Testing NodeJS Security

jmortegac
November 18, 2016

Transcript

  1. Testing Node
    Security
    by @jmortegac
    NOV 18-19 · 2016

  2. Agenda
     Introduction to Node.js security
     Npm security packages
     Node Goat project
     Tools

  3. Node.js introduction
     JavaScript on the backend
     Built on Chrome's JavaScript runtime (V8)
     Node.js is based on an event loop
     Designed to be asynchronous
     Single thread
     Concurrent requests

  4. Security updates

  5. Security updates

  6. Find nodeJS vulnerabilities
     http://cve.mitre.org/find/

  7. Latest vulnerabilities
     https://nodesecurity.io/advisories

  8. NPM modules install

  9. Npm security packages
     Helmet
     express-session / cookie-session
     csurf
     express-validator
     bcrypt-node
     express-enforces-ssl

  10. Security HTTP Headers
     Strict-Transport-Security
     X-Frame-Options
     X-XSS-Protection
     X-Content-Type-Options
     Content-Security-Policy

  11. Helmet module
     https://www.npmjs.com/package/helmet

  12. Helmet module
     https://github.com/helmetjs/helmet

  13. Helmet module
     CSPContent-Security-Policy header
     hidePoweredBydeletes X-Powered-by header
     Hpkpprotection MITM
     Hstsforces https connections
     noCachedesactive client cache
     Frameguardprotection clickjacking
     xssFilterprotection XSS

  14. Helmet module

  15. Check headers security
     http://cyh.herokuapp.com/cyh
     https://securityheaders.io/

  16. Express versions
     https://www.shodan.io/search?query=express

  17. Disable x-powered-by
     Avoid framework fingerprinting

  18. Disable x-powered-by
     Use Helmet with its "hide-powered-by" plugin

  19. Sessions management
     https://www.npmjs.com/package/cookie-session
     secure
     httpOnly
     domain
     path
     expires

  20. httpOnly & secure:true

  21. Delete cookies from cache browser
    // Set cache control header to eliminate cookies from cache
    app.use(function (req, res, next) {
      res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
      next();
    });
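    The session-cookie attributes listed on slide 19 and the Cache-Control directive above fit together in one response. The block below is an added example and not cookie-session's code: it serializes a session cookie with those attributes (Secure and HttpOnly on by default), audits a Set-Cookie header for the two flags that matter most, and sends the no-cache directive alongside the cookie. The cookie name, value, domain and date are constructed for the example, and the response object is a stand-in for Express's.

```javascript
// Added example (not cookie-session's code): build and audit a session cookie.
const SESSION_COOKIE_DEFAULTS = { secure: true, httpOnly: true, path: '/' };

// RFC 6265 token characters for the cookie name.
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function serializeSessionCookie(name, value, options = {}) {
  const opts = { ...SESSION_COOKIE_DEFAULTS, ...options };
  if (!COOKIE_NAME.test(name)) throw new TypeError('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.httpOnly) parts.push('HttpOnly');   // not readable from script (XSS)
  if (opts.secure) parts.push('Secure');       // never sent over plain HTTP
  return parts.join('; ');
}

// Which hardening flags is a Set-Cookie header missing? Attribute names are case-insensitive.
function missingCookieFlags(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return ['HttpOnly', 'Secure'].filter((flag) => !attrs.includes(flag.toLowerCase()));
}

// The Cache-Control value from the slide: caches must not store the Set-Cookie headers.
const COOKIE_CACHE_CONTROL = 'no-cache="Set-Cookie, Set-Cookie2"';

function setSessionCookie(res, name, value, options) {
  res.setHeader('Set-Cookie', serializeSessionCookie(name, value, options));
  res.setHeader('Cache-Control', COOKIE_CACHE_CONTROL);
}

// Constructed demo: a fake response records the headers a real one would send.
function demo() {
  const store = {};
  const res = { setHeader(name, v) { store[name] = v; } };
  setSessionCookie(res, 'session', 'abc 123', {
    domain: 'example.test',
    expires: new Date(Date.UTC(2017, 0, 1)),
  });
  return store;
}
```

    Passing secure: false is the one option a developer should have to spell out, which is why the defaults lean the safe way; missingCookieFlags() run over a captured Set-Cookie header is a quick way to verify a deployed app.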

  22. XSS attacks
     An attacker can exploit XSS vulnerability to:
     Steal session cookies / session hijacking
     Redirect user to malicious sites
     Defacing and content manipulation
     Cross Site Request forgery

  23. https://www.npmjs.com/package/csurf

  24. CSRF

    app.use(function (request, response, next) {
      response.locals.csrftoken = request.csrfToken();
      next();
    });

  25. CSRF

  26. Filter/sanitize user input
     Avoid XSS attacks
     https://www.npmjs.com/package/sanitizer
     Module express-validator
     https://www.npmjs.com/package/express-validator

  27. Validator

  28. Validator

  29. Validator

  30. Validator with reg exp

  31. Regular expressions
     https://www.npmjs.com/package/safe-regex
     Detect vulnerable regular expressions that can cause DoS
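    The heuristic behind safe-regex is the pattern's "star height": how deeply quantifiers are nested. A height above 1, as in (a+)+, means the engine can backtrack exponentially on input that almost matches. The block below is an added example and not safe-regex's code: a small scanner that computes the star height of a JavaScript pattern and flags anything above 1. It treats escapes and character classes as single atoms, counts every quantifier (including ?) as a repetition, and is deliberately simplified; it is the kind of check to run over the validator patterns on the preceding slides.

```javascript
// Added example (not safe-regex's code): star height of a regex pattern.

// Length of the quantifier starting at src[i], or 0 if there is none.
function quantifierLength(src, i) {
  if (i >= src.length) return 0;
  let len = 0;
  if (src[i] === '*' || src[i] === '+' || src[i] === '?') {
    len = 1;
  } else if (src[i] === '{') {
    const m = /^\{\d+(,\d*)?\}/.exec(src.slice(i));   // {n}, {n,}, {n,m}
    if (m) len = m[0].length;
  }
  if (len > 0 && src[i + len] === '?') len += 1;        // lazy modifier
  return len;
}

function starHeight(pattern) {
  const src = pattern instanceof RegExp ? pattern.source : String(pattern);
  const stack = [{ max: 0 }];   // one frame per open group; [0] is the whole pattern
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    let atomHeight = 0;         // star height of the atom that ends at this position
    if (c === '\\') {
      i += 2;                   // escape sequence is one atom
    } else if (c === '[') {
      i += 1;                   // character class is one atom
      if (src[i] === '^') i += 1;
      while (i < src.length && src[i] !== ']') i += src[i] === '\\' ? 2 : 1;
      i += 1;
    } else if (c === '(') {
      stack.push({ max: 0 });
      i += 1;
      continue;
    } else if (c === ')') {
      if (stack.length === 1) throw new SyntaxError('unbalanced parenthesis');
      atomHeight = stack.pop().max;   // group inherits the height of its contents
      i += 1;
    } else {
      i += 1;                   // literal, ., ^, $, |, or the ? in (?:...)
    }
    const q = quantifierLength(src, i);
    if (q > 0) { atomHeight += 1; i += q; }   // quantified atom adds one level
    const top = stack[stack.length - 1];
    if (atomHeight > top.max) top.max = atomHeight;
  }
  if (stack.length !== 1) throw new SyntaxError('unbalanced parenthesis');
  return stack[0].max;
}

// Same verdict safe-regex gives for nested quantifiers: height > 1 is unsafe.
function isSafeRegex(pattern) {
  return starHeight(pattern) <= 1;
}
```

    Star height is a necessary-but-not-sufficient check: a pattern such as (a|aa)+ has height 1 yet still backtracks badly, so treat a "safe" verdict as a screen, not a proof.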

  32. NodeJS Crypto
     http://nodejs.org/api/crypto.html
     Use require('crypto') to access this module
     The crypto module requires OpenSSL
    require("crypto")
      .createHash("sha1")    // algorithm
      .update("cOdEmOtiOn")  // text
      .digest("hex");        // hexadecimal result

  33. Bcrypt-node
     https://github.com/kelektiv/node.bcrypt.js

  34. Bcrypt-node

  35. Bcrypt-node

  36. Bcrypt-node

  37. Building a secure HTTPS server

  38. Building a secure HTTPS server
     https://www.npmjs.com/package/https-redirect-server
     https://www.npmjs.com/package/express-enforces-ssl
     Redirect all traffic to HTTPS and a secure port

  39. Building a secure HTTPS server

  40. Building a secure HTTPS server
    var helmet = require("helmet");
    var ms = require("ms");
    app.use(helmet.hsts({
      maxAge: ms("1 year"),
      includeSubdomains: true
    }));
     Send the HSTS header for all requests
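    Slides 38 to 40 describe two pieces: redirect plain-HTTP traffic to HTTPS on the secure port, then tell browsers to stay on HTTPS. The block below is an added example and not the code of https-redirect-server, express-enforces-ssl or Helmet: a plain-Node middleware that 301-redirects GET and HEAD requests to the HTTPS origin, refuses other methods over HTTP rather than silently dropping their bodies (a design choice of this example), and sets Strict-Transport-Security only on responses that actually travelled over TLS, since browsers ignore the header over HTTP. The max-age directive is defined in seconds, so one year is computed directly instead of with the ms package on the slide. The x-forwarded-proto handling is for deployments behind a TLS-terminating proxy and is only trusted when asked; the request and response objects in simulate() are constructed stand-ins.

```javascript
// Added example (not https-redirect-server, express-enforces-ssl or Helmet code):
// redirect HTTP to HTTPS and send HSTS on TLS responses.

const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;   // 31536000; HSTS max-age is in seconds

function hstsHeaderValue(maxAgeSeconds = ONE_YEAR_SECONDS, includeSubDomains = true) {
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  return includeSubDomains ? `max-age=${maxAgeSeconds}; includeSubDomains` : `max-age=${maxAgeSeconds}`;
}

// Build the HTTPS Location for a request that arrived over plain HTTP.
function httpsRedirectLocation(hostHeader, url, securePort = 443) {
  const hostname = String(hostHeader).split(':')[0];          // drop any port in the Host header
  const port = securePort === 443 ? '' : `:${securePort}`;
  return `https://${hostname}${port}${url}`;
}

// Did the request arrive over TLS? The socket is authoritative; the proxy header
// is only consulted when the app is known to sit behind a TLS-terminating proxy.
function isSecureRequest(req, trustProxy = false) {
  if (req.socket && req.socket.encrypted) return true;
  if (trustProxy) {
    const proto = req.headers && req.headers['x-forwarded-proto'];
    return typeof proto === 'string' && proto.split(',')[0].trim() === 'https';
  }
  return false;
}

function enforceHttps({ securePort = 443, trustProxy = false } = {}) {
  return function (req, res, next) {
    if (isSecureRequest(req, trustProxy)) {
      res.setHeader('Strict-Transport-Security', hstsHeaderValue());
      return next();
    }
    if (req.method !== 'GET' && req.method !== 'HEAD') {
      res.statusCode = 403;              // a redirected POST would lose its body; refuse instead
      return res.end('use https');
    }
    res.statusCode = 301;
    res.setHeader('Location', httpsRedirectLocation(req.headers.host, req.url, securePort));
    return res.end();
  };
}

// Drive the middleware with a constructed request; returns what the client would see.
function simulate(req, options = { securePort: 8443, trustProxy: true }) {
  const headers = {};
  const res = { statusCode: 200, setHeader(n, v) { headers[n] = v; }, end() {} };
  let nextCalled = false;
  enforceHttps(options)(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, headers, nextCalled };
}
```

    Register it first with app.use(enforceHttps({ securePort: 443 })) so no route ever answers over HTTP; leave trustProxy off unless a proxy in front of the app strips and re-sets x-forwarded-proto, because a client can send that header itself.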

  41. Node Goat
     http://nodegoat.herokuapp.com/tutorial

  42. Node Goat
     https://github.com/OWASP/NodeGoat

  43. EVAL()

  44. EVAL() on github

  45. EVAL() ATTACKS
    res.end(require('fs').readdirSync('.').toString())
    res.end(require('fs').readdirSync('..').toString())

  46. Insecure Direct Object References
     Use session instead of request param
     var userId = req.session.userId;

  47. Tools
     NSP
     Require Safe
     David
     KrakenJS / Lusca middleware
     Retire
     snyk.io

  48. NSP
     https://github.com/nodesecurity/nsp
     npm install -g nsp
     Analyze package.json
     nsp check --output summary

  49. NSP with Grunt
     npm install -g grunt-nsp-package

  50. Nsp execution

  51. Nsp execution

  52. Project dependencies
     https://david-dm.org/

  53. Project dependencies

  54. Project dependencies
     npm install -g david

  55. https://snyk.io

  56. http://krakenjs.com/

  57. https://github.com/krakenjs/lusca

  58. Retire.js
     http://retirejs.github.io/retire.js
     Detecting components and JS libraries with known vulnerabilities

  59. Retire.js

  60. Retire.js

  61. Retire.js

  62. Retire.js
     https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json

  63. Retire.js execution

  64. NodeJsScan
     https://github.com/ajinabraham/NodeJsScan
    python NodeJsScan.py -d

  65. NodeJsScan
    https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

  66. NodeJsScan

  67. Passport

  68. Passport

  69. https://github.com/jmortega/testing_nodejs_security

  70. GitHub repositories
     https://github.com/cr0hn/vulnerable-node
     https://github.com/rdegges/svcc-auth
     https://github.com/strongloop/loopback-getting-started-intermediate

  71. References
     https://blog.risingstack.com/node-js-security-checklist/
     https://blog.risingstack.com/node-js-security-tips/
     https://groups.google.com/forum/#!forum/nodejs-sec
     https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
     https://expressjs.com/en/advanced/security-updates.html
     http://opensecurity.in/nodejsscan/
     http://stackabuse.com/securing-your-node-js-app/

  72. Node security learning
     https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

  73. Books
