Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Midwest JS 2014 - Securing your Node.js & Singl...

Mark Stuart
August 14, 2014
Programming
2
340

Midwest JS 2014 - Securing your Node.js & Single Page Apps

My slide deck from my talk at Midwest JS 2014 - Securing your Node.js & Single Page Apps

Mark Stuart

August 14, 2014
Tweet

More Decks by Mark Stuart

See All by Mark Stuart
JS@PayPal 2015 - Insanely fast rendering w/ Service Workers and Early Flushing
mstuart
0
900
Splitting up 8Ball and building/sharing components
mstuart
0
100
enterJS 2014 - Securing your Node.js & Single Page Apps
mstuart
4
620
HTML5DevConf 2014 - Securing your JavaScript apps
mstuart
0
180

Other Decks in Programming

See All in Programming
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
190
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
100
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
RubyLSPのマルチバイト文字対応
notfounds
0
120
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
330
Macとオーディオ再生 2024/11/02
yusukeito
0
370
Remix on Hono on Cloudflare Workers
yusukebe
1
280
C++でシェーダを書く
fadis
6
4.1k
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Optimizing for Happiness
mojombo
376
70k
Building Applications with DynamoDB
mza
90
6.1k
A Tale of Four Properties
chriscoyier
156
23k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Happy Clients
brianwarren
98
6.7k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k

Transcript

  1. Securing Your Node.js & Single Page Apps

  2. bit.ly/jssecurity

  3. @mark_stuart @mstuart

  4. How are you using JavaScript?

  5. So, why security?

  6. None
  7. None
  8. None

  9. Not just PayPal, but your company too.

  10. None
  11. None
  12. None

  13. The scoop on security

  14. Same vulnerabilities. Nothing new.

  15. ok cya.

  16. Same vulnerabilities. Different beast.

  17. Node

  18. Know what you require() Rule #1 ! ! !

  19. npm has ~80,000 modules

  20. modulecounts.com

  21. Really great developer ecosystem, except…

  22. Anyone can publish anything

  23. Node is still JavaScript ! ! ! Rule #2

  24. Client-side vulnerabilities still exist on the server-side

  25. Eval is still evil

  26. Do not run as root ! ! ! Rule #3

  27. Running as root is wreckless

  28. If you’re compromised, terrible things could happen

  29. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  30. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  31. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  32. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  33. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  34. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  35. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  36. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  37. Ok, so if not root, then what?

  38. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  39. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  40. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  41. Use good security defaults ! ! ! Rule #4

  42. Node is a set of barebones modules

  43. HTTP OS DNS TLS/SSL Path Process UDP URL File System

    Crypto Buffer

  44. Express is a barebones framework

  45. Express does very little to secure your app

  46. But, that’s okay!

  47. … drum roll …

  48. None

  49. Enterprise-grade Express "

  50. Lusca App Security module for Express

  51. var express = require(‘express’), app = express(), lusca = require(‘lusca’);

  52. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  53. Pardon the interruption

  54. CSRF

  55. Trick victim’s browser into making malicious requests CSRF

  56. All you need is a valid cookie CSRF

  57. # User yoursite.com " Cookie CSRF

  58. CSRF # User hackedsite.com Cookie

  59. <form name=“someHiddenForm” action=“http://yoursite.com/webapps/ transferFunds”> <input type=“hidden” name=“amount” value=“500.00” /> <input

    type=“hidden” name=“recipient” value=“[email protected]” /> </form> ! <script>document.forms.someHiddenForm.submit();</script> CSRF

  60. # User hackedsite.com Cookie yoursite.com CSRF POST /transferFunds

  61. It’s a simple HTTP request. CSRF

  62. If only we had a way to ensure requests were

    legitimate… CSRF

  63. lusca.csrf();

  64. Token synchronizer pattern lusca.csrf();

  65. 1. Creates a random token (using some crazy crypto libraries)

    lusca.csrf();

  66. 2. Adds token to res.locals lusca.csrf();

  67. 3. Dump token on the page <input type=“hidden” name=“csrf” value=“{{_csrf}}”

    /> lusca.csrf();

  68. 4. Send token with every POST, PUT, DELETE request lusca.csrf();

  69. $.ajaxPrefilter(function(options, _, xhr) { if (!xhr.crossDomain) { xhr.setRequestHeader('X-CSRF-Token', csrfToken); }

    }); lusca.csrf();

  70. 5. Verify token is correct, otherwise return 403. lusca.csrf();

  71. CSP

  72. CSP is really awesome.

  73. It’s basically a whitelist.

  74. Content-Security-Policy: default-src 'self' https://*.your-cdn.com; script-src 'self' https://*.your-cdn.com; img-src https://*.your-cdn.com data:;

    object-src 'self'; font-src 'self' https://*.googlefonts.com; connect-src … frame-src … style-src … media-src …
  75. None

  76. lusca.csp( { /* … */ } );

  77. lusca.csp({ "default-src": "'self' https://*.your-cdn.com”, "script-src": “'self' https://*.your-cdn.com”, "img-src": “https://*.your-cdn.com data:”,

    "font-src": “‘self’", “report-uri”: “https://mysite.com/cspReporter” });

  78. “report-uri”: “https://mysite.com/cspReporter”

  79. lusca.hsts();

  80. lusca.hsts(); Ensures HTTPS traffic

  81. Helps prevent MITM attacks lusca.hsts();

  82. lusca.xframe();

  83. lusca.xframe(); Prevent others from loading your app in an iframe

  84. None

  85. app.use(lusca.xssProtection()); app.use(lusca.p3p());

  86. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  87. Okay, now where were we?

  88. HTTPOnly cookies

  89. Prevents session hijacking HTTPOnly cookies

  90. app.use(express.session({ secret: ‘0m6!s3cr37’, cookie: { httpOnly: true, secure: true },

    })); HTTPOnly cookies

  91. Set-Cookie:! connect.sid=%3AbzLqvcp7DnQJMaLAPmJ7p; ! Path=/; Expires=Wed, 21 May 2014 18:26:44 GMT;

    HttpOnly HTTPOnly cookies

  92. Handle errors, or crash. ! ! ! Rule #5

  93. ! Wed, 21 May 2014 18:49:00 GMT ! uncaughtException Object

    #<Object> has no method ‘forEach'! ! TypeError: Object #<Object> has no method 'forEach'! at module.exports.fetchSettings (/Users/marstuart/oddjob/helpers.js:174:18)! ! Process finished with exit code 1!

  94. Basically, a DOS attack

  95. Catch them or restart

  96. Scan for vulnerable modules ! ! ! Rule #6

  97. Node Security Project http://nodesecurity.io

  98. Audit all modules in npm

  99. Contribute patches

  100. None

  101. Educate others

  102. npm install grunt-nsp-package --save-dev grunt validate-package

  103. None

  104. Define custom rules ESLint

  105. Security can be automated

  106. Make it a part of your CI

  107. Update your dependencies ! ! ! Rule #7

  108. August 6th, just 1 week ago..

  109. DoS attack with qs

  110. qs is a query string parser

  111. qs.parse(‘a=c’); // { a: ‘c’ }

  112. qs.parse(‘a=c’); // { a: ‘c’ } qs.parse(‘a[1]=c&a[0]=b’); // { a:

    [‘b’, ‘c’] }

  113. qs.parse(‘foo[0][100000000]=ba’); ! FATAL ERROR: JS Allocation failed - process out

    of memory Abort trap: 6

  114. qs is used by lots of popular modules

  115. express hapi restify body-parser restler superagent

  116. express hapi restify body-parser restler superagent

  117. express hapi restify body-parser restler superagent

  118. express hapi restify body-parser restler superagent

  119. express hapi restify body-parser restler superagent

  120. express hapi restify body-parser restler superagent

  121. The problem is…

  122. Most of us are using express

  123. Just pass foo[0][100000000]=ba as your user agent

  124. Or… pass foo[0][100000000]=ba as a query string param

  125. And you can crash the server FATAL ERROR: JS Allocation

    failed - process out of memory

  126. And you can crash the server FATAL ERROR: JS Allocation

    failed - process out of memory

  127. Good news!

  128. It’s been patched

  129. Although you’re probably running an old version

  130. Update your dependencies

  131. Add a badge to your README

  132. None
  133. None

  134. david-dm.org <img src=“https://david-dm.org/username/repo.png” />

  135. Let’s recap…

  136. 1. Know what you require() 2. Node is still JavaScript

    3. Do not run as root 3. Use good security defaults 4. Security can be automated, too!

  137. Client-side JS

  138. Escape everything. ! ! ! Rule #1

  139. Content injection

  140. XSS sucks. It’s everywhere.

  141. <script src=“http://hacker.com/session-hijacker.js”></script> &lt;script src=&#39;http://hacker.com/ sessionhijacker.js&#39;&gt;&lt;/script&gt;

  142. User input and backend data

  143. Don’t trust backend services to escape properly

  144. Persistent or Stored XSS

  145. # Attacker yoursite.com PUT /account/edit { firstName: ‘<script>…’ } #

    Victim # Victim <script>…</script> GET /addressBook <script>…</script> GET /addressBook yoursite.com yoursite.com

  146. Case Study: TweetDeck worm

  147. TweetDeck worm

  148. TweetDeck worm

  149. Just one tweet. TweetDeck worm

  150. Just two months ago. TweetDeck worm

  151. … So how do I escape?

  152. DOMPurify and Google Caja

  153. <script src=“dompurify.js"></script> DOMPurify Plain ol’ JavaScript var clean = DOMPurify.sanitize(dirty);

  154. require(['dompurify'], function(DOMPurify) { var clean = DOMPurify.sanitize(dirty); }); RequireJS /

    AMD DOMPurify

  155. Node? DOMPurify

  156. Node? DOMPurify Coming soon!

  157. Know your templating library. ! ! ! Rule #2

  158. Use it properly.

  159. Underscore templates

  160. <input type=“text” name=“zipCode” value=“<%- zipCode %>” /> <input type=“text” name=“zipCode”

    value=“<%= zipCode %>” />

  161. Dust.js templates

  162. {@if cond=“{cardType} === ‘VISA’”} <li class=“visa”></li> {/if}

  163. {@if cond=“{zipCode} === {defaultZipCode}”} <li class=“default”></li> {/if} { “zipCode”: “\\”,

    “defaultZipCode”: “);process.exit();//“ }

  164. Your server crashed. $

  165. Upgrade your front-end dependencies. ! ! ! Rule #3

  166. Retire.js

  167. jQuery <1.9.0 jQuery Mobile <1.0.1 Backbone <0.5.0 Angular <1.2.0 Handlebars

    <1.0.0 YUI <3.9.2 Ember <1.3.2 Mustache <0.3.1 easyXDM <2.4.19

  168. Running "retire:jsPath" (retire) task! ! >> test-files/jquery-1.6.js! >> ↳ jquery

    1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/ vuln/detail?vulnId=CVE-2011-4969! ! >> Aborted due to warnings. npm install grunt-retire --save-dev grunt retire

  169. Automate it!

  170. C’mon, it’s 1 line.

  171. Rules of Thumb

  172. No matter what you do, someone will always find a

    way in

  173. But, you’ll get 80% there if you…

  174. Choose libraries with good security defaults. ! ! !

  175. Sanitize data coming in and going out. ! ! !

  176. Update your dependencies! ! ! !

  177. Automate security, too. ! ! !

  178. Ok.

  179. Ok. so,

  180. Ok. so, listen…

  181. Node is awesome.

  182. It’s enterprise ready.

  183. We just need to write better, more secure apps.

  184. thanks!

  185. We’re hiring!

  186. mark stuart @mark_stuart @mstuart

  187. Links https://github.com/nodesecurity/grunt-nsp-package https://github.com/bekk/grunt-retire https://nodesecurity.io/ https://github.com/evilpacket/helmet http://krakenjs.com/ https://github.com/krakenjs/lusca https://david-dm.org/ https://www.owasp.org/index.php/Cross-Site