Slide 1

Testing Node Security by @jmortegac NOV 18-19 · 2016

Slide 2

Agenda
- Introduction to Node.js security
- npm security packages
- Node Goat project
- Tools

Slide 3

Node.js introduction
- JavaScript in the backend
- Built on Chrome's JavaScript runtime (V8)
- Node.js is based on an event loop
- Designed to be asynchronous
- Single thread
- Concurrent requests

Slide 4

Security updates

Slide 5

Security updates

Slide 6

Find Node.js vulnerabilities
http://cve.mitre.org/find/

Slide 7

Latest vulnerabilities
https://nodesecurity.io/advisories

Slide 8

NPM modules install

Slide 9

npm security packages
- helmet
- express-session / cookie-session
- csurf
- express-validator
- bcrypt-node
- express-enforces-ssl

Slide 10

Security HTTP headers
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy

Slide 11

Helmet module
https://www.npmjs.com/package/helmet

Slide 12

Helmet module
https://github.com/helmetjs/helmet

Slide 13

Helmet module
- csp: sets the Content-Security-Policy header
- hidePoweredBy: removes the X-Powered-By header
- hpkp: protection against MITM (HTTP Public Key Pinning)
- hsts: forces HTTPS connections
- noCache: disables client-side caching
- frameguard: protection against clickjacking
- xssFilter: protection against XSS

Slide 14

Helmet module

Slide 15

Check security headers
- http://cyh.herokuapp.com/cyh
- https://securityheaders.io/

Slide 16

Express versions
https://www.shodan.io/search?query=express

Slide 17

Disable X-Powered-By
- Avoid framework fingerprinting

Slide 18

Disable X-Powered-By
- Use Helmet and its "hide-powered-by" plugin

Slide 19

Session management
https://www.npmjs.com/package/cookie-session
- secure
- httpOnly
- domain
- path
- expires

Slide 20

httpOnly & secure:true

Slide 21

Delete cookies from the browser cache

// Set cache control header to eliminate cookies from cache
app.use(function (req, res, next) {
  res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
  next();
});

Slide 22

XSS attacks
An attacker can exploit an XSS vulnerability to:
- Steal session cookies / session hijacking
- Redirect the user to malicious sites
- Defacement and content manipulation
- Cross-Site Request Forgery

Slide 23

https://www.npmjs.com/package/csurf

Slide 24

CSRF Submit

app.use(function (request, response, next) {
  response.locals.csrftoken = request.csrfToken();
  next();
});

Slide 25

CSRF

Slide 26

Filter/sanitize user input
- Avoid XSS attacks
- https://www.npmjs.com/package/sanitizer
- Module express-validator: https://www.npmjs.com/package/express-validator

Slide 27

Validator

Slide 28

Validator

Slide 29

Validator

Slide 30

Validator with regular expressions

Slide 31

Regular expressions
- https://www.npmjs.com/package/safe-regex
- Detects vulnerable regular expressions that can cause DoS
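Added example, not safe-regex's code and not from the talk: a simplified version of the star-height heuristic safe-regex applies, so a validation pattern (slide 30) can be checked for nested quantifiers such as `(a+)+` before it is compiled. It handles escapes, character classes, groups and `(?...)` prefixes; the threshold of 1 is assumed.

```javascript
'use strict';
// Star height of a regex source: how deeply quantified sub-expressions nest.
// (a+)+ is 2 (the catastrophic-backtracking shape safe-regex flags), [a-z]+@[a-z]+ is 1.
// Added, simplified re-implementation of that heuristic, not safe-regex's own code.
function starHeight(source) {
  const stack = [{ inner: 0 }];            // stack[0] is the top level
  const top = () => stack[stack.length - 1];
  let i = 0;
  function quantifier() {                  // consume *, +, ?, {n,m} and a lazy ? at i
    const c = source[i];
    if (c === '{') { const close = source.indexOf('}', i); if (close === -1) return false; i = close + 1; }
    else if (c === '*' || c === '+' || c === '?') i++;
    else return false;
    if (source[i] === '?') i++;
    return true;
  }
  while (i < source.length) {
    const c = source[i];
    if (c === '(') {
      i++;
      if (source[i] === '?') {               // (?:..) (?=..) (?!..) (?<=..) (?<name>..)
        i++;
        if (source[i] === '<' && !'=!'.includes(source[i + 1])) {
          const gt = source.indexOf('>', i); i = gt === -1 ? source.length : gt + 1;
        } else i += source[i] === '<' ? 2 : 1;
      }
      stack.push({ inner: 0 });
    } else if (c === ')' && stack.length > 1) {
      i++;
      const group = stack.pop();             // a quantified group raises height by one
      const h = quantifier() ? group.inner + 1 : group.inner;
      top().inner = Math.max(top().inner, h);
    } else {
      if (c === '\\') i += 2;                // escaped char
      else if (c === '[') {                  // character class: skip to closing ]
        i++;
        while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
        i++;
      } else i++;
      if (quantifier()) top().inner = Math.max(top().inner, 1);
    }
  }
  return stack[0].inner;
}

// Gate a pattern before new RegExp() or an express-validator matches() check.
function isSafeRegex(source) {
  return starHeight(source) <= 1;
}
```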

Slide 32

Node.js crypto
- http://nodejs.org/api/crypto.html
- Use require('crypto') to access this module
- The crypto module requires OpenSSL

require("crypto")
  .createHash("sha1")       // algorithm
  .update("cOdEmOtiOn")     // text
  .digest("hex");           // hexadecimal result

Slide 33

Bcrypt-node
https://github.com/kelektiv/node.bcrypt.js

Slide 34

Bcrypt-node

Slide 35

Bcrypt-node

Slide 36

Bcrypt-node

Slide 37

Building a secure HTTPS server

Slide 38

Building a secure HTTPS server
- https://www.npmjs.com/package/https-redirect-server
- https://www.npmjs.com/package/express-enforces-ssl
- Redirect all traffic to HTTPS and a secure port

Slide 39

Building a secure HTTPS server

Slide 40

Building a secure HTTPS server

var helmet = require("helmet");
var ms = require("ms");
app.use(helmet.hsts({
  maxAge: ms("1 year"),
  includeSubdomains: true
}));

Send the HSTS header for all requests
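Added example, not express-enforces-ssl's code and not from the talk: the decision behind "redirect all traffic to HTTPS" on slides 38-40, with the one caveat a practitioner needs, that X-Forwarded-Proto is only believed when the app is told it sits behind a TLS-terminating proxy, since any client can send that header directly. The trustProxy flag and the 403 for non-GET requests are assumptions.

```javascript
'use strict';

// Per-request decision: pass, redirect to https, or reject. Mirrors the
// behaviour of express-enforces-ssl but is not its code.
function enforceSsl(req, trustProxy) {
  const fwd = trustProxy
    ? String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase()
    : '';                                   // header is untrusted without a proxy
  if (req.secure === true || fwd === 'https') return { action: 'next' };
  if (!req.headers.host) return { action: 'reject', status: 400 };
  if (req.method === 'GET' || req.method === 'HEAD') {
    return { action: 'redirect', status: 301, location: `https://${req.headers.host}${req.url}` };
  }
  return { action: 'reject', status: 403 };   // never replay a POST body over plain HTTP
}

// Express-style middleware built on the decision above; secure requests also
// get the HSTS header from the slide (one year, subdomains included).
function enforceSslMiddleware(trustProxy = false) {
  return function (req, res, next) {
    const d = enforceSsl(req, trustProxy);
    if (d.action === 'next') {
      res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
      return next();
    }
    res.statusCode = d.status;
    if (d.location) res.setHeader('Location', d.location);
    res.end();
  };
}
```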

Slide 41

Node Goat
http://nodegoat.herokuapp.com/tutorial

Slide 42

Node Goat
https://github.com/OWASP/NodeGoat

Slide 43

EVAL()

Slide 44

EVAL() on GitHub

Slide 45

EVAL() attacks

res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readdirSync('..').toString())

Slide 46

Insecure Direct Object References
- Use the session instead of a request parameter

var userId = req.session.userId;
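Added example, not NodeGoat's code and not from the talk: the defensive side of slides 45-46. Input that an application might otherwise hand to eval() is parsed with a strict numeric grammar or JSON.parse, which never execute code, and the user identity is read from the session rather than from a request parameter. The field names and the amount grammar are assumptions.

```javascript
'use strict';

// Hardened replacement for eval(req.body.amount)-style parsing: accept only a
// decimal number literal (up to 12 digits, 2 decimals) and never execute input.
const AMOUNT = /^-?\d{1,12}(\.\d{1,2})?$/;
function parseAmount(input) {
  const text = typeof input === 'string' ? input.trim() : '';
  if (!AMOUNT.test(text)) {
    throw new TypeError('amount must be a decimal number');
  }
  return Number(text);
}

// For structured input use JSON.parse, which cannot call require() or any
// function; anything that is not a JSON object is rejected.
function parseJsonBody(text) {
  try {
    const value = JSON.parse(text);
    return value !== null && typeof value === 'object' ? value : null;
  } catch (e) {
    return null;
  }
}

// IDOR fix from the slide: identity comes from the authenticated session.
// req.params / req.query are deliberately never consulted here.
function currentUserId(req) {
  if (!req.session || !Number.isInteger(req.session.userId)) {
    throw new Error('not authenticated');
  }
  return req.session.userId;
}
```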

Slide 47

Tools
- NSP
- Require Safe
- David
- KrakenJS / Lusca middleware
- Retire
- snyk.io

Slide 48

NSP
- https://github.com/nodesecurity/nsp
- npm install -g nsp
- Analyzes package.json
- nsp check --output summary
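What `nsp check` does at its core, as an added example (not nsp's code and not from the talk): resolved dependency versions are matched against advisories with a plain version comparison. The advisory format, module names and versions here are constructed for the example, not real nodesecurity.io data, and pre-release tags are not handled.

```javascript
'use strict';

// Compare two dotted versions ("4.13.0"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Constructed advisory shape: a module is affected when its version is
// >= introduced (when given) and < patched.
function isAffected(version, adv) {
  if (adv.introduced && compareVersions(version, adv.introduced) < 0) return false;
  return compareVersions(version, adv.patched) < 0;
}

// installed: { name: exactVersion } as resolved by npm (a lock file, not the
// ranges in package.json). Returns one finding per matching advisory.
function checkDependencies(installed, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const version = installed[adv.module];
    if (version && isAffected(version, adv)) {
      findings.push({ module: adv.module, version, title: adv.title, patched: adv.patched });
    }
  }
  return findings;
}

// Constructed sample data: fake modules and advisories, not real entries.
const SAMPLE_ADVISORIES = [
  { module: 'example-parser', title: 'ReDoS in header parsing', introduced: '1.0.0', patched: '1.4.2' },
  { module: 'example-templates', title: 'Unescaped output (XSS)', patched: '2.0.0' },
];
const SAMPLE_INSTALLED = { 'example-parser': '1.3.0', 'example-templates': '2.1.0', 'express': '4.14.0' };

function sampleReport() {
  return checkDependencies(SAMPLE_INSTALLED, SAMPLE_ADVISORIES);
}
```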

Slide 49

NSP with Grunt
npm install -g grunt-nsp-package

Slide 50

Nsp execution

Slide 51

Nsp execution

Slide 52

Project dependencies
https://david-dm.org/

Slide 53

Project dependencies

Slide 54

Project dependencies
npm install -g david

Slide 55

https://snyk.io

Slide 56

http://krakenjs.com/

Slide 57

https://github.com/krakenjs/lusca

Slide 58

Retire.js
- http://retirejs.github.io/retire.js
- Detects components and JS libraries with known vulnerabilities

Slide 59

Retire.js

Slide 60

Retire.js

Slide 61

Retire.js

Slide 62

Retire.js
https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json

Slide 63

Retire.js execution

Slide 64

NodeJsScan
https://github.com/ajinabraham/NodeJsScan

python NodeJsScan.py -d

Slide 65

NodeJsScan
https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

Slide 66

NodeJsScan

Slide 67

Passport

Slide 68

Passport

Slide 69

https://github.com/jmortega/testing_nodejs_security

Slide 70

GitHub repositories
- https://github.com/cr0hn/vulnerable-node
- https://github.com/rdegges/svcc-auth
- https://github.com/strongloop/loopback-getting-started-intermediate

Slide 71

References
- https://blog.risingstack.com/node-js-security-checklist/
- https://blog.risingstack.com/node-js-security-tips/
- https://groups.google.com/forum/#!forum/nodejs-sec
- https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
- https://expressjs.com/en/advanced/security-updates.html
- http://opensecurity.in/nodejsscan/
- http://stackabuse.com/securing-your-node-js-app/

Slide 72

Node security learning
https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

Slide 73

Books