Hacking NodeJS applications for fun and profit

jmortegac
February 03, 2019

NodeJS is one of the fastest growing platforms nowadays, and from a security point of view it is necessary to know all the possibilities that the platform offers to developers. This is a talk that explains some of the most common problems in NodeJS applications and how, using frequently used tools, it is possible to exploit such vulnerabilities. I will also show the main vulnerabilities we can find and how we can fix them in our applications.

These could be the talking points:

-Node.js security packages

I will comment on how to protect Express applications in terms of authentication, logging, middleware and security best practices before putting applications into production.

-How to prevent OWASP TOP 10 in a NodeJS application

In this point I will comment on the OWASP NodeGoat project, which provides an environment to learn the OWASP Top 10 security risks. I will comment on the main risks we can find in NodeJS applications from an attacker's perspective.

https://github.com/OWASP/NodeGoat

-Tools which help to protect our Node applications, like NodeJSScan, which allows detecting vulnerabilities following some predefined rules.

Transcript

  1. Hacking NodeJS applications for fun and profit
    Testing NodeJS Security
    by @jmortegac

  2. Agenda
    ▪ Introduction to NodeJS security
    ▪ npm security packages
    ▪ NodeGoat project
    ▪ Tools

  3. NodeJS
    ▪ JavaScript in the backend
    ▪ Built on Chrome's JavaScript runtime (V8)
    ▪ NodeJS is based on an event loop
    ▪ Designed to be asynchronous
    ▪ Single thread
    ▪ Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.

  4. Security updates
    https://expressjs.com/en/advanced/security-updates.html

  5. Package vulnerabilities
    https://www.npmjs.com/advisories

  7. npm security packages
    ▪ Helmet
    ▪ express-session
    ▪ cookie-session
    ▪ csurf
    ▪ express-validator
    ▪ bcrypt-node
    ▪ express-enforces-ssl

  8. Security HTTP headers
    ▪ Strict-Transport-Security
    ▪ X-Frame-Options
    ▪ X-XSS-Protection
    ▪ X-Content-Type-Options
    ▪ Content-Security-Policy

  9. Helmet module
    ▪ https://www.npmjs.com/package/helmet

  10. Helmet module
    ▪ https://github.com/helmetjs/helmet

  11. Helmet module
    ▪ hidePoweredBy
    ▪ hpkp → protection against MITM
    ▪ hsts → forces HTTPS connections
    ▪ noCache → disables the client cache
    ▪ frameguard → protection against clickjacking
    ▪ xssFilter → protection against XSS

  12. Helmet CSP

  13. Check security headers
    ▪ http://cyh.herokuapp.com/cyh
    ▪ https://securityheaders.io/

  14. Express versions
    ▪ https://www.shodan.io/search?query=express

  15. Disable x-powered-by

  16. Disable x-powered-by
    ▪ Avoid framework fingerprinting

  17. Disable x-powered-by
    ▪ Use Helmet and its “hide-powered-by” plugin
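
Added example, not code from the deck or from Helmet: a dependency-free Connect-style middleware that sets the five headers from slide 8 and removes X-Powered-By as slides 15 to 17 recommend, so the result can be inspected without installing anything. The header values and the fakeResponse helper are assumptions made for the demonstration; in a real application use helmet() itself.

```javascript
// Header values are constructed for this example; tune them per application.
const SECURITY_HEADERS = {
  // Force HTTPS for one year on this host and its subdomains (helmet.hsts)
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  // Refuse to be embedded in frames: clickjacking protection (helmet.frameguard)
  'X-Frame-Options': 'DENY',
  // Legacy browser XSS auditor switch (helmet.xssFilter)
  'X-XSS-Protection': '1; mode=block',
  // Stop MIME sniffing of responses (helmet.noSniff)
  'X-Content-Type-Options': 'nosniff',
  // Only load resources from our own origin (helmet.contentSecurityPolicy)
  'Content-Security-Policy':
    "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
};

// Middleware: register with app.use(securityHeaders) before any route.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  // Express adds "X-Powered-By: Express" by default; drop it to avoid
  // framework fingerprinting (same effect as app.disable('x-powered-by')).
  res.removeHeader('X-Powered-By');
  next();
}

// Minimal stand-in for http.ServerResponse so the middleware can be exercised
// without starting a server. Header names are case-insensitive, as in Node.
function fakeResponse(initialHeaders = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(initialHeaders)) {
    headers[k.toLowerCase()] = v;
  }
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeader(name) { return headers[name.toLowerCase()]; },
    getHeaders() { return { ...headers }; },
  };
}

// Run the middleware against a response that already carries the Express
// banner and return the resulting header map plus whether next() was reached.
function headersAfterMiddleware() {
  const res = fakeResponse({ 'X-Powered-By': 'Express' });
  let nextCalled = false;
  securityHeaders({}, res, () => { nextCalled = true; });
  return { headers: res.getHeaders(), nextCalled };
}
```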

  18. Session management
    ▪ secure
    ▪ httpOnly
    ▪ domain
    ▪ path
    ▪ expires
    ▪ https://www.npmjs.com/package/cookie-session

  19. httpOnly & secure:true

  20. XSS attacks
    ▪ An attacker can exploit an XSS vulnerability to:
    ▪ Steal session cookies / session hijacking
    ▪ Redirect the user to malicious sites
    ▪ Defacing and content manipulation
    ▪ Cross-Site Request Forgery

  21. CSRF attacks

  22. https://www.npmjs.com/package/csurf

  23. CSRF

    <!-- Form template: the hidden _csrf field carries the token that csurf checks -->
    <form method="POST">
      <input type="hidden" name="_csrf" value="{{csrfToken}}">
      <button type="submit">Submit</button>
    </form>

    // csurf needs a cookie parser (or a session) mounted before it; then expose
    // the token to templates. The locals name must match the template: csrfToken.
    var csrf = require('csurf');
    app.use(require('cookie-parser')());
    app.use(csrf({ cookie: true }));
    app.use(function (request, response, next) {
      response.locals.csrfToken = request.csrfToken();
      next();
    });

  24. CSRF

  25. Filter/sanitize user input
    ▪ Fixing XSS attacks
    ▪ https://www.npmjs.com/package/sanitizer
    ▪ Module express-validator
    ▪ https://www.npmjs.com/package/express-validator

  26. Express Validator

  28. Bcrypt-node
    ▪ https://github.com/kelektiv/node.bcrypt.js

  31. NodeGoat
    ▪ http://nodegoat.herokuapp.com/tutorial

  32. NodeGoat
    ▪ https://github.com/OWASP/NodeGoat

  33. eval() attacks
    res.end(require('fs').readdirSync('.').toString())
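
Added example, not code from the deck or from NodeGoat: the eval()-based number parsing that NodeGoat's contributions page is built around, beside a hardened parser and handler. The field names (preTax, afterTax, roth), the function names and the contribution limit are assumptions made for this example.

```javascript
// VULNERABLE: the field is meant to hold a number, but eval() executes any
// JavaScript the client submits, so a value such as
// res.end(require('fs').readdirSync('.').toString()) runs on the server with
// the application's privileges.
function parseContributionUnsafe(value) {
  return eval('(' + value + ')');   // never do this with request data
}

// HARDENED: treat the input strictly as data. Only a decimal amount with at
// most two fraction digits is accepted; anything else is rejected before use.
const AMOUNT_RE = /^\d{1,7}(\.\d{1,2})?$/;   // e.g. "50" or "1234.56"
const MAX_CONTRIBUTION = 100000;              // business limit (assumed)

function parseContributionSafe(value) {
  if (typeof value !== 'string') {
    throw new TypeError('contribution must be a string from the form');
  }
  const trimmed = value.trim();
  if (!AMOUNT_RE.test(trimmed)) {
    throw new TypeError('contribution must be a decimal amount');
  }
  const amount = Number(trimmed);   // safe: the regex guarantees a numeral
  if (amount > MAX_CONTRIBUTION) {
    throw new RangeError('contribution exceeds the allowed maximum');
  }
  return amount;
}

// Express-style handler for app.post('/contributions', handleContributions).
// It also returns what it sent so the behaviour can be checked without a server.
function handleContributions(req, res) {
  let total = 0;
  for (const field of ['preTax', 'afterTax', 'roth']) {
    try {
      total += parseContributionSafe(req.body[field]);
    } catch (err) {
      res.statusCode = 400;
      res.end('invalid ' + field + ': ' + err.message);
      return { status: 400, total: null };
    }
  }
  res.statusCode = 200;
  res.end('total contribution: ' + total);
  return { status: 200, total };
}
```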

  34. Insecure Direct Object References
    ▪ Use session instead of request param
    ▪ var userId = req.session.userId;
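
Added example, not code from the deck or from NodeGoat: the "use session instead of request param" fix for an Insecure Direct Object Reference, extended with an explicit authorization check for the case where a privileged user legitimately needs another user's record. The in-memory user store, role names and function names are assumptions made for this example.

```javascript
// Constructed in-memory store standing in for the application's database.
const USERS = new Map([
  [1, { id: 1, username: 'alice', role: 'user',  balance: 120 }],
  [2, { id: 2, username: 'bob',   role: 'user',  balance: 875 }],
  [3, { id: 3, username: 'admin', role: 'admin', balance: 0 }],
]);

// VULNERABLE: the record is selected by a client-controlled value, so any
// authenticated user can read anyone's allocations by changing the parameter.
function allocationsFromParam(req) {
  return USERS.get(Number(req.params.userId)) || null;
}

// HARDENED: the identity comes from the server-side session populated at
// login (var userId = req.session.userId;), never from the URL or the body.
function allocationsFromSession(req) {
  const userId = req.session && req.session.userId;
  if (!Number.isInteger(userId)) return null;        // not logged in
  return USERS.get(userId) || null;
}

// When another user's record must legitimately be shown (admin screens),
// authorize the session user first and only then honour the requested id.
function allocationsForRequestedUser(req) {
  const caller = allocationsFromSession(req);
  if (!caller) return { status: 401, record: null };
  const requested = Number(req.params.userId);
  if (requested === caller.id) return { status: 200, record: caller };
  if (caller.role !== 'admin') return { status: 403, record: null };
  const record = USERS.get(requested);
  return record ? { status: 200, record } : { status: 404, record: null };
}
```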

  35. Tools
    ▪ KrakenJS
    ▪ Lusca middleware
    ▪ NodeJsScan

  36. http://krakenjs.com/

  37. https://github.com/krakenjs/lusca

  38. NodeJsScan
    ▪ https://github.com/ajinabraham/NodeJsScan

  39. NodeJsScan
    https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

  40. NodeJsScan

  41. GitHub repositories
    ▪ https://github.com/jmortega/testing_nodejs_security
    ▪ https://github.com/cr0hn/vulnerable-node
    ▪ https://github.com/rdegges/svcc-auth
    ▪ https://github.com/strongloop/loopback-getting-started-intermediate
    ▪ https://github.com/Feeld/strong-node

  42. Node security learning
    ▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

  43. Books

  44. References
    ▪ https://blog.risingstack.com/node-js-security-checklist/
    ▪ https://blog.risingstack.com/node-js-security-tips/
    ▪ https://www.npmjs.com/package/helmet
    ▪ https://expressjs.com/en/advanced/best-practice-security.html
    ▪ https://expressjs.com/en/advanced/security-updates.html
    ▪ http://nodegoat.herokuapp.com/tutorial
    ▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project