Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Threat modelling node.js applications

Threat modelling node.js applications

Threat modelling is the process of identifying potential threats in a prioritized way. When it comes to Node.js and JavaScript there are lots of specific security issues that can arise.

Presented at FullStack London, 2017

Gergely Nemeth

July 14, 2017
Tweet

More Decks by Gergely Nemeth

Other Decks in Programming

Transcript

  1. Threat modelling
    Node.js applications
    Gergely Nemeth | @nthgergo

    View full-size slide

  2. What’s civil engineering has
    to do with software security?

    View full-size slide

  3. The most influential work
    for software design patterns

    View full-size slide

  4. In 1988, Robert Barnard
    applied it for an IT attacker

    View full-size slide

  5. ● Threat modelling methodologies
    ○ Attack trees
    ○ STRIDE
    ○ DREAD
    ● Building more secure Node.js applications
    ○ HTTP Headers
    ○ Regex DDOS
    ○ XSS / CSRF attacks
    Agenda

    View full-size slide

  6. Attack trees

    View full-size slide

  7. Attack trees
    “A formal, methodical way of
    describing the security of systems,
    based on varying attacks.”
    Bruce Schneier

    View full-size slide

  8. Attack trees
    Get Access
    Modify
    Credentials
    Learn Password
    Bypass Access
    Control
    Get Access to
    Database
    Social
    Engineering
    Get Access to
    DMZ
    Listen on
    Transport Layer
    Guessing
    Insecure
    Dependencies

    View full-size slide

  9. Attack trees
    Get Access
    Modify
    Credentials
    Learn Password
    Bypass Access
    Control
    Get Access to
    Database
    Social
    Engineering
    Get Access to
    DMZ
    Listen on
    Transport Layer
    Guessing
    Insecure
    Dependencies
    Get Access
    Learn Password
    Guessing

    View full-size slide

  10. Classification scheme for characterizing known threats:
    ● Spoofing of user identity
    ● Tampering
    ● Repudiation
    ● Information disclosure (privacy breach or data leak)
    ● Denial of service
    ● Elevation of privilege
    STRIDE

    View full-size slide

  11. Users impersonating other users
    STRIDE: Spoofing of user identity

    View full-size slide

  12. An attacker sending modified
    information, which the application
    may use and store without checking.
    STRIDE: Tampering

    View full-size slide

  13. Applications should have web
    access logs, audit trails at each tier.
    STRIDE: Repudiation

    View full-size slide

  14. Apps / browsers / content delivery
    networks leaking private data
    STRIDE: Information disclosure

    View full-size slide

  15. Make the service unavailable
    for other users.
    STRIDE: Denial of service

    View full-size slide

  16. Users getting rights that they should
    not have (like admin rights)
    STRIDE: Elevation of privilege

    View full-size slide

  17. Classification scheme for
    quantifying, comparing and
    prioritizing the amount of risk
    presented by each evaluated threat.
    DREAD

    View full-size slide

  18. ( DAMAGE
    + REPRODUCIBILITY
    + EXPLOITABILITY
    + AFFECTED USERS
    + DISCOVERABILITY ) / 5
    Calculating Risk:

    View full-size slide

  19. The DREAD calculation
    always produces a number
    between 0 and 10;
    the higher the number, the
    more serious the risk.

    View full-size slide

  20. DAMAGE: If a threat exploit occurs,
    how much damage will be caused?
    0 = None
    5 = Individual user data
    is compromised or affected.
    10 = Complete system or data destruction

    View full-size slide

  21. REPRODUCIBILITY: How easy is it
    to reproduce the exploit?
    0 = Very hard or impossible,
    even for administrators.
    5 = One or two steps required,
    may need to be an authorized user.
    10 = Even a web browser is sufficient,
    without authentication.

    View full-size slide

  22. EXPLOITABILITY: What is needed to
    exploit this threat?
    0 = Advanced programming and networking
    knowledge, with custom or advanced tool.
    5 = Malware exists on the Internet, or an exploit
    is easily performed, using available attack tools.
    10 = Just a web browser

    View full-size slide

  23. AFFECTED USERS:
    How many users will be affected?
    0 = None
    5 = Some users, but not all
    10 = All users

    View full-size slide

  24. DISCOVERABILITY:
    How easy is it to discover this threat?
    10 - Just assume it is always discoverable

    View full-size slide

  25. DREAD Example: SQL injection
    Damage: 10 (DROP TableName)
    Reproducibility: 5 (logged in state is needed)
    Exploitability: 10 (using forms)
    Affected users: 10 (everyone)
    Score: (10 + 5 + 10 + 10 + 10) / 5 = 9

    View full-size slide

  26. DREAD Example: XSS attack
    Damage: 5 (Individual user data is affected)
    Reproducibility: 5
    Exploitability: 10 (using forms)
    Affected users: 10 (everyone)
    Score: (5 + 5 + 10 + 10 + 10) / 5 = 8

    View full-size slide

  27. Securing Node.js
    Applications

    View full-size slide

  28. Securing HTTP

    View full-size slide

  29. Strict-Transport-Security enforces secure
    (HTTP over SSL/TLS) connections to the server
    X-Frame-Options provides clickjacking protection
    X-XSS-Protection enables the Cross-site scripting (XSS)
    filter built into most recent web browsers
    Content-Security-Policy prevents a wide range of attacks,
    including Cross-site scripting and other cross-site injections
    Security HTTP headers

    View full-size slide

  30. Use the helmet npm package -
    It automatically adds security headers.
    If you are building an express application,
    start the project with adding helmet.
    Security HTTP headers

    View full-size slide

  31. Security HTTP headers

    View full-size slide

  32. Side-channel attacks

    View full-size slide

  33. An attack based on information
    gained from the physical
    implementation of a cryptosystem
    Side-channel attacks

    View full-size slide

  34. - Power-monitoring attack
    - Data remanence
    - Acoustic cryptanalysis
    - Timing attack
    Side-channel attacks

    View full-size slide

  35. TIMING ATTACKS

    View full-size slide

  36. WRONG!
    TIMING ATTACKS

    View full-size slide

  37. T R A C E T R A C E
    1st iteration
    TIMING ATTACKS

    View full-size slide

  38. T R A C E T R A C E
    2nd iteration
    TIMING ATTACKS

    View full-size slide

  39. T R A C E T R A C E
    5th iteration
    TIMING ATTACKS

    View full-size slide

  40. T R A C E T R I C K
    1th iteration
    TIMING ATTACKS

    View full-size slide

  41. T R A C E T R I C K
    2nd iteration
    TIMING ATTACKS

    View full-size slide

  42. T R A C E T R I C K
    3rd iteration
    mismatch - no more iterations
    TIMING ATTACKS

    View full-size slide

  43. The more letters match from the
    password, the more time the
    comparison takes.

    View full-size slide

  44. Always use fixed-time
    comparison to avoid timing
    attacks.

    View full-size slide

  45. TIMING ATTACKS

    View full-size slide

  46. Denial of Service attacks

    View full-size slide

  47. DoS attackers seek to make a
    machine or network unavailable
    to its intended users.
    Denial of Service attacks

    View full-size slide

  48. Regex Denial of Service
    1
    ^(a+)+$
    2
    3
    4 5
    a a a
    a
    a
    a a a
    Nondeterministic finite automaton

    View full-size slide

  49. ^(a+)+$
    for the input “aaaaX”
    16 possible paths
    Regex Denial of Service

    View full-size slide

  50. ^(a+)+$
    for the input “aaaaaaaaaaaaaaaaX”
    65536 possible paths
    Regex Denial of Service

    View full-size slide

  51. Regular Expression
    implementations may reach
    extreme situations that cause
    them to work very slowly.
    Regex Denial of Service

    View full-size slide

  52. - Grouping with repetition (a+)+
    - Inside the repeated group:
    - Repetition (a+)+
    - Alternation with overlapping (a|aa)+
    Evil Regexes

    View full-size slide

  53. WE HAVE A
    SINGLE THREAD

    View full-size slide

  54. Regex Denial of Service

    View full-size slide

  55. Insecure dependencies

    View full-size slide

  56. YOU ARE WHAT
    YOU REQUIRE

    View full-size slide

  57. Insecure Dependencies

    View full-size slide

  58. 95% of all security incidents
    involve human error.

    View full-size slide

  59. We are the weakest link.

    View full-size slide

  60. Security is part of your job!

    View full-size slide

  61. - Node.js Security Checklist -
    https://blog.risingstack.com/node-js-security-checklist
    - Advisories of NSP - on nodesecurity.io
    - OWASP TOP 10 - on owasp.org
    WHAT’S NEXT?

    View full-size slide