
Hacking NodeJS applications for fun and profit

jmortegac
February 03, 2019


NodeJS is one of the fastest growing platforms nowadays, and from a security point of view it is necessary to know all the possibilities that the platform offers to developers. This is a talk that explains some of the most common problems in NodeJS applications and how, using frequently used tools, it is possible to exploit such vulnerabilities. I will also show the main vulnerabilities we can find and how we can fix them in our applications.

These could be the talking points:

-Node.js security packages

I will comment on how to protect Express applications in terms of authentication, logging, middleware and security best practices before putting applications into production.

-How to prevent the OWASP Top 10 in a NodeJS application. In this point I will comment on the OWASP NodeGoat project, which provides an environment to learn the OWASP Top 10 security risks. I will comment on the main risks we can find in NodeJS applications from an attacker's perspective.

https://github.com/OWASP/NodeGoat

-Tools which will help to protect our Node applications, like NodeJSScan, which allows detecting vulnerabilities following some predefined rules.


Transcript

  1. Node JS
     ▪ JavaScript in the backend
     ▪ Built on Chrome's JavaScript runtime (V8)
     ▪ NodeJS is based on an event loop
     ▪ Designed to be asynchronous
     ▪ Single thread
     ▪ Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.
  2. Npm security packages
     ▪ Helmet
     ▪ express-session
     ▪ cookie-session
     ▪ csurf
     ▪ express-validator
     ▪ bcrypt-node
     ▪ express-enforces-ssl
  3. Helmet module
     ▪ hidePoweredBy → removes the X-Powered-By header
     ▪ Hpkp → protection against MITM (public key pinning)
     ▪ Hsts → forces HTTPS connections
     ▪ noCache → disables client caching
     ▪ Frameguard → protection against clickjacking
     ▪ xssFilter → protection against XSS
  4. Session management
     ▪ secure
     ▪ httpOnly
     ▪ domain
     ▪ path
     ▪ expires
     ▪ https://www.npmjs.com/package/cookie-session
  5. XSS attacks
     ▪ An attacker can exploit an XSS vulnerability to:
       ▪ Steal session cookies / session hijacking
       ▪ Redirect the user to malicious sites
       ▪ Defacing and content manipulation
       ▪ Cross-Site Request Forgery
  6. CSRF

     <form action="/process" method="POST">
       <input type="hidden" name="_csrf" value="{{csrfToken}}">
       <button type="submit">Submit</button>
     </form>

     // csurf adds request.csrfToken(); expose it to templates under the
     // same name the form uses ({{csrfToken}}).
     app.use(function (request, response, next) {
       response.locals.csrfToken = request.csrfToken();
       next();
     });
  7. Filter/sanitize user input
     ▪ Fixing XSS attacks
     ▪ https://www.npmjs.com/package/sanitizer
     ▪ Module express-validator
     ▪ https://www.npmjs.com/package/express-validator
  8. References
     ▪ https://blog.risingstack.com/node-js-security-checklist/
     ▪ https://blog.risingstack.com/node-js-security-tips/
     ▪ https://www.npmjs.com/package/helmet
     ▪ https://expressjs.com/en/advanced/best-practice-security.html
     ▪ https://expressjs.com/en/advanced/security-updates.html
     ▪ http://nodegoat.herokuapp.com/tutorial
     ▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project