Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Testing NodeJS Security
Search
jmortegac
November 18, 2016
Programming
1
350
Testing NodeJS Security
Testing NodeJS Security
jmortegac
November 18, 2016
Tweet
Share
More Decks by jmortegac
See All by jmortegac
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
0
17
Seguridad de APIs en Drupal: herramientas, mejores prácticas y estrategias para asegurar las APIs
jmortega
1
17
Security and auditing tools in Large Language Models (LLM)
jmortega
1
23
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaciones
jmortega
0
31
Asegurando tus APIs: Explorando el OWASP Top 10 de Seguridad en APIs
jmortega
1
58
PyGoat: Analizando la seguridad en aplicaciones Django
jmortega
1
160
Evolution of security strategies in K8s environments- All day devops
jmortega
1
52
Ciberseguridad en Blockchain y Smart Contracts: Explorando los desafíos y soluciones
jmortega
1
84
Evolution of security strategies in K8s environments
jmortega
1
41
Other Decks in Programming
See All in Programming
CSC305 Lecture 25
javiergs
PRO
0
130
CSC509 Lecture 14
javiergs
PRO
0
130
【re:Growth 2024】 Aurora DSQL をちゃんと話します!
maroon1st
0
770
今年一番支援させていただいたのは認証系サービスでした
satoshi256kbyte
1
250
コンテナをたくさん詰め込んだシステムとランタイムの変化
makihiro
1
120
menu基盤チームによるGoogle Cloudの活用事例~Application Integration, Cloud Tasks編~
yoshifumi_ishikura
0
110
.NET 9アプリをCGIとして レンタルサーバーで動かす
mayuki
1
770
RWC 2024 DICOM & ISO/IEC 2022
m_seki
0
200
ゆるやかにgolangci-lintのルールを強くする / Kyoto.go #56
utgwkk
1
350
わたしの星のままで一番星になる ~ 出産を機にSIerからEC事業会社に転職した話 ~
kimura_m_29
0
180
useSyncExternalStoreを使いまくる
ssssota
6
1k
fs2-io を試してたらバグを見つけて直した話
chencmd
0
220
Featured
See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.9k
Building a Modern Day E-commerce SEO Strategy
aleyda
38
7k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
247
1.3M
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.4k
GraphQLとの向き合い方2022年版
quramy
44
13k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
KATA
mclloyd
29
14k
Six Lessons from altMBA
skipperchong
27
3.5k
We Have a Design System, Now What?
morganepeng
51
7.3k
Transcript
Testing Node Security by @jmortegac NOV 18-19 · 2016
Agenda Introduction nodejS security Npm security packages
Node Goat project Tools
nodeJS introduction JavaScript in the backend Built on
Chrome´s Javascript runtime(V8) NodeJs is based on event loop Designed to be asynchronous Single Thread Concurrent requests.
Security updates
Security updates
Find nodeJS vulnerabilities http://cve.mitre.org/find/
Last vulnerabilities https://nodesecurity.io/advisories
NPM modules install
Npm security packages Helmet express-session / cookie-session
csurf express-validator bcrypt-node express-enforces-ssl
Security HTTP Headers Strict-Transport-Security X-Frame-Options X-XSS-Protection
X-Content-Type-Options Content-Security-Policy
Helmet module https://www.npmjs.com/package/helmet
Helmet module https://github.com/helmetjs/helmet
Helmet module CSPContent-Security-Policy header hidePoweredBydeletes X-Powered-by header
Hpkpprotection MITM Hstsforces https connections noCachedesactive client cache Frameguardprotection clickjacking xssFilterprotection XSS
Helmet module
Check headers security http://cyh.herokuapp.com/cyh https://securityheaders.io/
Express versions https://www.shodan.io/search?query=express
Disable x-powered-by Avoid framework fingerprinting
Disable x-powered-by Use Helmet and use “hide-powered-by” plugin
Sessions management https://www.npmjs.com/package/cookie-session secure httpOnly domain
path expires
httpOnly & secure:true
Delete cookies from cache browser // Set cache control header
to eliminate cookies from cache app.use(function (req, res, next) { res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"'); next(); });
XSS attacks An attacker can exploit XSS vulnerability to:
Steal session cookies/Sesion hijacking Redirect user to malicious sites Defacing and content manipulation Cross Site Request forgery
https://www.npmjs.com/package/csurf
CSRF <form action="/process" method="POST"> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button>
</form> app.use(function (request, response, next) { response.locals.csrftoken = request.csrfToken(); next(); });
CSRF
Filter/sanitize user input Avoid XSS attacks https://www.npmjs.com/package/sanitizer
Module express-validator https://www.npmjs.com/package/express-validator
Validator
Validator
Validator
Validator with reg exp
Regular expressions https://www.npmjs.com/package/safe-regex Detect vulnerable regular expressions that
can cause DoS
NodeJS Crypto http://nodejs.org/api/crypto.html Use require(‘crypto’) to access this
module The crypto module requires OpenSSL require("crypto") .createHash("sha1") //algorithm .update(“cOdEmOtiOn") //text .digest("hex"); //hexadecimal result
Bcrypt-node https://github.com/kelektiv/node.bcrypt.js
Bcrypt-node
Bcrypt-node
Bcrypt-node
Building a secure HTTPS server
Building a secure HTTPS server https://www.npmjs.com/package/https-redirect-server https://www.npmjs.com/package/express-enforces-ssl
Redirect all traffic to https and a secure port
Building a secure HTTPS server
Building a secure HTTPS server var helmet = require("helmet"); var
ms = require("ms"); app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true })); Send hsts header for all requests
Node Goat http://nodegoat.herokuapp.com/tutorial
Node Goat https://github.com/OWASP/NodeGoat
EVAL()
EVAL() on github
EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString()) res.end(require('fs').readdirSync('..').toString())
Insecure Direct Object References Use session instead of request
param var userId = req.session.userId;
Tools NSP Require Safe David KrakenJS
/ Lusca middleware Retire snyk.io
NSP https://github.com/nodesecurity/nsp npm install -g nsp Analyze
package.json nsp check --output summary
NSP with Grunt npm install –g grunt-nsp-package
Nsp execution
Nsp execution
Project dependences https://david-dm.org/
Project dependences
Project dependences npm install –g david
https://snyk.io
http://krakenjs.com/
https://github.com/krakenjs/lusca
Retire.js http://retirejs.github.io/retire.js Detecting components and js libraries with
known vulnerabilities
Retire.js
Retire.js
Retire.js
Retire.js https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
Retire.js execution
NodeJsScan https://github.com/ajinabraham/NodeJsScan python NodeJsScan.py -d <dir>
NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
NodeJsScan
Passport
Passport
https://github.com/jmortega/testing_nodejs_security
GitHub repositories https://github.com/cr0hn/vulnerable-node https://github.com/rdegges/svcc-auth https://github.com/strongloop/loopback-getting-started- intermediate
References https://blog.risingstack.com/node-js-security-checklist/ https://blog.risingstack.com/node-js-security-tips/ https://groups.google.com/forum/#!forum/nodejs-sec https://nodejs.org/en/blog/vulnerability/september-2016- security-releases/
https://expressjs.com/en/advanced/security-updates.html http://opensecurity.in/nodejsscan/ http://stackabuse.com/securing-your-node-js-app/
Node security learning https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books