Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Testing NodeJS Security
Search
jmortegac
November 18, 2016
Programming
1
360
Testing NodeJS Security
Testing NodeJS Security
jmortegac
November 18, 2016
Tweet
Share
More Decks by jmortegac
See All by jmortegac
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
jmortega
0
34
Seguridad de APIs en Drupal: herramientas, mejores prácticas y estrategias para asegurar las APIs
jmortega
1
28
Security and auditing tools in Large Language Models (LLM)
jmortega
1
38
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaciones
jmortega
0
38
Asegurando tus APIs: Explorando el OWASP Top 10 de Seguridad en APIs
jmortega
1
80
PyGoat: Analizando la seguridad en aplicaciones Django
jmortega
1
170
Evolution of security strategies in K8s environments- All day devops
jmortega
1
57
Ciberseguridad en Blockchain y Smart Contracts: Explorando los desafíos y soluciones
jmortega
1
93
Evolution of security strategies in K8s environments
jmortega
1
46
Other Decks in Programming
See All in Programming
CloudRun, Spanner に対する負荷試験の反省と オブザーバビリティによるアプローチ
oyasumipants
1
160
クックパッド検索システム統合/Cookpad Search System Consolidation
giga811
0
140
Serverless Rust: Your Low-Risk Entry Point to Rust in Production (and the benefits are huge)
lmammino
1
160
『テスト書いた方が開発が早いじゃん』を解き明かす #phpcon_nagoya
o0h
PRO
9
2.6k
Expoによるアプリ開発の現在地とReact Server Componentsが切り開く未来
yukukotani
1
220
Duke on CRaC with Jakarta EE
ivargrimstad
0
130
Rubyと自由とAIと
yotii23
6
1.9k
はじめての Go * WASM * OCR
sgash708
1
120
AIレビュー導入によるCIツールとの共存と最適化
kamo26sima
1
620
ABEMA iOS 大規模プロジェクトにおける段階的な技術刷新 / ABEMA iOS Technology Upgrade
akkyie
1
240
Boos Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
620
ナレッジイネイブリングにAIを活用してみる ゆるSRE勉強会 #9
nealle
0
170
Featured
See All Featured
It's Worth the Effort
3n
184
28k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Side Projects
sachag
452
42k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
A Tale of Four Properties
chriscoyier
158
23k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.4k
Raft: Consensus for Rubyists
vanstee
137
6.8k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.2k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.2k
Music & Morning Musume
bryan
46
6.4k
Transcript
Testing Node Security by @jmortegac NOV 18-19 · 2016
Agenda Introduction nodejS security Npm security packages
Node Goat project Tools
nodeJS introduction JavaScript in the backend Built on
Chrome´s Javascript runtime(V8) NodeJs is based on event loop Designed to be asynchronous Single Thread Concurrent requests.
Security updates
Security updates
Find nodeJS vulnerabilities http://cve.mitre.org/find/
Last vulnerabilities https://nodesecurity.io/advisories
NPM modules install
Npm security packages Helmet express-session / cookie-session
csurf express-validator bcrypt-node express-enforces-ssl
Security HTTP Headers Strict-Transport-Security X-Frame-Options X-XSS-Protection
X-Content-Type-Options Content-Security-Policy
Helmet module https://www.npmjs.com/package/helmet
Helmet module https://github.com/helmetjs/helmet
Helmet module CSPContent-Security-Policy header hidePoweredBydeletes X-Powered-by header
Hpkpprotection MITM Hstsforces https connections noCachedesactive client cache Frameguardprotection clickjacking xssFilterprotection XSS
Helmet module
Check headers security http://cyh.herokuapp.com/cyh https://securityheaders.io/
Express versions https://www.shodan.io/search?query=express
Disable x-powered-by Avoid framework fingerprinting
Disable x-powered-by Use Helmet and use “hide-powered-by” plugin
Sessions management https://www.npmjs.com/package/cookie-session secure httpOnly domain
path expires
httpOnly & secure:true
Delete cookies from cache browser // Set cache control header
to eliminate cookies from cache app.use(function (req, res, next) { res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"'); next(); });
XSS attacks An attacker can exploit XSS vulnerability to:
Steal session cookies/Sesion hijacking Redirect user to malicious sites Defacing and content manipulation Cross Site Request forgery
https://www.npmjs.com/package/csurf
CSRF <form action="/process" method="POST"> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button>
</form> app.use(function (request, response, next) { response.locals.csrftoken = request.csrfToken(); next(); });
CSRF
Filter/sanitize user input Avoid XSS attacks https://www.npmjs.com/package/sanitizer
Module express-validator https://www.npmjs.com/package/express-validator
Validator
Validator
Validator
Validator with reg exp
Regular expressions https://www.npmjs.com/package/safe-regex Detect vulnerable regular expressions that
can cause DoS
NodeJS Crypto http://nodejs.org/api/crypto.html Use require(‘crypto’) to access this
module The crypto module requires OpenSSL require("crypto") .createHash("sha1") //algorithm .update(“cOdEmOtiOn") //text .digest("hex"); //hexadecimal result
Bcrypt-node https://github.com/kelektiv/node.bcrypt.js
Bcrypt-node
Bcrypt-node
Bcrypt-node
Building a secure HTTPS server
Building a secure HTTPS server https://www.npmjs.com/package/https-redirect-server https://www.npmjs.com/package/express-enforces-ssl
Redirect all traffic to https and a secure port
Building a secure HTTPS server
Building a secure HTTPS server var helmet = require("helmet"); var
ms = require("ms"); app.use(helmet.hsts({ maxAge: ms("1 year"), includeSubdomains: true })); Send hsts header for all requests
Node Goat http://nodegoat.herokuapp.com/tutorial
Node Goat https://github.com/OWASP/NodeGoat
EVAL()
EVAL() on github
EVAL() ATTACKS res.end(require('fs').readdirSync('.').toString()) res.end(require('fs').readdirSync('..').toString())
Insecure Direct Object References Use session instead of request
param var userId = req.session.userId;
Tools NSP Require Safe David KrakenJS
/ Lusca middleware Retire snyk.io
NSP https://github.com/nodesecurity/nsp npm install -g nsp Analyze
package.json nsp check --output summary
NSP with Grunt npm install –g grunt-nsp-package
Nsp execution
Nsp execution
Project dependences https://david-dm.org/
Project dependences
Project dependences npm install –g david
https://snyk.io
http://krakenjs.com/
https://github.com/krakenjs/lusca
Retire.js http://retirejs.github.io/retire.js Detecting components and js libraries with
known vulnerabilities
Retire.js
Retire.js
Retire.js
Retire.js https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json
Retire.js execution
NodeJsScan https://github.com/ajinabraham/NodeJsScan python NodeJsScan.py -d <dir>
NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
NodeJsScan
Passport
Passport
https://github.com/jmortega/testing_nodejs_security
GitHub repositories https://github.com/cr0hn/vulnerable-node https://github.com/rdegges/svcc-auth https://github.com/strongloop/loopback-getting-started- intermediate
References https://blog.risingstack.com/node-js-security-checklist/ https://blog.risingstack.com/node-js-security-tips/ https://groups.google.com/forum/#!forum/nodejs-sec https://nodejs.org/en/blog/vulnerability/september-2016- security-releases/
https://expressjs.com/en/advanced/security-updates.html http://opensecurity.in/nodejsscan/ http://stackabuse.com/securing-your-node-js-app/
Node security learning https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books