Threat modelling node.js applications


Threat modelling is the process of identifying potential threats and prioritizing them. Node.js and JavaScript applications have a number of platform-specific security issues of their own, and this talk covers the common ones.

Presented at FullStack London, 2017


Gergely Nemeth

July 14, 2017

Transcript

  1. Threat modelling Node.js applications Gergely Nemeth | @nthgergo

  2. What does civil engineering have to do with software security?

  3. 1977

  6. The most influential work for software design patterns

  7. 1994

  8. In 1988, Robert Barnard applied it to an IT attacker

  9. Agenda
     • Threat modelling methodologies: attack trees, STRIDE, DREAD
     • Building more secure Node.js applications: HTTP headers, regex DoS, XSS / CSRF attacks
  10. Attack trees

  11. Attack trees: "A formal, methodical way of describing the security of systems, based on varying attacks." (Bruce Schneier)
  12. Attack trees (diagram): an example tree with the root goal "Get Access" and the sub-goals Modify Credentials, Learn Password, Bypass Access Control, Get Access to Database, Get Access to DMZ, Social Engineering, Listen on Transport Layer, Guessing and Insecure Dependencies.

  13. Attack trees (diagram): the same tree with one path highlighted: Get Access → Learn Password → Guessing.
  14. STRIDE

  15. STRIDE: a classification scheme for characterizing known threats:
     • Spoofing of user identity
     • Tampering
     • Repudiation
     • Information disclosure (privacy breach or data leak)
     • Denial of service
     • Elevation of privilege

  16. STRIDE: Spoofing of user identity. Users impersonating other users.

  17. STRIDE: Tampering. An attacker sends modified information, which the application may use and store without checking.

  18. STRIDE: Repudiation. Users denying that they performed an action. Applications should have web access logs and audit trails at each tier so that actions can be proven.

  19. STRIDE: Information disclosure. Apps, browsers or content delivery networks leaking private data.

  20. STRIDE: Denial of service. Making the service unavailable for other users.

  21. STRIDE: Elevation of privilege. Users getting rights that they should not have (like admin rights).
  22. DREAD

  23. DREAD: a classification scheme for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat.

  24. Calculating risk: (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

  25. The DREAD calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.

  26. DAMAGE: if the threat is exploited, how much damage will be caused? 0 = none; 5 = individual user data is compromised or affected; 10 = complete system or data destruction.

  27. REPRODUCIBILITY: how easy is it to reproduce the exploit? 0 = very hard or impossible, even for administrators; 5 = one or two steps required, may need to be an authorized user; 10 = even a web browser is sufficient, without authentication.

  28. EXPLOITABILITY: what is needed to exploit this threat? 0 = advanced programming and networking knowledge, with custom or advanced tools; 5 = malware exists on the Internet, or an exploit is easily performed using available attack tools; 10 = just a web browser.

  29. AFFECTED USERS: how many users will be affected? 0 = none; 5 = some users, but not all; 10 = all users.

  30. DISCOVERABILITY: how easy is it to discover this threat? 10 = just assume it is always discoverable.

  31. DREAD example, SQL injection: Damage 10 (DROP TableName); Reproducibility 5 (logged-in state is needed); Exploitability 10 (using forms); Affected users 10 (everyone); Discoverability 10. Score: (10 + 5 + 10 + 10 + 10) / 5 = 9.

  32. DREAD example, XSS attack: Damage 5 (individual user data is affected); Reproducibility 5; Exploitability 10 (using forms); Affected users 10 (everyone); Discoverability 10. Score: (5 + 5 + 10 + 10 + 10) / 5 = 8.
  33. Securing Node.js Applications

  34. Securing HTTP

  35. Security HTTP headers:
     • Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server
     • X-Frame-Options provides clickjacking protection
     • X-XSS-Protection enables the cross-site scripting (XSS) filter built into most recent web browsers
     • Content-Security-Policy prevents a wide range of attacks, including cross-site scripting and other cross-site injections

  36. Security HTTP headers: use the helmet npm package; it automatically adds security headers. If you are building an Express application, start the project by adding helmet.
  37. Security HTTP headers

  38. Side-channel attacks

  39. Side-channel attacks: an attack based on information gained from the physical implementation of a cryptosystem.

  40. Side-channel attacks:
     - Power-monitoring attack
     - Data remanence
     - Acoustic cryptanalysis
     - Timing attack
  41. TIMING ATTACKS

  42. TIMING ATTACKS: WRONG!

  43. TIMING ATTACKS: comparing T R A C E with T R A C E, 1st iteration

  44. TIMING ATTACKS: comparing T R A C E with T R A C E, 2nd iteration

  45. TIMING ATTACKS: comparing T R A C E with T R A C E, 5th iteration

  46. TIMING ATTACKS: comparing T R A C E with T R I C K, 1st iteration

  47. TIMING ATTACKS: comparing T R A C E with T R I C K, 2nd iteration

  48. TIMING ATTACKS: comparing T R A C E with T R I C K, 3rd iteration: mismatch, no more iterations

  49. The more letters match from the password, the more time the comparison takes.
  50. Always use fixed-time comparison to avoid timing attacks.

  51. TIMING ATTACKS

  52. Denial of Service attacks

  53. Denial of Service attacks: DoS attackers seek to make a machine or network unavailable to its intended users.

  54. Regex Denial of Service (diagram): ^(a+)+$ drawn as a nondeterministic finite automaton, states 1 to 5 consuming the input a a a a a a a a.

  55. Regex Denial of Service: ^(a+)+$ for the input "aaaaX": 16 possible paths.

  56. Regex Denial of Service: ^(a+)+$ for the input "aaaaaaaaaaaaaaaaX": 65536 possible paths.

  57. Regex Denial of Service: regular expression implementations may reach extreme situations that cause them to work very slowly.

  58. Evil regexes:
     - Grouping with repetition: (a+)+
     - Inside the repeated group:
       - Repetition: (a+)+
       - Alternation with overlapping: (a|aa)+
  59. WE HAVE A SINGLE THREAD

  60. Regex Denial of Service

  61. Insecure dependencies

  62. YOU ARE WHAT YOU REQUIRE

  63. Insecure Dependencies

  64. Us

  65. 95% of all security incidents involve human error.

  66. We are the weakest link.

  67. Security is part of your job!

  68. WHAT'S NEXT?
     - Node.js Security Checklist: https://blog.risingstack.com/node-js-security-checklist
     - Advisories of NSP, on nodesecurity.io
     - OWASP TOP 10, on owasp.org