Threat modelling node.js applications

Threat modelling
Node.js applications
Gergely Nemeth | @nthgergo

View Slide

What’s civil engineering has
to do with software security?

View Slide

1977

View Slide

View Slide

The most influential work
for software design patterns

View Slide

1994

View Slide

In 1988, Robert Barnard
applied it for an IT attacker

View Slide

● Threat modelling methodologies
○ Attack trees
○ STRIDE
○ DREAD
● Building more secure Node.js applications
○ HTTP Headers
○ Regex DDOS
○ XSS / CSRF attacks
Agenda

View Slide

Attack trees

View Slide

Attack trees
“A formal, methodical way of
describing the security of systems,
based on varying attacks.”
Bruce Schneier

View Slide

Attack trees
Get Access
Modify
Credentials
Learn Password
Bypass Access
Control
Get Access to
Database
Social
Engineering
Get Access to
DMZ
Listen on
Transport Layer
Guessing
Insecure
Dependencies

View Slide

Attack trees
Get Access
Modify
Credentials
Learn Password
Bypass Access
Control
Get Access to
Database
Social
Engineering
Get Access to
DMZ
Listen on
Transport Layer
Guessing
Insecure
Dependencies
Get Access
Learn Password
Guessing

View Slide

STRIDE

View Slide

Classification scheme for characterizing known threats:
● Spoofing of user identity
● Tampering
● Repudiation
● Information disclosure (privacy breach or data leak)
● Denial of service
● Elevation of privilege
STRIDE

View Slide

Users impersonating other users
STRIDE: Spoofing of user identity

View Slide

An attacker sending modified
information, which the application
may use and store without checking.
STRIDE: Tampering

View Slide

Applications should have web
access logs, audit trails at each tier.
STRIDE: Repudiation

View Slide

Apps / browsers / content delivery
networks leaking private data
STRIDE: Information disclosure

View Slide

Make the service unavailable
for other users.
STRIDE: Denial of service

View Slide

Users getting rights that they should
not have (like admin rights)
STRIDE: Elevation of privilege

View Slide

DREAD

View Slide

Classification scheme for
quantifying, comparing and
prioritizing the amount of risk
presented by each evaluated threat.
DREAD

View Slide

( DAMAGE
+ REPRODUCIBILITY
+ EXPLOITABILITY
+ AFFECTED USERS
+ DISCOVERABILITY ) / 5
Calculating Risk:

View Slide

The DREAD calculation
always produces a number
between 0 and 10;
the higher the number, the
more serious the risk.

View Slide

DAMAGE: If a threat exploit occurs,
how much damage will be caused?
0 = None
5 = Individual user data
is compromised or affected.
10 = Complete system or data destruction

View Slide

REPRODUCIBILITY: How easy is it
to reproduce the exploit?
0 = Very hard or impossible,
even for administrators.
5 = One or two steps required,
may need to be an authorized user.
10 = Even a web browser is sufficient,
without authentication.

View Slide

EXPLOITABILITY: What is needed to
exploit this threat?
0 = Advanced programming and networking
knowledge, with custom or advanced tool.
5 = Malware exists on the Internet, or an exploit
is easily performed, using available attack tools.
10 = Just a web browser

View Slide

AFFECTED USERS:
How many users will be affected?
0 = None
5 = Some users, but not all
10 = All users

View Slide

DISCOVERABILITY:
How easy is it to discover this threat?
10 - Just assume it is always discoverable

View Slide

DREAD Example: SQL injection
Damage: 10 (DROP TableName)
Reproducibility: 5 (logged in state is needed)
Exploitability: 10 (using forms)
Affected users: 10 (everyone)
Score: (10 + 5 + 10 + 10 + 10) / 5 = 9

View Slide

DREAD Example: XSS attack
Damage: 5 (Individual user data is affected)
Reproducibility: 5
Exploitability: 10 (using forms)
Affected users: 10 (everyone)
Score: (5 + 5 + 10 + 10 + 10) / 5 = 8

View Slide

Securing Node.js
Applications

View Slide

Securing HTTP

View Slide

Strict-Transport-Security enforces secure
(HTTP over SSL/TLS) connections to the server
X-Frame-Options provides clickjacking protection
X-XSS-Protection enables the Cross-site scripting (XSS)
filter built into most recent web browsers
Content-Security-Policy prevents a wide range of attacks,
including Cross-site scripting and other cross-site injections
Security HTTP headers

View Slide

Use the helmet npm package -
It automatically adds security headers.
If you are building an express application,
start the project with adding helmet.

View Slide


View Slide

Side-channel attacks

View Slide

An attack based on information
gained from the physical
implementation of a cryptosystem

View Slide

- Power-monitoring attack
- Data remanence
- Acoustic cryptanalysis
- Timing attack

View Slide

TIMING ATTACKS

View Slide

WRONG!
TIMING ATTACKS

View Slide

T R A C E T R A C E
1st iteration
TIMING ATTACKS

View Slide

T R A C E T R A C E
2nd iteration
TIMING ATTACKS

View Slide

T R A C E T R A C E
5th iteration
TIMING ATTACKS

View Slide

T R A C E T R I C K
1th iteration
TIMING ATTACKS

View Slide

T R A C E T R I C K
2nd iteration
TIMING ATTACKS

View Slide

T R A C E T R I C K
3rd iteration
mismatch - no more iterations
TIMING ATTACKS

View Slide

The more letters match from the
password, the more time the
comparison takes.

View Slide

Always use fixed-time
comparison to avoid timing
attacks.

View Slide

TIMING ATTACKS

View Slide

Denial of Service attacks

View Slide

DoS attackers seek to make a
machine or network unavailable
to its intended users.
Denial of Service attacks

View Slide

Regex Denial of Service
1
^(a+)+$
2
3
4 5
a a a
a
a
a a a
Nondeterministic finite automaton

View Slide

^(a+)+$
for the input “aaaaX”
16 possible paths

View Slide

^(a+)+$
for the input “aaaaaaaaaaaaaaaaX”
65536 possible paths

View Slide

Regular Expression
implementations may reach
extreme situations that cause
them to work very slowly.

View Slide

- Grouping with repetition (a+)+
- Inside the repeated group:
- Repetition (a+)+
- Alternation with overlapping (a|aa)+
Evil Regexes

View Slide

WE HAVE A
SINGLE THREAD

View Slide


View Slide

Insecure dependencies

View Slide

YOU ARE WHAT
YOU REQUIRE

View Slide

Insecure Dependencies

View Slide

Us

View Slide

95% of all security incidents
involve human error.

View Slide

We are the weakest link.

View Slide

Security is part of your job!

View Slide

- Node.js Security Checklist -
https://blog.risingstack.com/node-js-security-checklist
- Advisories of NSP - on nodesecurity.io
- OWASP TOP 10 - on owasp.org
WHAT’S NEXT?

View Slide

View Slide

Threat modelling node.js applications

Threat modelling node.js applications

Gergely Nemeth

More Decks by Gergely Nemeth

Other Decks in Programming

Featured

Transcript