Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Testing NodeJS Security
Search
jmortegac
November 18, 2016
Programming
1
360
Testing NodeJS Security
Testing NodeJS Security
jmortegac
November 18, 2016
Tweet
Share
More Decks by jmortegac
See All by jmortegac
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
0
34
Seguridad de APIs en Drupal: herramientas, mejores prácticas y estrategias para asegurar las APIs
jmortega
1
27
Security and auditing tools in Large Language Models (LLM)
jmortega
1
38
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaciones
jmortega
0
38
Asegurando tus APIs: Explorando el OWASP Top 10 de Seguridad en APIs
jmortega
1
80
PyGoat: Analizando la seguridad en aplicaciones Django
jmortega
1
170
Evolution of security strategies in K8s environments- All day devops
jmortega
1
56
Ciberseguridad en Blockchain y Smart Contracts: Explorando los desafíos y soluciones
jmortega
1
93
Evolution of security strategies in K8s environments
jmortega
1
46
Other Decks in Programming
See All in Programming
XStateを用いた堅牢なReact Components設計~複雑なClient Stateをシンプルに~ @React Tokyo ミートアップ #2
kfurusho
1
990
Datadog Workflow Automation で圧倒的価値提供
showwin
1
280
メンテが命: PHPフレームワークのコンテナ化とアップグレード戦略
shunta27
0
310
Rails 1.0 のコードで学ぶ find_by* と method_missing の仕組み / Learn how find_by_* and method_missing work in Rails 1.0 code
maimux2x
1
250
もう僕は OpenAPI を書きたくない
sgash708
6
1.9k
Rubyで始める関数型ドメインモデリング
shogo_tksk
0
140
kintone開発を効率化するためにチームで試した施策とその結果を大放出!
oguemon
0
170
『テスト書いた方が開発が早いじゃん』を解き明かす #phpcon_nagoya
o0h
PRO
9
2.5k
CloudNativePGを布教したい
nnaka2992
0
120
React 19アップデートのために必要なこと
uhyo
8
1.5k
第3回関東Kaggler会_AtCoderはKaggleの役に立つ
chettub
3
1.2k
15分で学ぶDuckDBの可愛い使い方 DuckDBの最近の更新
notrogue
3
750
Featured
See All Featured
Practical Orchestrator
shlominoach
186
10k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
21
2.5k
A better future with KSS
kneath
238
17k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
134
33k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Code Review Best Practice
trishagee
67
18k
How to train your dragon (web standard)
notwaldorf
91
5.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
For a Future-Friendly Web
brad_frost
176
9.6k
Transcript
Testing Node Security by @jmortegac NOV 18-19 · 2016
Agenda Introduction nodejS security Npm security packages
Node Goat project Tools
nodeJS introduction JavaScript in the backend Built on
Chrome´s Javascript runtime(V8) NodeJs is based on event loop Designed to be asynchronous Single Thread Concurrent requests.
Security updates
Security updates
Find nodeJS vulnerabilities http://cve.mitre.org/find/
Last vulnerabilities https://nodesecurity.io/advisories
NPM modules install
Npm security packages Helmet express-session / cookie-session
csurf express-validator bcrypt-node express-enforces-ssl
Security HTTP Headers Strict-Transport-Security X-Frame-Options X-XSS-Protection
X-Content-Type-Options Content-Security-Policy
Helmet module https://www.npmjs.com/package/helmet
Helmet module https://github.com/helmetjs/helmet
Helmet module CSPContent-Security-Policy header hidePoweredBydeletes X-Powered-by header
Hpkpprotection MITM Hstsforces https connections noCachedesactive client cache Frameguardprotection clickjacking xssFilterprotection XSS
Helmet module
Check headers security http://cyh.herokuapp.com/cyh https://securityheaders.io/
Express versions https://www.shodan.io/search?query=express
Disable x-powered-by Avoid framework fingerprinting
Disable x-powered-by Use Helmet and use “hide-powered-by” plugin
Sessions management https://www.npmjs.com/package/cookie-session secure httpOnly domain
path expires
httpOnly & secure:true
Delete cookies from cache browser // Set cache control header
to eliminate cookies from cache app.use(function (req, res, next) { res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"'); next(); });
XSS attacks An attacker can exploit XSS vulnerability to:
Steal session cookies/Sesion hijacking Redirect user to malicious sites Defacing and content manipulation Cross Site Request forgery
https://www.npmjs.com/package/csurf
CSRF <form action="/process" method="POST"> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button>
</form> app.use(function (request, response, next) { response.locals.csrftoken = request.csrfToken(); next(); });
CSRF
Filter/sanitize user input Avoid XSS attacks https://www.npmjs.com/package/sanitizer
Module express-validator https://www.npmjs.com/package/express-validator
Validator
Validator
Validator
Validator with reg exp
Regular expressions https://www.npmjs.com/package/safe-regex Detect vulnerable regular expressions that
can cause DoS
NodeJS Crypto http://nodejs.org/api/crypto.html Use require(‘crypto’) to access this
module The crypto module requires OpenSSL require("crypto") .createHash("sha1") //algorithm .update(“cOdEmOtiOn") //text .digest("hex"); //hexadecimal result
Bcrypt-node https://github.com/kelektiv/node.bcrypt.js
Bcrypt-node
Bcrypt-node
Bcrypt-node
Building a secure HTTPS server
Building a secure HTTPS server https://www.npmjs.com/package/https-redirect-server https://www.npmjs.com/package/express-enforces-ssl
Redirect all traffic to https and a secure port
Building a secure HTTPS server
Building a secure HTTPS server var helmet = require("helmet"); var
ms = require("ms"); app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true })); Send hsts header for all requests
Node Goat http://nodegoat.herokuapp.com/tutorial
Node Goat https://github.com/OWASP/NodeGoat
EVAL()
EVAL() on github
EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString()) res.end(require('fs').readdirSync('..').toString())
Insecure Direct Object References Use session instead of request
param var userId = req.session.userId;
Tools NSP Require Safe David KrakenJS
/ Lusca middleware Retire snyk.io
NSP https://github.com/nodesecurity/nsp npm install -g nsp Analyze
package.json nsp check --output summary
NSP with Grunt npm install –g grunt-nsp-package
Nsp execution
Nsp execution
Project dependences https://david-dm.org/
Project dependences
Project dependences npm install –g david
https://snyk.io
http://krakenjs.com/
https://github.com/krakenjs/lusca
Retire.js http://retirejs.github.io/retire.js Detecting components and js libraries with
known vulnerabilities
Retire.js
Retire.js
Retire.js
Retire.js https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
Retire.js execution
NodeJsScan https://github.com/ajinabraham/NodeJsScan python NodeJsScan.py -d <dir>
NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
NodeJsScan
Passport
Passport
https://github.com/jmortega/testing_nodejs_security
GitHub repositories https://github.com/cr0hn/vulnerable-node https://github.com/rdegges/svcc-auth https://github.com/strongloop/loopback-getting-started- intermediate
References https://blog.risingstack.com/node-js-security-checklist/ https://blog.risingstack.com/node-js-security-tips/ https://groups.google.com/forum/#!forum/nodejs-sec https://nodejs.org/en/blog/vulnerability/september-2016- security-releases/
https://expressjs.com/en/advanced/security-updates.html http://opensecurity.in/nodejsscan/ http://stackabuse.com/securing-your-node-js-app/
Node security learning https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books