Upgrade to Pro — share decks privately, control downloads, hide ads and more …

enterJS 2014 - Securing your Node.js & Single Page Apps

Mark Stuart
July 01, 2014
Programming
4
610

enterJS 2014 - Securing your Node.js & Single Page Apps

Securing your Node.js & Single Page Apps

Mark Stuart

July 01, 2014
Tweet

More Decks by Mark Stuart

See All by Mark Stuart
JS@PayPal 2015 - Insanely fast rendering w/ Service Workers and Early Flushing
mstuart
0
780
Splitting up 8Ball and building/sharing components
mstuart
0
85
Midwest JS 2014 - Securing your Node.js & Single Page Apps
mstuart
2
340
HTML5DevConf 2014 - Securing your JavaScript apps
mstuart
0
180

Other Decks in Programming

See All in Programming
Folding Cheat Sheet #2
philipschwarz
PRO
0
110
元気予報
suu_mire0726
0
860
Micro Frontends for Java Microservices - Devnexus 2024
mraible
PRO
0
430
SwiftUI Performance 不要なViewの再描画と更新を抑える
bigamitiongit
1
160
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130
Semantic search with Django and pgvector
pauloxnet
0
240
Ruby Function Composition
bkuhlmann
1
330
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
4
580
CQRS/ES avec Symfony, c’est (trop) bien !
jeremyfreeagent
1
630
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
0
160
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
100
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
180

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
397
65k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Practical Orchestrator
shlominoach
181
9.7k
How GitHub (no longer) Works
holman
304
140k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Faster Mobile Websites
deanohume
297
30k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
BBQ
matthewcrist
80
8.7k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
The Pragmatic Product Professional
lauravandoore
24
5.8k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k

Transcript

  1. Securing Your Node.js & Single Page Apps

  2. @mark_stuart @mstuart

  3. How are you using JavaScript?

  4. So, why security?

  5. None
  6. None
  7. None

  8. Not just PayPal, but your company too.

  9. None
  10. None
  11. None

  12. Web Security State of the Union 2014

  13. Same vulnerabilities. Nothing new.

  14. ok cya.

  15. Same vulnerabilities. Different beast.

  16. Node

  17. Know what you require() Rule #1 ! ! !

  18. npm has ~80,000 modules

  19. modulecounts.com

  20. Really great developer ecosystem, except…

  21. Anyone can publish anything

  22. Node is still JavaScript Rule #2 ! ! !

  23. Client-side vulnerabilities still exist on the server-side

  24. Eval is still evil

  25. Do not run as root Rule #2 ! ! !

  26. Running as root is wreckless

  27. If you’re compromised, terrible things could happen

  28. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  29. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  30. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  31. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  32. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  33. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  34. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  35. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  36. Ok, so if not root, then what?

  37. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  38. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  39. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  40. Use good security defaults Rule #3 ! ! !

  41. Node is a set of barebones modules

  42. HTTP OS DNS TLS/SSL Path Process UDP URL File System

    Crypto Buffer

  43. Express is a barebones framework

  44. Express does very little to secure your app

  45. But, that’s okay!

  46. … drum roll …

  47. None

  48. Enterprise-grade Express "

  49. Lusca App Security module for Express

  50. var express = require(‘express’), app = express(), lusca = require(‘lusca’);

  51. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  52. Pardon the interruption

  53. CSRF

  54. Trick victim’s browser into making malicious requests CSRF

  55. All you need is a valid cookie CSRF

  56. CSRF # Victim yoursite.com " Cookie

  57. CSRF # Victim hackedsite.com Cookie yoursite.com

  58. CSRF <form name=“someHiddenForm” action=“http://yoursite.com/webapps/ transferFunds”> <input type=“hidden” name=“amount” value=“500.00” />

    <input type=“hidden” name=“recipient” value=“[email protected]” /> </form> ! <script>document.forms.someHiddenForm.submit();</script>

  59. It’s a simple HTTP request. CSRF

  60. If only we had a way to ensure requests were

    legitimate… CSRF

  61. lusca.csrf();

  62. Token synchronizer pattern lusca.csrf();

  63. 1. Creates a random token (using some crazy crypto libraries)

    lusca.csrf();

  64. 2. Adds token to res.locals lusca.csrf();

  65. 3. Dump token on the page <input type=“hidden” name=“csrf” value=“{{_csrf}}”

    /> lusca.csrf();

  66. 4. Send token with every POST, PUT, DELETE request lusca.csrf();

  67. $.ajaxPrefilter(function(options, _, xhr) { if (!xhr.crossDomain) { xhr.setRequestHeader('X-CSRF-Token', csrfToken); }

    }); lusca.csrf();

  68. 5. Verify token is correct, otherwise return 403. lusca.csrf();

  69. CSP

  70. CSP is really awesome.

  71. It’s basically a whitelist.

  72. Content-Security-Policy: default-src 'self' https://*.your-cdn.com; script-src 'self' https://*.your-cdn.com; img-src https://*.your-cdn.com data:;

    object-src 'self'; font-src 'self' https://*.googlefonts.com; connect-src … frame-src … style-src … media-src …
  73. None

  74. lusca.csp( { /* … */ } );

  75. lusca.csp({ "default-src": "'self' https://*.your-cdn.com”, "script-src": “'self' https://*.your-cdn.com”, "img-src": “https://*.your-cdn.com data:”,

    "font-src": “‘self’", “report-uri”: “https://mysite.com/cspReporter” });

  76. “report-uri”: “https://mysite.com/cspReporter”

  77. lusca.hsts();

  78. lusca.hsts(); Ensures HTTPS traffic

  79. Helps prevent MITM attacks lusca.hsts();

  80. lusca.xframe();

  81. lusca.xframe(); Prevent others from loading your app in an iframe

  82. None

  83. app.use(lusca.xssProtection()); app.use(lusca.p3p());

  84. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  85. Okay, now where were we?

  86. HTTPOnly cookies

  87. Prevents session hijacking HTTPOnly cookies

  88. app.use(express.session({ secret: ‘0m6!s3cr37’, cookie: { httpOnly: true, secure: true },

    })); HTTPOnly cookies

  89. Set-Cookie:! connect.sid=%3AbzLqvcp7DnQJMaLAPmJ7p; ! Path=/; Expires=Wed, 21 May 2014 18:26:44 GMT;

    HttpOnly HTTPOnly cookies

  90. Handle errors, or crash. Rule #4 ! ! !

  91. ! Wed, 21 May 2014 18:49:00 GMT ! uncaughtException Object

    #<Object> has no method ‘forEach'! ! TypeError: Object #<Object> has no method 'forEach'! at module.exports.fetchSettings (/Users/marstuart/oddjob/helpers.js:174:18)! ! Process finished with exit code 1!

  92. Basically, a DOS attack

  93. Catch them or restart

  94. Scan for vulnerable modules Rule #6 ! ! !

  95. Node Security Project http://nodesecurity.io

  96. Audit all modules in npm

  97. Contribute patches

  98. None

  99. Educate others

  100. npm install grunt-nsp-package --save-dev grunt validate-package

  101. None

  102. Define custom rules ESLint

  103. Security can be automated

  104. Make it a part of your CI

  105. Update your dependencies Rule #7 ! ! !

  106. Add a badge to your README

  107. None
  108. None

  109. david-dm.org <img src=“https://david-dm.org/username/repo.png” />

  110. Let’s recap…

  111. 1. Know what you require() 2. Node is still JavaScript

    3. Do not run as root 3. Use good security defaults 4. Security can be automated, too!

  112. Client-side JS

  113. Escape everything. Rule #1 ! ! !

  114. Content injection

  115. XSS sucks. It’s everywhere.

  116. <script src=“http://hacker.com/session-hijacker.js”></script> &lt;script src=&#39;http://hacker.com/ sessionhijacker.js&#39;&gt;&lt;/script&gt;

  117. User input and backend data

  118. Don’t trust backend services to escape properly

  119. Persistent or Stored XSS

  120. # Attacker yoursite.com PUT /account/edit { firstName: ‘<script>…’ } #

    Victim # Victim <script>…</script> GET /addressBook <script>…</script> GET /addressBook yoursite.com yoursite.com

  121. Case Study: TweetDeck worm

  122. TweetDeck worm

  123. TweetDeck worm

  124. Just one tweet. TweetDeck worm

  125. Just two weeks ago. TweetDeck worm

  126. … So how do I escape?

  127. DOMPurify and Google Caja

  128. <script src=“dompurify.js"></script> DOMPurify Plain ol’ JavaScript var clean = DOMPurify.sanitize(dirty);

  129. require(['dompurify'], function(DOMPurify) { var clean = DOMPurify.sanitize(dirty); }); DOMPurify RequireJS

    / AMD

  130. var DOMPurify = require(‘dompurify’); var clean = DOMPurify.sanitize(dirty); DOMPurify Node

    npm install dompurify

  131. Know your templating library. Rule #2 ! ! !

  132. Use it properly.

  133. Underscore templates

  134. <input type=“text” name=“zipCode” value=“<%- zipCode %>” /> <input type=“text” name=“zipCode”

    value=“<%= zipCode %>” />

  135. Dust.js templates

  136. {@if cond=“{cardType} === ‘VISA’”} <li class=“visa”></li> {/if}

  137. {@if cond=“{zipCode} === {defaultZipCode}”} <li class=“default”></li> {/if} { “zipCode”: “\\”,

    “defaultZipCode”: “);process.exit();//“ }

  138. Your server crashed. $

  139. Upgrade your front-end dependencies. Rule #3 ! ! !

  140. Retire.js

  141. jQuery <1.9.0 jQuery Mobile <1.0.1 Backbone <0.5.0 Angular <1.2.0 Handlebars

    <1.0.0 YUI <3.5.0 Ember <1.3.0 Mustache <0.3.1

  142. Running "retire:jsPath" (retire) task! ! >> test-files/jquery-1.6.js! >> ↳ jquery

    1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/ vuln/detail?vulnId=CVE-2011-4969! ! >> Aborted due to warnings. npm install grunt-retire --save-dev grunt retire

  143. Automate it!

  144. C’mon, it’s 1 line.

  145. Rules of Thumb

  146. No matter what you do, someone will always find a

    way in

  147. But, you’ll get 80% there if you…

  148. Choose libraries with good security defaults. ! ! !

  149. Sanitize data coming in and going out. ! ! !

  150. Update your dependencies! ! ! !

  151. Automate security, too. ! ! !

  152. Ok.

  153. Ok. so,

  154. Ok. so, listen…

  155. Node is awesome.

  156. It’s enterprise ready.

  157. We just need to write better, more secure apps.

  158. thanks!

  159. We’re hiring! (we have an office in Berlin, too!)

  160. mark stuart @mark_stuart @mstuart

  161. Links https://github.com/nodesecurity/grunt-nsp-package https://github.com/bekk/grunt-retire https://nodesecurity.io/ https://github.com/evilpacket/helmet http://krakenjs.com/ https://github.com/krakenjs/lusca https://david-dm.org/ https://www.owasp.org/index.php/Cross-Site