
Hacking NodeJS applications for fun and profit

jmortegac
February 03, 2019


NodeJS is one of the fastest growing platforms nowadays, and from a security point of view it is necessary to know all the possibilities that the platform offers to developers. This talk explains some of the most common problems in NodeJS applications and how, using frequently used tools, it is possible to exploit such vulnerabilities. I will also show the main vulnerabilities we can find and how we can fix them in our applications.

These could be the talking points:

-Node.js security packages

I will comment on how to protect Express applications in terms of authentication, logging, middleware and security best practices before putting applications into production.

-How to prevent the OWASP Top 10 in a NodeJS application. In this point I will comment on the OWASP NodeGoat project, which provides an environment to learn the OWASP Top 10 security risks. I will comment on the main risks we can find in NodeJS applications from an attacker's perspective.

https://github.com/OWASP/NodeGoat

-Tools which will help to protect our Node applications, like NodeJSScan, which allows detecting vulnerabilities following some predefined rules.


Transcript

  1. Hacking NodeJS applications for fun and profit: Testing NodeJS Security, by @jmortegac
  2. Agenda ▪ Introduction to NodeJS security ▪ Npm security packages ▪ Node Goat project ▪ Tools
  3. Node JS ▪ JavaScript in the backend ▪ Built on Chrome's JavaScript runtime (V8) ▪ NodeJS is based on an event loop ▪ Designed to be asynchronous ▪ Single thread ▪ Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.
  4. Security updates https://expressjs.com/en/advanced/security-updates.html

  5. Package vulnerabilities https://www.npmjs.com/advisories

  6. None
  7. Npm security packages ▪ Helmet ▪ express-session ▪ cookie-session ▪ csurf ▪ express-validator ▪ bcrypt-node ▪ express-enforces-ssl
  8. Security HTTP Headers ▪ Strict-Transport-Security ▪ X-Frame-Options ▪ X-XSS-Protection ▪ X-Content-Type-Options ▪ Content-Security-Policy
  9. Helmet module ▪ https://www.npmjs.com/package/helmet

  10. Helmet module ▪ https://github.com/helmetjs/helmet

  11. Helmet module ▪ hidePoweredBy ▪ Hpkp → protection against MITM ▪ Hsts → forces HTTPS connections ▪ noCache → disables client cache ▪ Frameguard → protection against clickjacking ▪ xssFilter → protection against XSS
  12. Helmet CSP

  13. Check headers security ▪ http://cyh.herokuapp.com/cyh ▪ https://securityheaders.io/

  14. Express versions ▪ https://www.shodan.io/search?query=express

  15. Disable x-powered-by

  16. Disable x-powered-by ▪ Avoid framework fingerprinting

  17. Disable x-powered-by ▪ Use Helmet and use “hide-powered-by” plugin
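Added example, not part of the deck and not Helmet's code: the headers from slide 8 and the Helmet options from slide 11 (hsts, frameguard, xssFilter, noCache, hidePoweredBy) written as a dependency-free Express-style middleware, plus a small audit function in the spirit of the header checkers on slide 13. The directive values and the fake response object are assumptions made for this example.

```javascript
// Added example (not the deck's code, not Helmet's): set the slide-8
// headers and drop X-Powered-By without any npm dependency.
// Directive values are assumptions for a typical HTTPS-only site.
const SECURITY_HEADERS = {
  // Helmet "hsts": force HTTPS for one year, subdomains included
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  // Helmet "frameguard": refuse to be framed -> clickjacking protection
  'X-Frame-Options': 'DENY',
  // Helmet "xssFilter": legacy reflective-XSS filter in older browsers
  'X-XSS-Protection': '1; mode=block',
  // stop browsers from MIME-sniffing responses
  'X-Content-Type-Options': 'nosniff',
  // restrictive CSP: only same-origin resources are allowed
  'Content-Security-Policy': "default-src 'self'",
  // Helmet "noCache": disable client-side caching of responses
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  'Pragma': 'no-cache',
  'Expires': '0',
};

// Express-style middleware signature: (req, res, next)
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  // Helmet "hidePoweredBy": avoid framework fingerprinting (slide 16)
  res.removeHeader('X-Powered-By');
  next();
}
// With a real app (not executed here):
//   app.disable('x-powered-by'); app.use(securityHeaders);

// Constructed stand-in for an Express response so the middleware can
// run offline. Header names are stored lower-cased (case-insensitive).
function fakeResponse() {
  const headers = { 'x-powered-by': 'Express' }; // Express's default banner
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeaders() { return { ...headers }; },
  };
}

// Run the middleware against the fake response; returns the final header
// map and whether the chain continued.
function headersAfterMiddleware() {
  const res = fakeResponse();
  let nextCalled = false;
  securityHeaders({}, res, () => { nextCalled = true; });
  return { headers: res.getHeaders(), nextCalled };
}

// Audit helper in the spirit of securityheaders.io: list what a header
// map is missing, and flag a leftover X-Powered-By banner.
const REQUIRED_HEADERS = [
  'strict-transport-security', 'x-frame-options',
  'x-content-type-options', 'content-security-policy',
];
function missingSecurityHeaders(headers) {
  const present = Object.keys(headers).map((h) => h.toLowerCase());
  const missing = REQUIRED_HEADERS.filter((h) => !present.includes(h));
  if (present.includes('x-powered-by')) missing.push('x-powered-by should be removed');
  return missing;
}
```

The CSP value is deliberately the strictest useful starting point; a real application usually needs to add script, style and image sources, which is where Helmet's CSP configuration (slide 12) comes in.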

  18. Sessions management ▪ secure ▪ httpOnly ▪ domain ▪ path ▪ expires ▪ https://www.npmjs.com/package/cookie-session
  19. httpOnly & secure:true
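Added example, not from the deck or from cookie-session: a serializer that emits the Set-Cookie attributes listed on slide 18 with httpOnly and secure on by default, and an audit function that reports a session cookie missing either flag. Cookie and domain names are constructed for the example.

```javascript
// Added example (not the deck's or cookie-session's code).
// Build a Set-Cookie header with the attributes from slide 18.
function serializeSessionCookie(name, value, opts = {}) {
  if (!/^[\w-]+$/.test(name)) throw new TypeError('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  // Secure by default: both flags are set unless explicitly disabled.
  // HttpOnly keeps document.cookie from reading the session id (slide 20);
  // Secure keeps the browser from sending it over plain HTTP.
  if (opts.httpOnly !== false) parts.push('HttpOnly');
  if (opts.secure !== false) parts.push('Secure');
  return parts.join('; ');
}

// Check an existing Set-Cookie header value for the two flags that
// protect a session cookie; returns a list of findings (empty = fine).
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) {
    findings.push('missing HttpOnly: cookie readable from JavaScript (XSS session theft)');
  }
  if (!attrs.includes('secure')) {
    findings.push('missing Secure: cookie sent over plain HTTP');
  }
  return findings;
}
```

Any cookie that carries a session id should go through a path like this; the audit is the check to run against what a live server actually returns, since a misconfigured proxy or an `https` setting left off in production silently drops the Secure flag.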

  20. XSS attacks ▪ An attacker can exploit an XSS vulnerability to: ▪ Steal session cookies / session hijacking ▪ Redirect the user to malicious sites ▪ Defacing and content manipulation ▪ Cross-Site Request Forgery
  21. CSRF attacks

  22. https://www.npmjs.com/package/csurf

  23. CSRF

    <form action="/process" method="POST">
      <input type="hidden" name="_csrf" value="{{csrfToken}}">
      <button type="submit">Submit</button>
    </form>

    app.use(function (request, response, next) {
      // expose the token under the same name the template reads
      response.locals.csrfToken = request.csrfToken();
      next();
    });
  24. CSRF

  25. Filter/sanitize user input ▪ Fixing XSS attacks ▪ https://www.npmjs.com/package/sanitizer ▪ Module express-validator ▪ https://www.npmjs.com/package/express-validator
  26. Express Validator

  27. None
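Added example, not from the deck, sanitizer or express-validator: the two halves of the slide-25 advice in plain JavaScript. Output escaping turns a reflected parameter into inert text (shown next to the unescaped pattern it replaces), and a small rule-based validator in the style of express-validator rejects malformed fields before they reach application logic. Field names, rules and sample bodies are constructed for the example.

```javascript
// Added example (not the deck's, sanitizer's or express-validator's code).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text node
// or attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: reflects the parameter verbatim into the page.
function greetUnsafe(name) { return `<h1>Hello ${name}</h1>`; }
// Fixed: escape on output, so any markup in the input renders as text.
function greetSafe(name) { return `<h1>Hello ${escapeHtml(name)}</h1>`; }

// Minimal validator: each rule returns an error message or null.
const rules = {
  notEmpty: (v) => (v.trim().length ? null : 'must not be empty'),
  isLength: (min, max) => (v) =>
    (v.length >= min && v.length <= max ? null : `length must be ${min}-${max}`),
  isEmail: (v) => (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : 'must be an email address'),
  isAlphanumeric: (v) => (/^[a-z0-9]+$/i.test(v) ? null : 'must be alphanumeric'),
};

// Apply a schema { field: [rule, ...] } to a request body; returns a map of
// field -> first error, empty when the body is acceptable.
function validate(body, schema) {
  const errors = {};
  for (const [field, checks] of Object.entries(schema)) {
    const value = body[field] === undefined ? '' : String(body[field]);
    for (const check of checks) {
      const msg = check(value);
      if (msg) { errors[field] = msg; break; }
    }
  }
  return errors;
}
```

Validation and escaping are complementary: the validator rejects a username containing `<`, but a free-text field such as a comment still has to be escaped when it is rendered, which is why the output side is the one that actually closes the XSS.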
  28. Bcrypt-node ▪ https://github.com/kelektiv/node.bcrypt.js

  29. None
  30. None
  31. Node Goat ▪ http://nodegoat.herokuapp.com/tutorial

  32. Node Goat ▪ https://github.com/OWASP/NodeGoat

  33. EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString())
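Added example, not the deck's code and not NodeGoat's: the handler shape behind slide 33, where a request field is handed to `eval()`, next to a version that parses the field as data. The vulnerable function is shown only for contrast and is never called here; the field name, tax rate and response shape are assumptions.

```javascript
// Added example (not the deck's or NodeGoat's code): eval() on request
// data versus parsing the data. TAX_RATE is an assumed value chosen to be
// exactly representable in floating point.
const TAX_RATE = 0.25;

// Vulnerable pattern: eval() executes whatever string the client sent,
// with the full privileges of the Node process (fs, child_process, ...).
// Shown for contrast only; do not use.
function taxUnsafe(body) {
  return eval(body.income) * TAX_RATE;
}

// Fixed: the field is data, not code. Accept only plain decimal syntax,
// then convert; anything else is a 400, never an execution.
const DECIMAL = /^\d+(\.\d+)?$/;
function parseAmount(raw) {
  if (typeof raw !== 'string' && typeof raw !== 'number') {
    throw new TypeError('income must be a string or number');
  }
  const text = String(raw).trim();
  if (!DECIMAL.test(text)) throw new RangeError('income must be a non-negative decimal number');
  const amount = Number(text);
  if (!Number.isFinite(amount)) throw new RangeError('income out of range');
  return amount;
}

function taxSafe(body) {
  return parseAmount(body.income) * TAX_RATE;
}

// Handler wrapper: validation failures become a 400 with a plain message,
// so the caller learns nothing about the process internals.
function handleTax(body) {
  try {
    return { status: 200, body: { tax: taxSafe(body) } };
  } catch (err) {
    return { status: 400, body: { error: err.message } };
  }
}

// The same rule applies to structured input: JSON.parse, never eval.
function parseJsonBody(text) {
  try { return { ok: true, value: JSON.parse(text) }; }
  catch (err) { return { ok: false, error: 'malformed JSON' }; }
}
```

The grep-level check that goes with this is simple: any occurrence of `eval(`, `new Function(` or `vm.runInThisContext(` that can see request data is a finding, which is exactly the kind of rule NodeJsScan (slide 38) encodes.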

  34. Insecure Direct Object References ▪ Use session instead of request param ▪ var userId = req.session.userId;
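Added example, not the deck's code and not NodeGoat's: an allocations lookup keyed by a user id taken from the URL, the slide-34 fix that takes the id from the session instead, and a third variant for routes that legitimately accept an id and therefore have to authorize it against the session. The in-memory store, route shape and session fields (`userId`, `isAdmin`) are constructed for the example.

```javascript
// Added example (not the deck's or NodeGoat's code): IDOR and its fix.
// Constructed data store: one allocation record per user id.
const allocations = new Map([
  [1, { userId: 1, stocks: 60, bonds: 40 }],
  [2, { userId: 2, stocks: 10, bonds: 90 }],
]);

function lookup(userId) {
  const record = allocations.get(userId);
  return record ? { status: 200, body: record } : { status: 404 };
}

// Vulnerable: any logged-in user can read any record by editing the id
// in the URL; the session is never consulted.
function allocationsVulnerable(req) {
  return lookup(Number(req.params.userId));
}

// Fixed (slide 34): the identity comes from the authenticated session and
// the URL parameter is ignored entirely.
function allocationsFixed(req) {
  const userId = req.session && req.session.userId;
  if (!Number.isInteger(userId)) return { status: 401 };
  return lookup(userId);
}

// When a route must take an id (an admin view, for instance), keep the
// parameter but authorize it: owner or admin only, everything else 403.
function allocationsAuthorized(req) {
  const sessionUser = req.session && req.session.userId;
  if (!Number.isInteger(sessionUser)) return { status: 401 };
  const requested = Number(req.params.userId);
  if (!Number.isInteger(requested)) return { status: 400 };
  const isOwner = requested === sessionUser;
  const isAdmin = req.session.isAdmin === true;
  if (!isOwner && !isAdmin) return { status: 403 };
  return lookup(requested);
}

// Helper to build a request the way the handlers expect it (constructed).
function request(params, session) {
  return { params, session };
}
```

The difference between the second and third functions is worth keeping in mind during review: the fixed version removes the object reference from the client entirely, while the authorized version keeps it and so depends on the ownership check being present on every such route.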
  35. Tools ▪ KrakenJS ▪ Lusca middleware ▪ NodeJsScan

  36. http://krakenjs.com/

  37. https://github.com/krakenjs/lusca

  38. NodeJsScan ▪ https://github.com/ajinabraham/NodeJsScan

  39. NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

  40. NodeJsScan

  41. GitHub repositories ▪ https://github.com/jmortega/testing_nodejs_security ▪ https://github.com/cr0hn/vulnerable-node ▪ https://github.com/rdegges/svcc-auth ▪ https://github.com/strongloop/loopback-getting-started-intermediate ▪ https://github.com/Feeld/strong-node
  42. Node security learning ▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

  43. Books

  44. References ▪ https://blog.risingstack.com/node-js-security-checklist/ ▪ https://blog.risingstack.com/node-js-security-tips/ ▪ https://www.npmjs.com/package/helmet ▪ https://expressjs.com/en/advanced/best-practice-security.html ▪ https://expressjs.com/en/advanced/security-updates.html ▪ http://nodegoat.herokuapp.com/tutorial ▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project