Testing NodeJS Security

Transcript

1. Testing Node Security by @jmortegac NOV 18-19 · 2016

2. Agenda  Introduction nodejS security  Npm security packages 

   Node Goat project  Tools

3. nodeJS introduction  JavaScript in the backend  Built on

   Chrome´s Javascript runtime(V8)  NodeJs is based on event loop  Designed to be asynchronous  Single Thread  Concurrent requests.

4. Security updates

5. Security updates

6. Find nodeJS vulnerabilities  http://cve.mitre.org/find/

7. Last vulnerabilities  https://nodesecurity.io/advisories

8. NPM modules install

9. Npm security packages  Helmet  express-session / cookie-session 

   csurf  express-validator  bcrypt-node  express-enforces-ssl

10. Security HTTP Headers  Strict-Transport-Security  X-Frame-Options  X-XSS-Protection 

    X-Content-Type-Options  Content-Security-Policy

11. Helmet module  https://www.npmjs.com/package/helmet

12. Helmet module  https://github.com/helmetjs/helmet

13. Helmet module  CSPContent-Security-Policy header  hidePoweredBydeletes X-Powered-by header 

    Hpkpprotection MITM  Hstsforces https connections  noCachedesactive client cache  Frameguardprotection clickjacking  xssFilterprotection XSS

14. Helmet module

15. Check headers security  http://cyh.herokuapp.com/cyh  https://securityheaders.io/

16. Express versions  https://www.shodan.io/search?query=express

17. Disable x-powered-by  Avoid framework fingerprinting

18. Disable x-powered-by  Use Helmet and use “hide-powered-by” plugin

19. Sessions management  https://www.npmjs.com/package/cookie-session  secure  httpOnly  domain

     path  expires

20. httpOnly & secure:true

21. Delete cookies from cache browser // Set cache control header

    to eliminate cookies from cache app.use(function (req, res, next) { res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"'); next(); });

22. XSS attacks  An attacker can exploit XSS vulnerability to:

     Steal session cookies/Sesion hijacking  Redirect user to malicious sites  Defacing and content manipulation  Cross Site Request forgery

23. https://www.npmjs.com/package/csurf

24. CSRF <form action="/process" method="POST"> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button>

    </form> app.use(function (request, response, next) { response.locals.csrftoken = request.csrfToken(); next(); });

25. CSRF

26. Filter/sanitize user input  Avoid XSS attacks  https://www.npmjs.com/package/sanitizer 

    Module express-validator  https://www.npmjs.com/package/express-validator

27. Validator

28. Validator

29. Validator

30. Validator with reg exp

31. Regular expressions  https://www.npmjs.com/package/safe-regex  Detect vulnerable regular expressions that

    can cause DoS

32. NodeJS Crypto  http://nodejs.org/api/crypto.html  Use require(‘crypto’) to access this

    module  The crypto module requires OpenSSL require("crypto") .createHash("sha1") //algorithm .update(“cOdEmOtiOn") //text .digest("hex"); //hexadecimal result

33. Bcrypt-node  https://github.com/kelektiv/node.bcrypt.js

34. Bcrypt-node

35. Bcrypt-node

36. Bcrypt-node

37. Building a secure HTTPS server

38. Building a secure HTTPS server  https://www.npmjs.com/package/https-redirect-server  https://www.npmjs.com/package/express-enforces-ssl 

    Redirect all traffic to https and a secure port

39. Building a secure HTTPS server

40. Building a secure HTTPS server var helmet = require("helmet"); var

    ms = require("ms"); app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true }));  Send hsts header for all requests

41. Node Goat  http://nodegoat.herokuapp.com/tutorial

42. Node Goat  https://github.com/OWASP/NodeGoat

43. EVAL()

44. EVAL() on github

45. EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString()) res.end(require('fs').readdirSync('..').toString())

46. Insecure Direct Object References  Use session instead of request

    param  var userId = req.session.userId;

47. Tools  NSP  Require Safe  David  KrakenJS

    / Lusca middleware  Retire  snyk.io

48. NSP  https://github.com/nodesecurity/nsp  npm install -g nsp  Analyze

    package.json  nsp check --output summary

49. NSP with Grunt  npm install –g grunt-nsp-package

50. Nsp execution

51. Nsp execution

52. Project dependences  https://david-dm.org/

53. Project dependences

54. Project dependences  npm install –g david

55. https://snyk.io

56. http://krakenjs.com/

57. https://github.com/krakenjs/lusca

58. Retire.js  http://retirejs.github.io/retire.js  Detecting components and js libraries with

    known vulnerabilities

59. Retire.js

60. Retire.js

61. Retire.js

62. Retire.js  https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json

63. Retire.js execution

64. NodeJsScan  https://github.com/ajinabraham/NodeJsScan python NodeJsScan.py -d <dir>

65. NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

66. NodeJsScan

67. Passport

68. Passport

69. https://github.com/jmortega/testing_nodejs_security

70. GitHub repositories  https://github.com/cr0hn/vulnerable-node  https://github.com/rdegges/svcc-auth  https://github.com/strongloop/loopback-getting-started- intermediate

71. References  https://blog.risingstack.com/node-js-security-checklist/  https://blog.risingstack.com/node-js-security-tips/  https://groups.google.com/forum/#!forum/nodejs-sec  https://nodejs.org/en/blog/vulnerability/september-2016- security-releases/

     https://expressjs.com/en/advanced/security-updates.html  http://opensecurity.in/nodejsscan/  http://stackabuse.com/securing-your-node-js-app/

72. Node security learning  https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

73. Books