enterJS 2014 - Securing your Node.js & Single Page Apps

Securing
Your
Node.js &
Single Page Apps

View Slide

@mark_stuart
@mstuart

View Slide

How are you
using JavaScript?

View Slide

So, why security?

View Slide

View Slide

Not just PayPal,
but your company too.

View Slide

View Slide

Web Security
State of the Union
2014

View Slide

Same vulnerabilities.
Nothing new.

View Slide

ok cya.

View Slide

Same vulnerabilities.
Different beast.

View Slide

Node

View Slide

Know what you require()
Rule #1 !
!
!

View Slide

npm has ~80,000 modules

View Slide

modulecounts.com

View Slide

Really great developer
ecosystem, except…

View Slide

Anyone can publish anything

View Slide

Node is still JavaScript
Rule #2 !
!
!

View Slide

Client-side vulnerabilities
still exist on the server-side

View Slide

Eval is still evil

View Slide

Do not run as root
Rule #2 !
!
!

View Slide

Running as root is wreckless

View Slide

If you’re compromised,
terrible things could happen

View Slide

Steal SSH keys or conﬁgs
Read/write ﬁles Execute
binaries Cause server to hang
Tamper with routes Inject XSS
Steal session data Crash server

View Slide

Ok, so if not root, then what?

View Slide

Create a user for node
with restricted permissions
!
(plenty of docs out there)

View Slide

Use good security defaults
Rule #3 !
!
!

View Slide

Node is a set of
barebones modules

View Slide

HTTP
OS DNS
TLS/SSL
Path
Process
UDP URL
File System Crypto Buffer

View Slide

Express is a
barebones framework

View Slide

Express does very
little to secure your app

View Slide

But, that’s okay!

View Slide

… drum roll …

View Slide

View Slide

Enterprise-grade
Express "

View Slide

Lusca
App Security module for Express

View Slide

var express = require(‘express’),
app = express(),
lusca = require(‘lusca’);

View Slide

app.use(lusca.csrf());
app.use(lusca.csp({ /* ... */ }));
app.use(lusca.hsts({ maxAge: 31536000 });
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.xssProtection(true);

View Slide

Pardon the interruption

View Slide

CSRF

View Slide

Trick victim’s browser into
making malicious requests
CSRF

View Slide

All you need is a valid cookie
CSRF

View Slide

CSRF
#
Victim
yoursite.com
"
Cookie

View Slide

CSRF
#
Victim
hackedsite.com
Cookie yoursite.com

View Slide

CSRF
transferFunds”>

!
document.forms.someHiddenForm.submit();

View Slide

It’s a simple HTTP request.
CSRF

View Slide

If only we had a way to ensure
requests were legitimate…
CSRF

View Slide

lusca.csrf();

View Slide

Token synchronizer pattern
lusca.csrf();

View Slide

1. Creates a random token
(using some crazy crypto libraries)
lusca.csrf();

View Slide

2. Adds token to res.locals
lusca.csrf();

View Slide

3. Dump token on the page

lusca.csrf();

View Slide

4. Send token with every
POST, PUT, DELETE request
lusca.csrf();

View Slide

$.ajaxPreﬁlter(function(options, _, xhr) {
if (!xhr.crossDomain) {
xhr.setRequestHeader('X-CSRF-Token', csrfToken);
}
});
lusca.csrf();

View Slide

5. Verify token is correct,
otherwise return 403.
lusca.csrf();

View Slide

CSP

View Slide

CSP is really awesome.

View Slide

It’s basically a whitelist.

View Slide

Content-Security-Policy:
default-src 'self' https://*.your-cdn.com;
script-src 'self' https://*.your-cdn.com;
img-src https://*.your-cdn.com data:;
object-src 'self';
font-src 'self' https://*.googlefonts.com;
connect-src …
frame-src …
style-src …
media-src …

View Slide

View Slide

lusca.csp( { /* … */ } );

View Slide

lusca.csp({
"default-src": "'self' https://*.your-cdn.com”,
"script-src": “'self' https://*.your-cdn.com”,
"img-src": “https://*.your-cdn.com data:”,
"font-src": “‘self’",
“report-uri”: “https://mysite.com/cspReporter”
});

View Slide

“report-uri”: “https://mysite.com/cspReporter”

View Slide

lusca.hsts();

View Slide

lusca.hsts();
Ensures HTTPS traffic

View Slide

Helps prevent MITM attacks
lusca.hsts();

View Slide

lusca.xframe();

View Slide

lusca.xframe();
Prevent others from loading
your app in an iframe

View Slide

View Slide

app.use(lusca.xssProtection());
app.use(lusca.p3p());

View Slide

app.use(lusca.csrf());
app.use(lusca.csp({ /* ... */ }));
app.use(lusca.hsts({ maxAge: 31536000 });
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.p3p('ABCDEF'));
app.use(lusca.xssProtection(true);

View Slide

Okay, now where were we?

View Slide

HTTPOnly cookies

View Slide

Prevents session hijacking
HTTPOnly cookies

View Slide

app.use(express.session({
secret: ‘0m6!s3cr37’,
cookie: { httpOnly: true, secure: true },
}));
HTTPOnly cookies

View Slide

Set-Cookie:!
connect.sid=%3AbzLqvcp7DnQJMaLAPmJ7p; !
Path=/; Expires=Wed, 21 May 2014 18:26:44 GMT;
HttpOnly
HTTPOnly cookies

View Slide

Handle errors, or crash.
Rule #4 !
!
!

View Slide

!
Wed, 21 May 2014 18:49:00 GMT !
uncaughtException Object # has no method ‘forEach'!
!
TypeError: Object # has no method 'forEach'!
at module.exports.fetchSettings (/Users/marstuart/oddjob/helpers.js:174:18)!
!
Process ﬁnished with exit code 1!

View Slide

Basically, a DOS attack

View Slide

Catch them or restart

View Slide

Scan for vulnerable modules
Rule #6 !
!
!

View Slide

Node Security Project
http://nodesecurity.io

View Slide

Audit all modules in npm

View Slide

Contribute patches

View Slide

View Slide

Educate others

View Slide

npm install grunt-nsp-package --save-dev
grunt validate-package

View Slide

View Slide

Deﬁne custom rules
ESLint

View Slide

Security can be automated

View Slide

Make it a part of your CI

View Slide

Update your dependencies
Rule #7 !
!
!

View Slide

Add a badge to your README

View Slide

View Slide

david-dm.org

View Slide

Let’s recap…

View Slide

1. Know what you require()
2. Node is still JavaScript
3. Do not run as root
3. Use good security defaults
4. Security can be automated, too!

View Slide

Client-side JS

View Slide

Escape everything.
Rule #1 !
!
!

View Slide

Content injection

View Slide

XSS sucks. It’s everywhere.

View Slide

User input and
backend data

View Slide

Don’t trust
backend services
to escape properly

View Slide

Persistent or
Stored XSS

View Slide

#
Attacker
yoursite.com
PUT /account/edit
{ ﬁrstName: ‘…’ }<br/>#<br/>Victim<br/>#<br/>Victim<br/><script>…
GET /addressBook
…
GET /addressBook
yoursite.com
yoursite.com

View Slide

Case Study: TweetDeck worm

View Slide

TweetDeck worm

View Slide

Just one tweet.
TweetDeck worm

View Slide

Just two weeks ago.
TweetDeck worm

View Slide

… So how do I escape?

View Slide

DOMPurify and Google Caja

View Slide

DOMPurify
Plain ol’ JavaScript
var clean = DOMPurify.sanitize(dirty);

View Slide

require(['dompurify'], function(DOMPurify) {
});
DOMPurify
RequireJS / AMD

View Slide

var DOMPurify = require(‘dompurify’);
DOMPurify
Node
npm install dompurify

View Slide

Know your templating library.
Rule #2 !
!
!

View Slide

Use it properly.

View Slide

Underscore templates

View Slide

” />
” />

View Slide

Dust.js templates

View Slide

{@if cond=“{cardType} === ‘VISA’”}

{/if}

View Slide

{@if cond=“{zipCode} === {defaultZipCode}”}

{/if}
{
“zipCode”: “\\”,
“defaultZipCode”: “);process.exit();//“
}

View Slide

Your server crashed.
$

View Slide

Upgrade your front-end
dependencies.
Rule #3 !
!
!

View Slide

Retire.js

View Slide

jQuery <1.9.0
jQuery Mobile <1.0.1
Backbone <0.5.0
Angular <1.2.0
Handlebars <1.0.0
YUI <3.5.0
Ember <1.3.0
Mustache <0.3.1

View Slide

Running "retire:jsPath" (retire) task!
!
>> test-ﬁles/jquery-1.6.js!
>> ↳ jquery 1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/
vuln/detail?vulnId=CVE-2011-4969!
!
>> Aborted due to warnings.
npm install grunt-retire --save-dev
grunt retire

View Slide

Automate it!

View Slide

C’mon, it’s 1 line.

View Slide

Rules of Thumb

View Slide

No matter what you do,
someone will always
ﬁnd a way in

View Slide

But, you’ll get 80% there
if you…

View Slide

Choose libraries with
good security defaults.
!
!
!

View Slide

Sanitize data coming in
and going out.
!
!
!

View Slide

Update your dependencies!
!
!
!

View Slide

Automate security, too.
!
!
!

View Slide

Ok.

View Slide

Ok. so,

View Slide

Ok. so, listen…

View Slide

Node is awesome.

View Slide

It’s enterprise ready.

View Slide

We just need to write
better, more secure apps.

View Slide

thanks!

View Slide

We’re hiring!
(we have an office in Berlin, too!)

View Slide

mark stuart
@mark_stuart
@mstuart

View Slide

Links
https://github.com/nodesecurity/grunt-nsp-package
https://github.com/bekk/grunt-retire
https://nodesecurity.io/
https://github.com/evilpacket/helmet
http://krakenjs.com/
https://github.com/krakenjs/lusca
https://david-dm.org/
https://www.owasp.org/index.php/Cross-Site

View Slide

enterJS 2014 - Securing your Node.js & Single Page Apps

enterJS 2014 - Securing your Node.js & Single Page Apps

Mark Stuart

More Decks by Mark Stuart

Other Decks in Programming

Featured

Transcript