://www8.hp.com/h20195/v2/GetPDF.aspx/4AA5-0858ENW.pdf) Node.js security vulnerabilities

    (http://blog.nodejs.org/vulnerability/) Express security updates (http://expressjs.com/advanced/security-updates.html) npm outdated (https://www.npmjs.org/doc/cli/npm-outdated.html) Node Security Project (https://nodesecurity.io/advisories) Retire.js(http://open.bekk.no/retire-js-what-you-require-you-must-also-retire) RXRR (http://www.cs.bham.ac.uk/~hxt/research/rxxr-download.shtml) SDL Regex Fuzzer (http://www.microsoft.com/en-us/download/details.aspx?id=20095) OWASP ESAPI (https://www.owasp.org/index.php/Category:OWASP _Enterprise_Security_API) OWASP Node Goat Project (https://www.owasp.org/index.php/Projects/OWASP _Node_js_Goat_Project)

  72. Image Credits http://www.shutterstock.com/pic.mhtml?id=93406768 http://www.shutterstock.com/pic.mhtml?id=67916401 http://www.shutterstock.com/pic.mhtml?id=97398575 http://www.bigstockphoto.com/image-36498607 http://openclipart.org/detail/169260/medieval-cannon-by-helm42