Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Testing NodeJS Security
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
jmortegac
November 18, 2016
Programming
420
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Testing NodeJS Security
Testing NodeJS Security
jmortegac
November 18, 2016
More Decks by jmortegac
See All by jmortegac
Security in Model Context Protocol: An Analysis of the OWASP MCP Top 10
jmortega
0
23
Simulando ataques adversarios con TextAttack: Vulnerabilidades y defensas en PLN
jmortega
0
33
Seguridad en la nube: defensa para activos digitales
jmortega
0
29
Simulando ataques adversarios con TextAttack: Vulnerabilidades y defensas en PLN
jmortega
1
52
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
1
61
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
1
130
Security and auditing tools in Large Language Models (LLM)
jmortega
1
97
Beyond the hype: The reality of AI security
jmortega
1
99
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
1
140
Other Decks in Programming
See All in Programming
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
160
1B+ /day規模のログを管理する技術
broadleaf
0
130
気圧・高度・GPSを記録&可視化するアプリ「Koudo」を作った話
hjmkth
1
350
AIキャラアプリkaiwaの低遅延音声通話基盤をどう作ったか - AWS Gravitonで支える低遅延・低コストAI Agent基盤
mogamit
0
170
symfony/aiとlaravel/boost
77web
0
120
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
suikabar
3
840
ローカルLLMでどこまでコードが書けるか -縮小版 / How much code can be written on a local LLM Shortened
kishida
2
190
Hatena Engineer Seminar #37「言語モデルの活用に関する研究」
slashnephy
0
510
ランチタイムLT会3周年!ランチタイムLT会を3年間続けられたお話
y0hgi
1
140
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
580
技術記事、 専門家としてのプログラマ、 言語化
mizchi
14
7.4k
才能?センス?知らん、 続けたもん勝ちだ。-- 結婚・出産・癌を越えてなお、私がプロダクトを創り続ける理由
16bitidol
2
840
Featured
See All Featured
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
320
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
minecr
1
310
Producing Creativity
orderedlist
PRO
348
40k
End of SEO as We Know It (SMX Advanced Version)
ipullrank
3
4.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
410
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
55k
Git: the NoSQL Database
bkeepers
PRO
432
67k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
460
Fireside Chat
paigeccino
42
4k
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
1
350
Transcript
Testing Node Security by @jmortegac NOV 18-19 · 2016
Agenda Introduction nodejS security Npm security packages
Node Goat project Tools
nodeJS introduction JavaScript in the backend Built on
Chrome´s Javascript runtime(V8) NodeJs is based on event loop Designed to be asynchronous Single Thread Concurrent requests.
Security updates
Security updates
Find nodeJS vulnerabilities http://cve.mitre.org/find/
Last vulnerabilities https://nodesecurity.io/advisories
NPM modules install
Npm security packages Helmet express-session / cookie-session
csurf express-validator bcrypt-node express-enforces-ssl
Security HTTP Headers Strict-Transport-Security X-Frame-Options X-XSS-Protection
X-Content-Type-Options Content-Security-Policy
Helmet module https://www.npmjs.com/package/helmet
Helmet module https://github.com/helmetjs/helmet
Helmet module CSPContent-Security-Policy header hidePoweredBydeletes X-Powered-by header
Hpkpprotection MITM Hstsforces https connections noCachedesactive client cache Frameguardprotection clickjacking xssFilterprotection XSS
Helmet module
Check headers security http://cyh.herokuapp.com/cyh https://securityheaders.io/
Express versions https://www.shodan.io/search?query=express
Disable x-powered-by Avoid framework fingerprinting
Disable x-powered-by Use Helmet and use “hide-powered-by” plugin
Sessions management https://www.npmjs.com/package/cookie-session secure httpOnly domain
path expires
httpOnly & secure:true
Delete cookies from cache browser // Set cache control header
to eliminate cookies from cache app.use(function (req, res, next) { res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"'); next(); });
XSS attacks An attacker can exploit XSS vulnerability to:
Steal session cookies/Sesion hijacking Redirect user to malicious sites Defacing and content manipulation Cross Site Request forgery
https://www.npmjs.com/package/csurf
CSRF <form action="/process" method="POST"> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button>
</form> app.use(function (request, response, next) { response.locals.csrftoken = request.csrfToken(); next(); });
CSRF
Filter/sanitize user input Avoid XSS attacks https://www.npmjs.com/package/sanitizer
Module express-validator https://www.npmjs.com/package/express-validator
Validator
Validator
Validator
Validator with reg exp
Regular expressions https://www.npmjs.com/package/safe-regex Detect vulnerable regular expressions that
can cause DoS
NodeJS Crypto http://nodejs.org/api/crypto.html Use require(‘crypto’) to access this
module The crypto module requires OpenSSL require("crypto") .createHash("sha1") //algorithm .update(“cOdEmOtiOn") //text .digest("hex"); //hexadecimal result
Bcrypt-node https://github.com/kelektiv/node.bcrypt.js
Bcrypt-node
Bcrypt-node
Bcrypt-node
Building a secure HTTPS server
Building a secure HTTPS server https://www.npmjs.com/package/https-redirect-server https://www.npmjs.com/package/express-enforces-ssl
Redirect all traffic to https and a secure port
Building a secure HTTPS server
Building a secure HTTPS server var helmet = require("helmet"); var
ms = require("ms"); app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true })); Send hsts header for all requests
Node Goat http://nodegoat.herokuapp.com/tutorial
Node Goat https://github.com/OWASP/NodeGoat
EVAL()
EVAL() on github
EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString()) res.end(require('fs').readdirSync('..').toString())
Insecure Direct Object References Use session instead of request
param var userId = req.session.userId;
Tools NSP Require Safe David KrakenJS
/ Lusca middleware Retire snyk.io
NSP https://github.com/nodesecurity/nsp npm install -g nsp Analyze
package.json nsp check --output summary
NSP with Grunt npm install –g grunt-nsp-package
Nsp execution
Nsp execution
Project dependences https://david-dm.org/
Project dependences
Project dependences npm install –g david
https://snyk.io
http://krakenjs.com/
https://github.com/krakenjs/lusca
Retire.js http://retirejs.github.io/retire.js Detecting components and js libraries with
known vulnerabilities
Retire.js
Retire.js
Retire.js
Retire.js https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
Retire.js execution
NodeJsScan https://github.com/ajinabraham/NodeJsScan python NodeJsScan.py -d <dir>
NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
NodeJsScan
Passport
Passport
https://github.com/jmortega/testing_nodejs_security
GitHub repositories https://github.com/cr0hn/vulnerable-node https://github.com/rdegges/svcc-auth https://github.com/strongloop/loopback-getting-started- intermediate
References https://blog.risingstack.com/node-js-security-checklist/ https://blog.risingstack.com/node-js-security-tips/ https://groups.google.com/forum/#!forum/nodejs-sec https://nodejs.org/en/blog/vulnerability/september-2016- security-releases/
https://expressjs.com/en/advanced/security-updates.html http://opensecurity.in/nodejsscan/ http://stackabuse.com/securing-your-node-js-app/
Node security learning https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books