
Hacking NodeJS applications for fun and profit

jmortegac
February 03, 2019


NodeJS is one of the fastest growing platforms nowadays, and from a security point of view it is necessary to know all the possibilities that the platform offers to developers. This is a talk that explains some of the most common problems in NodeJS applications and how, using frequently used tools, it is possible to exploit such vulnerabilities. I will also show the main vulnerabilities we can find and how we can fix them in our applications.

These could be the talking points:

-Node.js security packages

I will comment on how to protect Express applications in terms of authentication, logging, middleware and security best practices before putting applications in production

-How to prevent OWASP TOP 10 in a NodeJS application. In this point I will comment on the OWASP NodeGoat project, which provides an environment to learn the OWASP Top 10 security risks. I will comment on the main risks we can find in NodeJS applications from an attacker's perspective.

https://github.com/OWASP/NodeGoat

-Tools which help to protect our Node applications, like NodeJSScan, which detects vulnerabilities following a set of predefined rules


Transcript

  1. Hacking NodeJS applications for fun and profit Testing NodeJS Security

    by @jmortegac
  2. Agenda ▪ Introduction to Node.js security ▪ Npm security packages ▪ Node Goat project ▪ Tools
  3. Node JS ▪ JavaScript in the backend ▪ Built on Chrome's JavaScript runtime (V8) ▪ Node.js is based on an event loop ▪ Designed to be asynchronous ▪ Single thread ▪ Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.
  4. Security updates https://expressjs.com/en/advanced/security-updates.html

  5. Package vulnerabilities https://www.npmjs.com/advisories

  6. (image-only slide)
  7. Npm security packages ▪ Helmet ▪ express-session ▪ cookie-session ▪ csurf ▪ express-validator ▪ bcrypt-node ▪ express-enforces-ssl
  8. Security HTTP Headers ▪ Strict-Transport-Security ▪ X-Frame-Options ▪ X-XSS-Protection ▪ X-Content-Type-Options ▪ Content-Security-Policy
  9. Helmet module ▪ https://www.npmjs.com/package/helmet

  10. Helmet module ▪ https://github.com/helmetjs/helmet

  11. Helmet module ▪ hidePoweredBy ▪ Hpkp→protection against MITM ▪ Hsts→forces HTTPS connections ▪ noCache→disables client cache ▪ Frameguard→protection against clickjacking ▪ xssFilter→protection against XSS
  12. Helmet CSP

  13. Check headers security ▪ http://cyh.herokuapp.com/cyh ▪ https://securityheaders.io/

  14. Express versions ▪ https://www.shodan.io/search?query=express

  15. Disable x-powered-by

  16. Disable x-powered-by ▪ Avoid framework fingerprinting

  17. Disable x-powered-by ▪ Use Helmet and use “hide-powered-by” plugin
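The headers from slides 8 and 11 and the X-Powered-By removal from slides 15 to 17, as an added example that is not code from the deck or from the Helmet package: a hand-written Express-style middleware that produces the same effect as Helmet's defaults, so what the module does is visible without the dependency. The CSP directive set and the fake response object are constructed for this example.

```javascript
// Added example, not code from the deck or from the helmet package: a hand-written
// Express-style middleware that sets the headers listed on slides 8 and 11 and strips
// X-Powered-By (slides 15 to 17). The CSP directives are a constructed example, not
// a recommended policy for any particular application.

// Serialize a directive object into the Content-Security-Policy header format,
// e.g. { 'default-src': ["'self'"] } -> "default-src 'self'".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

const CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'frame-ancestors': ["'none'"], // modern counterpart of X-Frame-Options
};

// Works with Node's http.ServerResponse or an Express response (both have set/removeHeader).
function securityHeaders(req, res, next) {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); // hsts
  res.setHeader('X-Frame-Options', 'DENY');             // frameguard: clickjacking
  res.setHeader('X-Content-Type-Options', 'nosniff');   // stop MIME sniffing
  res.setHeader('X-XSS-Protection', '1; mode=block');   // xssFilter value of that era; newer Helmet sends 0
  res.setHeader('Content-Security-Policy', buildCsp(CSP));
  res.removeHeader('X-Powered-By');                     // hidePoweredBy: no framework fingerprint
  if (typeof next === 'function') next();
}

// Minimal stand-in for a response object so the middleware can be exercised offline.
function fakeResponse() {
  const headers = { 'x-powered-by': 'Express' }; // what Express sets by default
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
  };
}

// With a real app this is app.use(securityHeaders); here we run it against the fake response.
const demo = fakeResponse();
securityHeaders({}, demo, () => {});
console.log(demo.headers);
```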

  18. Sessions management ▪ secure ▪ httpOnly ▪ domain ▪ path ▪ expires ▪ https://www.npmjs.com/package/cookie-session
  19. httpOnly & secure:true

  20. XSS attacks ▪ An attacker can exploit an XSS vulnerability to: ▪ Steal session cookies / session hijacking ▪ Redirect users to malicious sites ▪ Defacing and content manipulation ▪ Cross-Site Request Forgery
  21. CSRF attacks

  22. https://www.npmjs.com/package/csurf

  23. CSRF
    <form action="/process" method="POST">
      <input type="hidden" name="_csrf" value="{{csrfToken}}">
      <button type="submit">Submit</button>
    </form>

    // Expose the per-request token to templates under the same name the form reads
    app.use(function (request, response, next) {
      response.locals.csrfToken = request.csrfToken();
      next();
    });
  24. CSRF

  25. Filter/sanitize user input ▪ Fixing XSS attacks ▪ https://www.npmjs.com/package/sanitizer ▪ Module express-validator ▪ https://www.npmjs.com/package/express-validator
  26. Express Validator

  27. (image-only slide)
  28. Bcrypt-node ▪ https://github.com/kelektiv/node.bcrypt.js

  29. (image-only slide)
  30. (image-only slide)
  31. Node Goat ▪ http://nodegoat.herokuapp.com/tutorial

  32. Node Goat ▪ https://github.com/OWASP/NodeGoat

  33. EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString())

  34. Insecure Direct Object References ▪ Use session instead of request param ▪ var userId = req.session.userId;
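Hardened versions of the two NodeGoat issues on slides 33 and 34, as an added example that is not code from the deck or from NodeGoat: a strict numeric parser that replaces eval() on a form field, and a profile lookup keyed on req.session.userId rather than a client-supplied id. The request shape (req.body, req.params, req.session), the field name preTax and the in-memory users table are constructed for illustration.

```javascript
// Added example, not code from the deck or from NodeGoat. Request shape, field name
// and the users table are constructed for this illustration.

// Slide 33: never eval() a form field. Accept only a plain decimal number.
function parseAmount(input) {
  if (typeof input !== 'string') return null;
  const s = input.trim();
  // Optional sign, digits, optional fraction: rejects "2+2", "require(...)", "" and exponents.
  if (!/^[+-]?(\d+(\.\d*)?|\.\d+)$/.test(s)) return null;
  return Number(s);
}

// Slide 34: resolve the record from the authenticated session, never from a client-controlled id.
const users = new Map([
  [1, { id: 1, name: 'alice', ssn: '[constructed]' }],
  [2, { id: 2, name: 'bob', ssn: '[constructed]' }],
]);

function loadProfile(req) {
  const userId = req.session && req.session.userId; // deliberately ignores req.params.userId
  if (!Number.isInteger(userId)) return { status: 401, body: null };
  const user = users.get(userId);
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

// Contributions-style handler: validate the number, then act as the session user only.
function postContribution(req) {
  const profile = loadProfile(req);
  if (profile.status !== 200) return profile;
  const amount = parseAmount(req.body && req.body.preTax);
  if (amount === null || amount < 0) {
    return { status: 400, body: 'preTax must be a non-negative number' };
  }
  return { status: 200, body: { user: profile.body.name, preTax: amount } };
}

// Demo: the client asks for user 2 in the URL but is logged in as user 1.
console.log(postContribution({ session: { userId: 1 }, params: { userId: '2' }, body: { preTax: '7.5' } }));
```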
  35. Tools ▪ KrakenJS ▪ Lusca middleware ▪ NodeJsScan

  36. http://krakenjs.com/

  37. https://github.com/krakenjs/lusca

  38. NodeJsScan ▪ https://github.com/ajinabraham/NodeJsScan

  39. NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

  40. NodeJsScan

  41. GitHub repositories ▪ https://github.com/jmortega/testing_nodejs_security ▪ https://github.com/cr0hn/vulnerable-node ▪ https://github.com/rdegges/svcc-auth ▪ https://github.com/strongloop/loopback-getting-started-intermediate ▪ https://github.com/Feeld/strong-node
  42. Node security learning ▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

  43. Books

  44. References ▪ https://blog.risingstack.com/node-js-security-checklist/ ▪ https://blog.risingstack.com/node-js-security-tips/ ▪ https://www.npmjs.com/package/helmet ▪ https://expressjs.com/en/advanced/best-practice-security.html ▪ https://expressjs.com/en/advanced/security-updates.html ▪ http://nodegoat.herokuapp.com/tutorial ▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project