Threat modelling node.js applications

Transcript

1. Threat modelling Node.js applications Gergely Nemeth | @nthgergo

2. What’s civil engineering has to do with software security?

3. 1977

4. None
5. None

6. The most influential work for software design patterns

7. 1994

8. In 1988, Robert Barnard applied it for an IT attacker

9. • Threat modelling methodologies ◦ Attack trees ◦ STRIDE ◦

   DREAD • Building more secure Node.js applications ◦ HTTP Headers ◦ Regex DDOS ◦ XSS / CSRF attacks Agenda

10. Attack trees

11. Attack trees “A formal, methodical way of describing the security

    of systems, based on varying attacks.” Bruce Schneier

12. Attack trees Get Access Modify Credentials Learn Password Bypass Access

    Control Get Access to Database Social Engineering Get Access to DMZ Listen on Transport Layer Guessing Insecure Dependencies

13. Attack trees Get Access Modify Credentials Learn Password Bypass Access

    Control Get Access to Database Social Engineering Get Access to DMZ Listen on Transport Layer Guessing Insecure Dependencies Get Access Learn Password Guessing

14. STRIDE

15. Classification scheme for characterizing known threats: • Spoofing of user

    identity • Tampering • Repudiation • Information disclosure (privacy breach or data leak) • Denial of service • Elevation of privilege STRIDE

16. Users impersonating other users STRIDE: Spoofing of user identity

17. An attacker sending modified information, which the application may use

    and store without checking. STRIDE: Tampering

18. Applications should have web access logs, audit trails at each

    tier. STRIDE: Repudiation

19. Apps / browsers / content delivery networks leaking private data

    STRIDE: Information disclosure

20. Make the service unavailable for other users. STRIDE: Denial of

    service

21. Users getting rights that they should not have (like admin

    rights) STRIDE: Elevation of privilege

22. DREAD

23. Classification scheme for quantifying, comparing and prioritizing the amount of

    risk presented by each evaluated threat. DREAD

24. ( DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS +

    DISCOVERABILITY ) / 5 Calculating Risk:

25. The DREAD calculation always produces a number between 0 and

    10; the higher the number, the more serious the risk.

26. DAMAGE: If a threat exploit occurs, how much damage will

    be caused? 0 = None 5 = Individual user data is compromised or affected. 10 = Complete system or data destruction

27. REPRODUCIBILITY: How easy is it to reproduce the exploit? 0

    = Very hard or impossible, even for administrators. 5 = One or two steps required, may need to be an authorized user. 10 = Even a web browser is sufficient, without authentication.

28. EXPLOITABILITY: What is needed to exploit this threat? 0 =

    Advanced programming and networking knowledge, with custom or advanced tool. 5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools. 10 = Just a web browser

29. AFFECTED USERS: How many users will be affected? 0 =

    None 5 = Some users, but not all 10 = All users

30. DISCOVERABILITY: How easy is it to discover this threat? 10

    - Just assume it is always discoverable

31. DREAD Example: SQL injection Damage: 10 (DROP TableName) Reproducibility: 5

    (logged in state is needed) Exploitability: 10 (using forms) Affected users: 10 (everyone) Score: (10 + 5 + 10 + 10 + 10) / 5 = 9

32. DREAD Example: XSS attack Damage: 5 (Individual user data is

    affected) Reproducibility: 5 Exploitability: 10 (using forms) Affected users: 10 (everyone) Score: (5 + 5 + 10 + 10 + 10) / 5 = 8

33. Securing Node.js Applications

34. Securing HTTP

35. Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server

    X-Frame-Options provides clickjacking protection X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers Content-Security-Policy prevents a wide range of attacks, including Cross-site scripting and other cross-site injections Security HTTP headers

36. Use the helmet npm package - It automatically adds security

    headers. If you are building an express application, start the project with adding helmet. Security HTTP headers

37. Security HTTP headers

38. Side-channel attacks

39. An attack based on information gained from the physical implementation

    of a cryptosystem Side-channel attacks

40. - Power-monitoring attack - Data remanence - Acoustic cryptanalysis -

    Timing attack Side-channel attacks

41. TIMING ATTACKS

42. WRONG! TIMING ATTACKS

43. T R A C E T R A C E

    1st iteration TIMING ATTACKS

44. T R A C E T R A C E

    2nd iteration TIMING ATTACKS

45. T R A C E T R A C E

    5th iteration TIMING ATTACKS

46. T R A C E T R I C K

    1th iteration TIMING ATTACKS

47. T R A C E T R I C K

    2nd iteration TIMING ATTACKS

48. T R A C E T R I C K

    3rd iteration mismatch - no more iterations TIMING ATTACKS

49. The more letters match from the password, the more time

    the comparison takes.

50. Always use fixed-time comparison to avoid timing attacks.

51. TIMING ATTACKS

52. Denial of Service attacks

53. DoS attackers seek to make a machine or network unavailable

    to its intended users. Denial of Service attacks

54. Regex Denial of Service 1 ^(a+)+$ 2 3 4 5

    a a a a a a a a Nondeterministic finite automaton

55. ^(a+)+$ for the input “aaaaX” 16 possible paths Regex Denial

    of Service

56. ^(a+)+$ for the input “aaaaaaaaaaaaaaaaX” 65536 possible paths Regex Denial

    of Service

57. Regular Expression implementations may reach extreme situations that cause them

    to work very slowly. Regex Denial of Service

58. - Grouping with repetition (a+)+ - Inside the repeated group:

    - Repetition (a+)+ - Alternation with overlapping (a|aa)+ Evil Regexes

59. WE HAVE A SINGLE THREAD

60. Regex Denial of Service

61. Insecure dependencies

62. YOU ARE WHAT YOU REQUIRE

63. Insecure Dependencies

64. Us

65. 95% of all security incidents involve human error.

66. We are the weakest link.

67. Security is part of your job!

68. - Node.js Security Checklist - https://blog.risingstack.com/node-js-security-checklist - Advisories of NSP

    - on nodesecurity.io - OWASP TOP 10 - on owasp.org WHAT’S NEXT?
69. None