Slide 1

Slide 1 text

Threat modelling Node.js applications Gergely Nemeth | @nthgergo

Slide 2

Slide 2 text

What does civil engineering have to do with software security?

Slide 3

Slide 3 text

1977

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

The most influential work for software design patterns

Slide 7

Slide 7 text

1994

Slide 8

Slide 8 text

In 1988, Robert Barnard developed and applied the first profile of an IT-system attacker, bringing the pattern idea to security.

Slide 9

Slide 9 text

Agenda
● Threat modelling methodologies
○ Attack trees
○ STRIDE
○ DREAD
● Building more secure Node.js applications
○ HTTP headers
○ Regex DoS (ReDoS)
○ XSS / CSRF attacks

Slide 10

Slide 10 text

Attack trees

Slide 11

Slide 11 text

Attack trees “A formal, methodical way of describing the security of systems, based on varying attacks.” Bruce Schneier

Slide 12

Slide 12 text

Attack trees (example tree, flattened by extraction)
Root goal: Get Access
Sub-goals: Modify Credentials, Learn Password, Bypass Access Control
Leaf attacks: Get Access to Database, Social Engineering, Get Access to DMZ, Listen on Transport Layer, Guessing, Insecure Dependencies

Slide 13

Slide 13 text

Attack trees (same tree, one path highlighted)
Root goal: Get Access
Sub-goals: Modify Credentials, Learn Password, Bypass Access Control
Leaf attacks: Get Access to Database, Social Engineering, Get Access to DMZ, Listen on Transport Layer, Guessing, Insecure Dependencies
Highlighted path: Get Access → Learn Password → Guessing

Slide 14

Slide 14 text

STRIDE

Slide 15

Slide 15 text

STRIDE
Classification scheme for characterizing known threats:
● Spoofing of user identity
● Tampering
● Repudiation
● Information disclosure (privacy breach or data leak)
● Denial of service
● Elevation of privilege

Slide 16

Slide 16 text

Users impersonating other users STRIDE: Spoofing of user identity

Slide 17

Slide 17 text

An attacker sending modified information, which the application may use and store without checking. STRIDE: Tampering

Slide 18

Slide 18 text

A user denies having performed an action and the system cannot prove otherwise. To counter this, applications should keep web access logs and audit trails at each tier. STRIDE: Repudiation

Slide 19

Slide 19 text

Apps / browsers / content delivery networks leaking private data STRIDE: Information disclosure

Slide 20

Slide 20 text

Make the service unavailable for other users. STRIDE: Denial of service

Slide 21

Slide 21 text

Users getting rights that they should not have (like admin rights) STRIDE: Elevation of privilege

Slide 22

Slide 22 text

DREAD

Slide 23

Slide 23 text

Classification scheme for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat. DREAD

Slide 24

Slide 24 text

Calculating Risk:
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Slide 25

Slide 25 text

The DREAD calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.

Slide 26

Slide 26 text

DAMAGE: If the threat is exploited, how much damage is caused?
0 = None
5 = Individual user data is compromised or affected.
10 = Complete system or data destruction

Slide 27

Slide 27 text

REPRODUCIBILITY: How easy is it to reproduce the exploit?
0 = Very hard or impossible, even for administrators.
5 = One or two steps required; may need to be an authorized user.
10 = Even a web browser is sufficient, without authentication.

Slide 28

Slide 28 text

EXPLOITABILITY: What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with custom or advanced tools.
5 = Malware exists on the Internet, or the exploit is easily performed using available attack tools.
10 = Just a web browser

Slide 29

Slide 29 text

AFFECTED USERS: How many users will be affected?
0 = None
5 = Some users, but not all
10 = All users

Slide 30

Slide 30 text

DISCOVERABILITY: How easy is it to discover this threat?
10 = Just assume it is always discoverable

Slide 31

Slide 31 text

DREAD Example: SQL injection
Damage: 10 (DROP TableName)
Reproducibility: 5 (logged-in state is needed)
Exploitability: 10 (using forms)
Affected users: 10 (everyone)
Discoverability: 10
Score: (10 + 5 + 10 + 10 + 10) / 5 = 9

Slide 32

Slide 32 text

DREAD Example: XSS attack
Damage: 5 (individual user data is affected)
Reproducibility: 5
Exploitability: 10 (using forms)
Affected users: 10 (everyone)
Discoverability: 10
Score: (5 + 5 + 10 + 10 + 10) / 5 = 8

Slide 33

Slide 33 text

Securing Node.js Applications

Slide 34

Slide 34 text

Securing HTTP

Slide 35

Slide 35 text

Security HTTP headers
Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server
X-Frame-Options provides clickjacking protection
X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers (note: browsers have since removed this filter, and current helmet versions set the header to 0 to disable it; rely on Content-Security-Policy instead)
Content-Security-Policy prevents a wide range of attacks, including Cross-site scripting and other cross-site injections

Slide 36

Slide 36 text

Use the helmet npm package; it automatically adds security headers. If you are building an express application, start the project by adding helmet. Security HTTP headers

Slide 37

Slide 37 text

Security HTTP headers

Slide 38

Slide 38 text

Side-channel attacks

Slide 39

Slide 39 text

An attack based on information gained from the physical implementation of a cryptosystem Side-channel attacks

Slide 40

Slide 40 text

Side-channel attacks
- Power-monitoring attack
- Data remanence
- Acoustic cryptanalysis
- Timing attack

Slide 41

Slide 41 text

TIMING ATTACKS

Slide 42

Slide 42 text

WRONG! TIMING ATTACKS

Slide 43

Slide 43 text

T R A C E T R A C E 1st iteration TIMING ATTACKS

Slide 44

Slide 44 text

T R A C E T R A C E 2nd iteration TIMING ATTACKS

Slide 45

Slide 45 text

T R A C E T R A C E 5th iteration TIMING ATTACKS

Slide 46

Slide 46 text

T R A C E T R I C K 1st iteration TIMING ATTACKS

Slide 47

Slide 47 text

T R A C E T R I C K 2nd iteration TIMING ATTACKS

Slide 48

Slide 48 text

T R A C E T R I C K 3rd iteration mismatch - no more iterations TIMING ATTACKS

Slide 49

Slide 49 text

The more letters match from the password, the more time the comparison takes.

Slide 50

Slide 50 text

Always use fixed-time comparison to avoid timing attacks.

Slide 51

Slide 51 text

TIMING ATTACKS

Slide 52

Slide 52 text

Denial of Service attacks

Slide 53

Slide 53 text

DoS attackers seek to make a machine or network unavailable to its intended users. Denial of Service attacks

Slide 54

Slide 54 text

Regex Denial of Service
^(a+)+$ (diagram: nondeterministic finite automaton for this expression over an input of a's)

Slide 55

Slide 55 text

^(a+)+$ for the input “aaaaX” 16 possible paths Regex Denial of Service

Slide 56

Slide 56 text

^(a+)+$ for the input “aaaaaaaaaaaaaaaaX” 65536 possible paths Regex Denial of Service

Slide 57

Slide 57 text

Regular Expression implementations may reach extreme situations that cause them to work very slowly. Regex Denial of Service

Slide 58

Slide 58 text

Evil Regexes
- Grouping with repetition: (a+)+
- Inside the repeated group:
  - Repetition: (a+)+
  - Alternation with overlapping: (a|aa)+

Slide 59

Slide 59 text

WE HAVE A SINGLE THREAD

Slide 60

Slide 60 text

Regex Denial of Service

Slide 61

Slide 61 text

Insecure dependencies

Slide 62

Slide 62 text

YOU ARE WHAT YOU REQUIRE

Slide 63

Slide 63 text

Insecure Dependencies

Slide 64

Slide 64 text

Us

Slide 65

Slide 65 text

95% of all security incidents involve human error.

Slide 66

Slide 66 text

We are the weakest link.

Slide 67

Slide 67 text

Security is part of your job!

Slide 68

Slide 68 text

WHAT'S NEXT?
- Node.js Security Checklist - https://blog.risingstack.com/node-js-security-checklist
- Advisories of NSP - on nodesecurity.io (the Node Security Project has since been folded into npm; its advisories are served by `npm audit`)
- OWASP TOP 10 - on owasp.org

Slide 69

Slide 69 text

No content