Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Testing NodeJS Security
Search
jmortegac
November 18, 2016
Programming
1
370
Testing NodeJS Security
Testing NodeJS Security
jmortegac
November 18, 2016
Tweet
Share
More Decks by jmortegac
See All by jmortegac
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
0
44
Security and auditing tools in Large Language Models (LLM)
jmortega
0
23
Beyond the hype: The reality of AI security
jmortega
0
31
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
0
55
Seguridad de APIs en Drupal: herramientas, mejores prácticas y estrategias para asegurar las APIs
jmortega
1
43
Security and auditing tools in Large Language Models (LLM)
jmortega
1
95
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaciones
jmortega
0
50
Asegurando tus APIs: Explorando el OWASP Top 10 de Seguridad en APIs
jmortega
1
110
PyGoat: Analizando la seguridad en aplicaciones Django
jmortega
1
200
Other Decks in Programming
See All in Programming
Is Xcode slowly dying out in 2025?
uetyo
1
280
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
tkikuc
21
4k
VS Code Update for GitHub Copilot
74th
2
650
Startups on Rails in Past, Present and Future–Irina Nazarova, RailsConf 2025
irinanazarova
0
130
Goで作る、開発・CI環境
sin392
0
240
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
2
930
システム成長を止めない!本番無停止テーブル移行の全貌
sakawe_ee
1
210
RailsGirls IZUMO スポンサーLT
16bitidol
0
190
効率的な開発手段として VRTを活用する
ishkawa
0
140
Flutterで備える!Accessibility Nutrition Labels完全ガイド
yuukiw00w
0
160
プロダクト志向なエンジニアがもう一歩先の価値を目指すために意識したこと
nealle
0
130
スタートアップの急成長を支えるプラットフォームエンジニアリングと組織戦略
sutochin26
1
6k
Featured
See All Featured
KATA
mclloyd
30
14k
Six Lessons from altMBA
skipperchong
28
3.9k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Code Reviewing Like a Champion
maltzj
524
40k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
48
2.9k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Transcript
Testing Node Security by @jmortegac NOV 18-19 · 2016
Agenda Introduction nodejS security Npm security packages
Node Goat project Tools
nodeJS introduction JavaScript in the backend Built on
Chrome´s Javascript runtime(V8) NodeJs is based on event loop Designed to be asynchronous Single Thread Concurrent requests.
Security updates
Security updates
Find nodeJS vulnerabilities http://cve.mitre.org/find/
Last vulnerabilities https://nodesecurity.io/advisories
NPM modules install
Npm security packages Helmet express-session / cookie-session
csurf express-validator bcrypt-node express-enforces-ssl
Security HTTP Headers Strict-Transport-Security X-Frame-Options X-XSS-Protection
X-Content-Type-Options Content-Security-Policy
Helmet module https://www.npmjs.com/package/helmet
Helmet module https://github.com/helmetjs/helmet
Helmet module CSPContent-Security-Policy header hidePoweredBydeletes X-Powered-by header
Hpkpprotection MITM Hstsforces https connections noCachedesactive client cache Frameguardprotection clickjacking xssFilterprotection XSS
Helmet module
Check headers security http://cyh.herokuapp.com/cyh https://securityheaders.io/
Express versions https://www.shodan.io/search?query=express
Disable x-powered-by Avoid framework fingerprinting
Disable x-powered-by Use Helmet and use “hide-powered-by” plugin
Sessions management https://www.npmjs.com/package/cookie-session secure httpOnly domain
path expires
httpOnly & secure:true
Delete cookies from cache browser // Set cache control header
to eliminate cookies from cache app.use(function (req, res, next) { res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"'); next(); });
XSS attacks An attacker can exploit XSS vulnerability to:
Steal session cookies/Sesion hijacking Redirect user to malicious sites Defacing and content manipulation Cross Site Request forgery
https://www.npmjs.com/package/csurf
CSRF <form action="/process" method="POST"> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button>
</form> app.use(function (request, response, next) { response.locals.csrftoken = request.csrfToken(); next(); });
CSRF
Filter/sanitize user input Avoid XSS attacks https://www.npmjs.com/package/sanitizer
Module express-validator https://www.npmjs.com/package/express-validator
Validator
Validator
Validator
Validator with reg exp
Regular expressions https://www.npmjs.com/package/safe-regex Detect vulnerable regular expressions that
can cause DoS
NodeJS Crypto http://nodejs.org/api/crypto.html Use require(‘crypto’) to access this
module The crypto module requires OpenSSL require("crypto") .createHash("sha1") //algorithm .update(“cOdEmOtiOn") //text .digest("hex"); //hexadecimal result
Bcrypt-node https://github.com/kelektiv/node.bcrypt.js
Bcrypt-node
Bcrypt-node
Bcrypt-node
Building a secure HTTPS server
Building a secure HTTPS server https://www.npmjs.com/package/https-redirect-server https://www.npmjs.com/package/express-enforces-ssl
Redirect all traffic to https and a secure port
Building a secure HTTPS server
Building a secure HTTPS server var helmet = require("helmet"); var
ms = require("ms"); app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true })); Send hsts header for all requests
Node Goat http://nodegoat.herokuapp.com/tutorial
Node Goat https://github.com/OWASP/NodeGoat
EVAL()
EVAL() on github
EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString()) res.end(require('fs').readdirSync('..').toString())
Insecure Direct Object References Use session instead of request
param var userId = req.session.userId;
Tools NSP Require Safe David KrakenJS
/ Lusca middleware Retire snyk.io
NSP https://github.com/nodesecurity/nsp npm install -g nsp Analyze
package.json nsp check --output summary
NSP with Grunt npm install –g grunt-nsp-package
Nsp execution
Nsp execution
Project dependences https://david-dm.org/
Project dependences
Project dependences npm install –g david
https://snyk.io
http://krakenjs.com/
https://github.com/krakenjs/lusca
Retire.js http://retirejs.github.io/retire.js Detecting components and js libraries with
known vulnerabilities
Retire.js
Retire.js
Retire.js
Retire.js https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
Retire.js execution
NodeJsScan https://github.com/ajinabraham/NodeJsScan python NodeJsScan.py -d <dir>
NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
NodeJsScan
Passport
Passport
https://github.com/jmortega/testing_nodejs_security
GitHub repositories https://github.com/cr0hn/vulnerable-node https://github.com/rdegges/svcc-auth https://github.com/strongloop/loopback-getting-started- intermediate
References https://blog.risingstack.com/node-js-security-checklist/ https://blog.risingstack.com/node-js-security-tips/ https://groups.google.com/forum/#!forum/nodejs-sec https://nodejs.org/en/blog/vulnerability/september-2016- security-releases/
https://expressjs.com/en/advanced/security-updates.html http://opensecurity.in/nodejsscan/ http://stackabuse.com/securing-your-node-js-app/
Node security learning https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books