Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Testing NodeJS Security

jmortegac
November 18, 2016
Programming
1
310

Testing NodeJS Security

Testing NodeJS Security

jmortegac

November 18, 2016
Tweet

More Decks by jmortegac

See All by jmortegac
Evolution of security strategies in K8s environments
jmortega
0
5
Implementing Observability for Kubernetes
jmortega
0
9
Computación distribuida usando Python
jmortega
0
36
Seguridad_en_arquitecturas_serverless_y_entornos_cloud.pdf
jmortega
0
60
Construyendo arquitecturas zero trust sobre entornos cloud
jmortega
0
33
Tips and tricks for data science projects with Python
jmortega
0
36
Sharing secret keys in Docker containers and K8s
jmortega
0
84
Implementing cert-manager in K8s
jmortega
0
120
Python para equipos de ciberseguridad(pycones)
jmortega
0
88

Other Decks in Programming

See All in Programming
(iOSDC Japan 2023) ActorでCoreDataをスレッドから解放しよう
teamhimeh
2
500
身に覚えのないDeveloper Program License違反を通告されてアプリの検索順位を下げられた時の闘い方 / iosdc2023-rookies-lt
ski
0
340
iOSのKeyboard Extensionで日本語入力できるキーボードアプリを作ろう! - iOSDC2023
miwa_keita
0
400
Build Backwards-Compatible REST APIs with Rolling Versions
subomi
0
130
なぜ自社ではスクラムがうまくいかないのか アジャイルコーチと考える、スクラムのアンチパターン / Why Scrum doesn't work in my company?
daipresents
1
290
第3回 AWSとGitHub勉強会 - GitHub Actionsを使ったCI環境の構築 -
ogiwarat
0
110
Iintroduction of how big tech runs tech projects
kazamori
1
410
neovimで作る最新Ruby開発環境2023
joker1007
2
1k
締切とはなにか、どういう効果があるのか #scrummikawa
murabayashi
0
260
PHP8.2にバージョンアップして もっと型表現を豊かにしよう
akitotsukahara
0
150
作って学ぶadbプロトコル / Create and learn adb protocols
ntsk
0
800
KustoクエリのChatGPT Plugin!
tomokusaba
0
260

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
214
8.2k
GraphQLとの向き合い方2022年版
quramy
24
11k
The Brand Is Dead. Long Live the Brand.
mthomps
48
5.1k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.2k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
18k
Being A Developer After 40
akosma
52
580k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
Infographics Made Easy
chrislema
236
17k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
The Language of Interfaces
destraynor
149
22k

Transcript

  1. Testing Node
    Security
    by @jmortegac
    NOV 18-19 · 2016

    View Slide

  2. Agenda
     Introduction nodejS security
     Npm security packages
     Node Goat project
     Tools

    View Slide

  3. nodeJS introduction
     JavaScript in the backend
     Built on Chrome´s Javascript runtime(V8)
     NodeJs is based on event loop
     Designed to be asynchronous
     Single Thread
     Concurrent requests.

    View Slide

  4. Security updates

    View Slide

  5. Security updates

    View Slide

  6. Find nodeJS vulnerabilities
     http://cve.mitre.org/find/

    View Slide

  7. Last vulnerabilities
     https://nodesecurity.io/advisories

    View Slide

  8. NPM modules install

    View Slide

  9. Npm security packages
     Helmet
     express-session / cookie-session
     csurf
     express-validator
     bcrypt-node
     express-enforces-ssl

    View Slide

  10. Security HTTP Headers
     Strict-Transport-Security
     X-Frame-Options
     X-XSS-Protection
     X-Content-Type-Options
     Content-Security-Policy

    View Slide

  11. Helmet module
     https://www.npmjs.com/package/helmet

    View Slide

  12. Helmet module
     https://github.com/helmetjs/helmet

    View Slide

  13. Helmet module
     CSPContent-Security-Policy header
     hidePoweredBydeletes X-Powered-by header
     Hpkpprotection MITM
     Hstsforces https connections
     noCachedesactive client cache
     Frameguardprotection clickjacking
     xssFilterprotection XSS

    View Slide

  14. Helmet module

    View Slide

  15. Check headers security
     http://cyh.herokuapp.com/cyh
     https://securityheaders.io/

    View Slide

  16. Express versions
     https://www.shodan.io/search?query=express

    View Slide

  17. Disable x-powered-by
     Avoid framework fingerprinting

    View Slide

  18. Disable x-powered-by
     Use Helmet and use “hide-powered-by” plugin

    View Slide

  19. Sessions management
     https://www.npmjs.com/package/cookie-session
     secure
     httpOnly
     domain
     path
     expires

    View Slide

  20. httpOnly & secure:true

    View Slide

  21. Delete cookies from cache browser
    // Set cache control header to eliminate cookies from cache
    app.use(function (req, res, next) {
    res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
    next();
    });

    View Slide

  22. XSS attacks
     An attacker can exploit XSS vulnerability to:
     Steal session cookies/Sesion hijacking
     Redirect user to malicious sites
     Defacing and content manipulation
     Cross Site Request forgery

    View Slide

  23. https://www.npmjs.com/package/csurf

    View Slide

  24. CSRF


    Submit

    app.use(function (request, response, next) {
    response.locals.csrftoken = request.csrfToken();
    next();
    });

    View Slide

  25. CSRF

    View Slide

  26. Filter/sanitize user input
     Avoid XSS attacks
     https://www.npmjs.com/package/sanitizer
     Module express-validator
     https://www.npmjs.com/package/express-validator

    View Slide

  27. Validator

    View Slide

  28. Validator

    View Slide

  29. Validator

    View Slide

  30. Validator with reg exp

    View Slide

  31. Regular expressions
     https://www.npmjs.com/package/safe-regex
     Detect vulnerable regular
    expressions that can cause DoS

    View Slide

  32. NodeJS Crypto
     http://nodejs.org/api/crypto.html
     Use require(‘crypto’) to access this module
     The crypto module requires OpenSSL
    require("crypto")
    .createHash("sha1") //algorithm
    .update(“cOdEmOtiOn") //text
    .digest("hex"); //hexadecimal result

    View Slide

  33. Bcrypt-node
     https://github.com/kelektiv/node.bcrypt.js

    View Slide

  34. Bcrypt-node

    View Slide

  35. Bcrypt-node

    View Slide

  36. Bcrypt-node

    View Slide

  37. Building a secure HTTPS server

    View Slide

  38. Building a secure HTTPS server
     https://www.npmjs.com/package/https-redirect-server
     https://www.npmjs.com/package/express-enforces-ssl
     Redirect all traffic to https and a
    secure port

    View Slide

  39. Building a secure HTTPS server

    View Slide

  40. Building a secure HTTPS server
    var helmet = require("helmet");
    var ms = require("ms");
    app.use(helmet.hsts({
    maxAge: ms("1 year"),
    includeSubdomains: true
    }));
     Send hsts header for all requests

    View Slide

  41. Node Goat
     http://nodegoat.herokuapp.com/tutorial

    View Slide

  42. Node Goat
     https://github.com/OWASP/NodeGoat

    View Slide

  43. EVAL()

    View Slide

  44. EVAL() on github

    View Slide

  45. EVAL() ATTACKS
    res.end(require('fs').readdirSync('.').toString())
    res.end(require('fs').readdirSync('..').toString())

    View Slide

  46. Insecure Direct Object References
     Use session instead of request param
     var userId = req.session.userId;

    View Slide

  47. Tools
     NSP
     Require Safe
     David
     KrakenJS / Lusca middleware
     Retire
     snyk.io

    View Slide

  48. NSP
     https://github.com/nodesecurity/nsp
     npm install -g nsp
     Analyze package.json
     nsp check --output summary

    View Slide

  49. NSP with Grunt
     npm install –g grunt-nsp-package

    View Slide

  50. Nsp execution

    View Slide

  51. Nsp execution

    View Slide

  52. Project dependences
     https://david-dm.org/

    View Slide

  53. Project dependences

    View Slide

  54. Project dependences
     npm install –g david

    View Slide

  55. https://snyk.io

    View Slide

  56. http://krakenjs.com/

    View Slide

  57. https://github.com/krakenjs/lusca

    View Slide

  58. Retire.js
     http://retirejs.github.io/retire.js
     Detecting components and js libraries
    with known vulnerabilities

    View Slide

  59. Retire.js

    View Slide

  60. Retire.js

    View Slide

  61. Retire.js

    View Slide

  62. Retire.js
     https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json

    View Slide

  63. Retire.js execution

    View Slide

  64. NodeJsScan
     https://github.com/ajinabraham/NodeJsScan
    python NodeJsScan.py -d

    View Slide

  65. NodeJsScan
    https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

    View Slide

  66. NodeJsScan

    View Slide

  67. Passport

    View Slide

  68. Passport

    View Slide

  69. https://github.com/jmortega/testing_nodejs_security

    View Slide

  70. GitHub repositories
     https://github.com/cr0hn/vulnerable-node
     https://github.com/rdegges/svcc-auth
     https://github.com/strongloop/loopback-getting-started-
    intermediate

    View Slide

  71. References
     https://blog.risingstack.com/node-js-security-checklist/
     https://blog.risingstack.com/node-js-security-tips/
     https://groups.google.com/forum/#!forum/nodejs-sec
     https://nodejs.org/en/blog/vulnerability/september-2016-
    security-releases/
     https://expressjs.com/en/advanced/security-updates.html
     http://opensecurity.in/nodejsscan/
     http://stackabuse.com/securing-your-node-js-app/

    View Slide

  72. Node security learning
     https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

    View Slide

  73. Books

    View Slide