Testing NodeJS Security

jmortegac
November 18, 2016


Transcript

  1. Testing Node Security by @jmortegac, NOV 18-19 · 2016

  2. Agenda
     - Introduction to Node.js security
     - npm security packages
     - Node Goat project
     - Tools

  3. Node.js introduction
     - JavaScript in the backend
     - Built on Chrome's JavaScript runtime (V8)
     - Based on an event loop, designed to be asynchronous
     - A single thread serves concurrent requests

  4. Security updates

  5. Security updates (cont.)

  6. Find Node.js vulnerabilities: http://cve.mitre.org/find/

  7. Latest vulnerabilities: https://nodesecurity.io/advisories

  8. npm modules install

  9. npm security packages
     - Helmet
     - express-session / cookie-session
     - csurf
     - express-validator
     - bcrypt-node
     - express-enforces-ssl

  10. Security HTTP headers
     - Strict-Transport-Security
     - X-Frame-Options
     - X-XSS-Protection
     - X-Content-Type-Options
     - Content-Security-Policy

  11. Helmet module: https://www.npmjs.com/package/helmet

  12. Helmet module: https://github.com/helmetjs/helmet

  13. Helmet module
     - csp: sets the Content-Security-Policy header
     - hidePoweredBy: removes the X-Powered-By header
     - hpkp: HTTP Public Key Pinning, against MITM with a mis-issued certificate (browsers have since dropped HPKP support, so do not rely on it in new deployments)
     - hsts: forces HTTPS connections
     - noCache: disables client-side caching
     - frameguard: protection against clickjacking (X-Frame-Options)
     - xssFilter: sets X-XSS-Protection (a legacy browser filter; CSP is the effective control against XSS)

  14. Helmet module

  15. Check header security
     - http://cyh.herokuapp.com/cyh
     - https://securityheaders.io/

  16. Express versions: https://www.shodan.io/search?query=express
     The default X-Powered-By header is what makes Express deployments searchable on Shodan.

  17. Disable X-Powered-By: avoid framework fingerprinting

  18. Disable X-Powered-By: use Helmet and its hide-powered-by plugin
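
The headers from slides 10, 13, 17 and 18 as one framework-free middleware. This is an added example, not code from the deck or from Helmet; it uses only the Node core response API (setHeader/removeHeader), so it can be mounted with app.use() in Express or called from a plain http.createServer handler. The CSP policy string is an assumed sample policy, and fakeResponse() is a stand-in for http.ServerResponse so the middleware can be exercised offline.

```javascript
'use strict';

// HSTS max-age is in seconds on the wire: one year.
const ONE_YEAR = 60 * 60 * 24 * 365;

// Assumed sample policy: same-origin resources only, no plugins, no framing.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "frame-ancestors 'none'",
].join('; ');

// Connect/Express-style middleware: (req, res, next).
function securityHeaders(req, res, next) {
  // Browsers that have seen this header refuse plain HTTP to the host for a year.
  res.setHeader('Strict-Transport-Security', `max-age=${ONE_YEAR}; includeSubDomains`);
  // Clickjacking: refuse to be framed at all.
  res.setHeader('X-Frame-Options', 'DENY');
  // Stop MIME sniffing, so an upload served as text/plain is never run as a script.
  res.setHeader('X-Content-Type-Options', 'nosniff');
  // Legacy browser XSS filter; harmless to send, but CSP is the real control.
  res.setHeader('X-XSS-Protection', '1; mode=block');
  res.setHeader('Content-Security-Policy', CSP);
  // Avoid framework fingerprinting: Express adds "X-Powered-By: Express" by default.
  res.removeHeader('X-Powered-By');
  if (typeof next === 'function') next();
}

// Minimal stand-in for http.ServerResponse (header names are case-insensitive).
function fakeResponse(initialHeaders) {
  const headers = Object.assign({}, initialHeaders);
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeaders() { return headers; },
  };
}

// Runs the middleware against a response that already carries X-Powered-By
// and returns the headers a client would see.
function demo() {
  const res = fakeResponse({ 'x-powered-by': 'Express' });
  securityHeaders({}, res, () => {});
  return res.getHeaders();
}
```

Mount it before any route (app.use(securityHeaders)) so every response, including error pages, carries the headers; then confirm with one of the checkers from slide 15.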

  19. Session management: https://www.npmjs.com/package/cookie-session
     Cookie options: secure, httpOnly, domain, path, expires

  20. httpOnly & secure: true

  21. Delete cookies from the browser cache
     // Set the Cache-Control header so that cookies are not cached
     app.use(function (req, res, next) {
       res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
       next();
     });
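
The cookie attributes from slides 19 to 21 built by hand, as an added example that is not code from the deck or from cookie-session. Secure and HttpOnly are on by default, so a cookie is only ever weakened by an explicit choice; the SameSite attribute goes beyond the slides (it post-dates the deck) and is included as the current default against CSRF through the session cookie. missingCookieFlags() is a review helper for checking a Set-Cookie value captured from a live response.

```javascript
'use strict';

// Returns the Set-Cookie header value for a session cookie.  Defaults are the
// safe ones: Secure (sent over HTTPS only) and HttpOnly (not readable from
// document.cookie, so an XSS cannot simply read the session id).
function buildSessionCookie(name, value, opts) {
  const o = Object.assign({ secure: true, httpOnly: true, path: '/' }, opts);
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (o.domain) parts.push(`Domain=${o.domain}`);
  if (o.path) parts.push(`Path=${o.path}`);
  if (o.expires instanceof Date) parts.push(`Expires=${o.expires.toUTCString()}`);
  if (o.secure) parts.push('Secure');
  if (o.httpOnly) parts.push('HttpOnly');
  // Not on the slides: SameSite keeps the cookie off cross-site POSTs.
  parts.push(`SameSite=${o.sameSite || 'Lax'}`);
  return parts.join('; ');
}

// Slide 21: tell shared caches never to store the Set-Cookie header(s).
function noCacheForCookies(res) {
  res.setHeader('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
}

// Lists the attributes a captured Set-Cookie value is missing.
function missingCookieFlags(setCookieValue) {
  const attrs = setCookieValue.split(';').map((s) => s.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  return missing;
}
```

With Express you would pass the same options object to cookie-session or express-session rather than writing the header yourself; the point of the builder is to make the default-safe choice visible.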

  22. XSS attacks. An attacker can exploit an XSS vulnerability to:
     - Steal session cookies / session hijacking
     - Redirect the user to malicious sites
     - Deface and manipulate content
     - Mount Cross-Site Request Forgery

  23. https://www.npmjs.com/package/csurf

  24. CSRF
     <form action="/process" method="POST">
       <input type="hidden" name="_csrf" value="{{csrfToken}}">
       <button type="submit">Submit</button>
     </form>

     // Expose the per-request token to the template; the local must be named
     // csrfToken to match the {{csrfToken}} placeholder above.
     app.use(function (request, response, next) {
       response.locals.csrfToken = request.csrfToken();
       next();
     });

  25. CSRF

  26. Filter/sanitize user input to avoid XSS attacks
     - https://www.npmjs.com/package/sanitizer
     - Module express-validator: https://www.npmjs.com/package/express-validator

  27. Validator

  28. Validator

  29. Validator

  30. Validator with regular expressions

  31. Regular expressions: https://www.npmjs.com/package/safe-regex
     Detects vulnerable regular expressions that can cause a DoS (catastrophic backtracking on crafted input)
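
Slides 26 to 31 together, as an added example that is not code from express-validator, sanitizer or safe-regex: a whitelist validator for a registration form, an HTML escaper for anything reflected back into a page, and a small star-height check in the spirit of safe-regex that flags patterns like /^(a+)+$/ whose nested quantifiers backtrack exponentially. The form fields and their rules are assumptions; the check is deliberately simple and reports "not obviously unsafe" rather than "safe".

```javascript
'use strict';

// Whitelist rules: anchored, bounded lengths, no nested quantifiers.
const RULES = {
  username: /^[a-z0-9_]{3,16}$/i,
  email: /^[^\s@]{1,64}@[^\s@]{1,255}$/,
  age: /^(?:[1-9]|[1-9][0-9]|1[01][0-9]|120)$/,
};

// Returns { ok, errors }; never throws on hostile or missing input.
function validateForm(body) {
  const errors = [];
  for (const [field, re] of Object.entries(RULES)) {
    const v = body[field];
    if (typeof v !== 'string' || !re.test(v)) errors.push(field);
  }
  return { ok: errors.length === 0, errors };
}

// Output encoding for HTML text and attribute contexts, the other half of
// XSS defence: validate on the way in, encode on the way out.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[c]);
}

// Simplified star-height check: true when a quantified group itself contains
// a quantifier (star height > 1), e.g. (a+)+ or (\d+\.)+.  Handles escapes
// and character classes; it does not model every regex feature.
function hasNestedQuantifier(pattern) {
  const src = pattern instanceof RegExp ? pattern.source : String(pattern);
  const groups = [];               // per open group: quantifier seen inside it?
  let inClass = false;
  let afterGroup = false;          // previous token was an unescaped ')'
  let closedGroupHadQuantifier = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') { i++; afterGroup = false; continue; }      // skip escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; afterGroup = false; continue; }
    if (c === '(') { groups.push(false); afterGroup = false; continue; }
    if (c === ')') { closedGroupHadQuantifier = groups.pop() === true; afterGroup = true; continue; }
    const isQuantifier = c === '*' || c === '+' || c === '{' ||
      (c === '?' && src[i - 1] !== '(');                        // "(?:" is not a quantifier
    if (!isQuantifier) { afterGroup = false; continue; }
    // The quantifier repeats the atom before it; if that atom is a group that
    // already repeats something, the pattern has nested repetition.
    if (afterGroup && closedGroupHadQuantifier) return true;
    for (let g = 0; g < groups.length; g++) groups[g] = true;  // enclosing groups now repeat
    if (c === '{') while (i < src.length && src[i] !== '}') i++;
    afterGroup = false;
  }
  return false;
}
```

Run hasNestedQuantifier() over your own RULES in a unit test so a risky pattern fails the build rather than the production event loop; for the real thing use safe-regex, which computes star height properly.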

  32. Node.js crypto: http://nodejs.org/api/crypto.html
     - Use require('crypto') to access this module
     - The crypto module requires OpenSSL
     require("crypto")
       .createHash("sha1")      // algorithm (SHA-1 is no longer collision resistant; use sha256 for new code)
       .update("cOdEmOtiOn")    // text
       .digest("hex");          // hexadecimal result

  33. bcrypt-node: https://github.com/kelektiv/node.bcrypt.js

  34. bcrypt-node

  35. bcrypt-node

  36. bcrypt-node

  37. Building a secure HTTPS server

  38. Building a secure HTTPS server
     - https://www.npmjs.com/package/https-redirect-server
     - https://www.npmjs.com/package/express-enforces-ssl
     - Redirect all traffic to HTTPS on a secure port

  39. Building a secure HTTPS server

  40. Building a secure HTTPS server
     var helmet = require("helmet");
     var ms = require("ms");
     // Send the HSTS header on all responses.  Helmet 2.x took maxAge in
     // milliseconds (hence ms()); current Helmet releases take seconds and
     // spell the option includeSubDomains.
     app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true }));

  41. Node Goat: http://nodegoat.herokuapp.com/tutorial

  42. Node Goat: https://github.com/OWASP/NodeGoat

  43. eval()

  44. eval() on GitHub

  45. eval() attacks: user input that reaches eval() runs as server-side code, e.g.
     res.end(require('fs').readdirSync('.').toString())
     res.end(require('fs').readdirSync('..').toString())

  46. Insecure Direct Object References: take the user id from the session instead of a request parameter
     var userId = req.session.userId;
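
The two NodeGoat issues from slides 43 to 46 side by side, as an added example (not NodeGoat's own code). parseContributionUnsafe() keeps the vulnerable pattern on purpose: eval() on a form field executes whatever the client submits, so the readdirSync payload from slide 45 works against it. parseContributionSafe() accepts only a bounded integer. allocationsFor() shows the IDOR fix from slide 46: the user id comes from the server-side session, and a client-supplied id is only honoured when it matches. The allocation table is constructed sample data.

```javascript
'use strict';

// VULNERABLE (kept as on the slides): arbitrary code execution from user input.
function parseContributionUnsafe(field) {
  return eval(field);  // "1+1" gives 2, but "process.exit()" kills the server
}

// FIXED: digits only, bounded range, no expression evaluation at all.
function parseContributionSafe(field) {
  if (typeof field !== 'string' || !/^\d{1,6}$/.test(field)) return null;
  const n = parseInt(field, 10);
  return n >= 0 && n <= 100000 ? n : null;
}

// Constructed sample data standing in for the database.
const ALLOCATIONS = {
  1: { stocks: 40, bonds: 40, funds: 20 },
  2: { stocks: 70, bonds: 10, funds: 20 },
};

// IDOR fix: authorize against req.session.userId, never against a client-
// controlled parameter.  Returns { status, body } as a handler would send.
function allocationsFor(req) {
  const userId = req.session && req.session.userId;
  if (!userId) return { status: 401, body: 'not logged in' };
  // If the client also names an id (the vulnerable pattern), it must be its own.
  const requested = req.params && req.params.userId;
  if (requested !== undefined && String(requested) !== String(userId)) {
    return { status: 403, body: 'forbidden' };
  }
  const data = ALLOCATIONS[userId];
  return data ? { status: 200, body: data } : { status: 404, body: 'not found' };
}
```

NodeJsScan (slide 64) and a simple grep for eval( are the quickest ways to find the first pattern in a code base; the second only shows up in a code review or an authorization test with two accounts.
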

  47. Tools
     - NSP
     - Require Safe
     - David
     - KrakenJS / Lusca middleware
     - Retire
     - snyk.io

  48. NSP: https://github.com/nodesecurity/nsp
     npm install -g nsp
     Analyzes package.json:
     nsp check --output summary
     (nsp has since been retired; npm 6 and later ship the equivalent check as npm audit.)

  49. NSP with Grunt: npm install -g grunt-nsp-package

  50. nsp execution

  51. nsp execution

  52. Project dependencies: https://david-dm.org/

  53. Project dependencies

  54. Project dependencies: npm install -g david

  55. https://snyk.io

  56. http://krakenjs.com/

  57. https://github.com/krakenjs/lusca

  58. Retire.js: http://retirejs.github.io/retire.js
     Detects components and JavaScript libraries with known vulnerabilities

  59. Retire.js

  60. Retire.js

  61. Retire.js

  62. Retire.js vulnerability repository: https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
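
How a dependency scanner such as nsp or Retire.js decides that an installed version falls inside an advisory's range, as an added example (not code from either tool). The repository below is a constructed sample in the shape of retire.js jsrepository.json entries (atOrAbove / below / severity / identifiers) for a fictitious package and names no real vulnerability; the package.json is constructed as well. Version ranges in package.json are resolved to the lowest version they allow, which is a simplification: a real scanner reads the lockfile or node_modules for the exact installed version.

```javascript
'use strict';

// Constructed sample, shaped like a retire.js repository entry.  Not a real advisory.
const SAMPLE_REPOSITORY = {
  'sample-pkg': {
    vulnerabilities: [
      { atOrAbove: '2.0.0', below: '2.1.4', severity: 'high',
        identifiers: { summary: 'constructed sample entry (not a real advisory)' } },
      { below: '1.0.3', severity: 'medium',
        identifiers: { summary: 'constructed sample entry (not a real advisory)' } },
    ],
  },
};

// Constructed sample package.json.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'sample-pkg': '2.1.0', 'other-lib': '^4.2.0' },
};

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Range semantics as in retire.js: atOrAbove is inclusive, below is exclusive.
function isAffected(version, vuln) {
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  if (vuln.below && compareVersions(version, vuln.below) >= 0) return false;
  return true;
}

// "^4.2.0" or "~1.2" resolve to the lowest version they allow (simplification).
function lowestVersion(spec) {
  const m = /(\d+(?:\.\d+){0,2})/.exec(spec);
  return m ? m[1] : null;
}

// Returns one finding per (dependency, matching advisory).
function audit(pkgJson, repository) {
  const findings = [];
  const deps = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  for (const [name, spec] of Object.entries(deps)) {
    const entry = repository[name];
    const version = lowestVersion(spec);
    if (!entry || !version) continue;
    for (const v of entry.vulnerabilities) {
      if (isAffected(version, v)) {
        findings.push({ name, version, severity: v.severity,
          summary: v.identifiers.summary, fixedIn: v.below });
      }
    }
  }
  return findings;
}
```

The boundary matters: a package at exactly the "below" version is fixed, so an off-by-one here silently hides or invents findings. Feed the real jsrepository.json (slide 62) and your lockfile into this shape and you have the core of what retire --node does.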

  63. Retire.js execution

  64. NodeJsScan: https://github.com/ajinabraham/NodeJsScan
     python NodeJsScan.py -d <dir>

  65. NodeJsScan rules: https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

  66. NodeJsScan

  67. Passport

  68. Passport

  69. https://github.com/jmortega/testing_nodejs_security

  70. GitHub repositories
     - https://github.com/cr0hn/vulnerable-node
     - https://github.com/rdegges/svcc-auth
     - https://github.com/strongloop/loopback-getting-started-intermediate

  71. References
     - https://blog.risingstack.com/node-js-security-checklist/
     - https://blog.risingstack.com/node-js-security-tips/
     - https://groups.google.com/forum/#!forum/nodejs-sec
     - https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
     - https://expressjs.com/en/advanced/security-updates.html
     - http://opensecurity.in/nodejsscan/
     - http://stackabuse.com/securing-your-node-js-app/

  72. Node security learning: https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

  73. Books