Slide 1

Slide 1 text

Node.js Security Tips Tamar Twena-Stern

Slide 2

Slide 2 text

Tamar Twena-Stern • Software Engineer - manager and architect • Architect @PaloAltoNetworks • Was a CTO of my own startup • Passionate about Node.js ! • Twitter: @SternTwena

Slide 3

Slide 3 text

Tamar Twena-Stern • Just finished my maternity leave • Have 3 kids • Love to play my violin • JavaScript Israel community leader

Slide 4

Slide 4 text

Node.js Framework • Server-side platform for building servers: web, mobile back ends, enterprise • Open source, cross platform • Lets you build fast and scalable network applications

Slide 5

Slide 5 text

Traditional Approach - Blocking IO (diagram: a client sends several requests; the server dedicates one thread to each request)

Slide 6

Slide 6 text

Node.js Architecture - High Level

Slide 7

Slide 7 text

What Is An Attack? • An attack is launched from one or more computers • It targets another computer, several computers or a network • Two broad types: • Denial of service: make the target unavailable • Data theft: read or exfiltrate the target computer's data

Slide 8

Slide 8 text

Now, Let's Hack Some Code

Slide 9

Slide 9 text

Eval Is Evil

Slide 10

Slide 10 text

Eval Function • A JavaScript function that takes a string and executes it as code • It parses and evaluates an expression or a block of statements • It returns the result of the last evaluated expression

Slide 11

Slide 11 text

Eval Code Samples

Slide 12

Slide 12 text

Denial Of Service Attack • The attacker seeks to make the service unavailable to its intended users • For eval, the most common form is script injection: • inject a script that performs a CPU-intensive operation, so the server is too busy running it to serve anyone else (Node.js runs JavaScript on a single thread, so one busy loop blocks every request)

Slide 13

Slide 13 text

Demo – Denial Of Service Attack Using Script Injection To Eval
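The demo is not reproduced on the slide, so here is an added example (not the speaker's code) of the pattern it describes: a calculator endpoint that hands the request string to eval(), the kind of payload that pins the event loop, and a replacement that only accepts arithmetic. The endpoint and the payload are assumed for illustration.

```javascript
// Added example, not code from the original slides.

// Vulnerable: whatever the client sends is executed as JavaScript.
function calculateUnsafe(expr) {
  return eval(expr);
}

// Assumed attacker payload: an endless CPU-bound loop. Node.js runs JavaScript on
// a single thread, so while eval() spins on this, no other request is served.
const DOS_PAYLOAD = 'while (true) {}';

// Safe replacement: a recursive-descent parser for + - * / and parentheses.
// Nothing here executes input, so a loop, a function call or a property access
// cannot be smuggled in; such input is simply rejected.
function calculateSafe(expr) {
  if (typeof expr !== 'string' || expr.length > 200) {
    throw new Error('expression must be a string of at most 200 characters');
  }
  const tokens = expr.match(/\d+(?:\.\d+)?|[()+\-*\/]/g) || [];
  // Every non-blank character must have been consumed by the tokenizer.
  if (tokens.join('') !== expr.replace(/\s+/g, '')) {
    throw new Error('expression may only contain digits and + - * / ( )');
  }
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseExpr() {          // expr := term (('+' | '-') term)*
    let value = parseTerm();
    while (peek() === '+' || peek() === '-') {
      value = next() === '+' ? value + parseTerm() : value - parseTerm();
    }
    return value;
  }
  function parseTerm() {          // term := factor (('*' | '/') factor)*
    let value = parseFactor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const rhs = parseFactor();
      if (op === '/' && rhs === 0) throw new Error('division by zero');
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }
  function parseFactor() {        // factor := '-' factor | '(' expr ')' | number
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok === '-') return -parseFactor();
    if (tok === '(') {
      const inner = parseExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return inner;
    }
    if (/^\d/.test(tok)) return Number(tok);
    throw new Error(`unexpected token ${tok}`);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error(`unexpected token ${tokens[pos]}`);
  return result;
}

// Stand-alone demo: the safe evaluator rejects the payload immediately; the
// eval call is left commented out because it would never return.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(calculateSafe('2 + 3 * (4 - 1)'));
  try { calculateSafe(DOS_PAYLOAD); } catch (e) { console.log('rejected:', e.message); }
  // calculateUnsafe(DOS_PAYLOAD); // would hang the process
}
```

The tokenizer-plus-parser approach is the general fix: when you need to evaluate user-supplied expressions, define the grammar you are willing to accept and parse it, rather than filtering strings on their way into eval.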

Slide 14

Slide 14 text

Don't Use Eval • It makes your application vulnerable to multiple kinds of attack: • injection attacks (arbitrary code execution) • denial of service attacks • and more

Slide 15

Slide 15 text

But I Did Not See A Lot Of Code With Eval In The Node.js Ecosystem …

Slide 16

Slide 16 text

Node.js Ecosystem Functions That Are Based On Eval • new Function(string) compiles a string into a function, exactly like eval • setTimeout and setInterval called with a string instead of a function evaluate that string (in browsers; Node.js timers accept only a function and throw otherwise)

Slide 17

Slide 17 text

Preventing The Attack

Slide 18

Slide 18 text

Cross-Language Solutions • If you do use eval, new Function or a string-based setTimeout / setInterval: • the expression must never come from user input • escape the expression • apply an allow list (preferred) or a block list to the expression

Slide 19

Slide 19 text

ESLint Security Plugin • In a big repository it is hard to spot user input that flows directly into eval • The ESLint security plugin (eslint-plugin-security) comes to the rescue: it flags eval calls whose argument is an expression rather than a literal

Slide 20

Slide 20 text

Demo - ESLint Security Plugin

Slide 21

Slide 21 text

What Else Does The ESLint Security Plugin Detect? • File injection: a variable inside a file path (rule detect-non-literal-fs-filename) • lets an attacker read or write any file the Node.js process has permission to access • RegExp injection: a variable inside a regular expression (rule detect-non-literal-regexp) • lets an attacker DoS your server with a regular expression that takes exponential time to evaluate (ReDoS)

Slide 22

Slide 22 text

Demo - ESLint Security Plugin - Detect File Injection

Slide 23

Slide 23 text

Let's Look At Another Popular Denial Of Service Attack

Slide 24

Slide 24 text

Flooding The Server With Requests • Every server can handle a limited number of requests at a time • The limit depends on hardware and cluster size • When too many requests arrive, the server cannot serve any of them, legitimate ones included

Slide 25

Slide 25 text

Defence - Rate Limiting • Rate limiting: • identify the request's source IP • block requests when too many arrive from the same IP within a given time window • It also helps against brute-force password guessing, where many requests are sent to a login endpoint to guess the password

Slide 26

Slide 26 text

Demo - Use Rate Limit On A Single Node.js Server

Slide 27

Slide 27 text

Rate Limit Support In Cluster

Slide 28

Slide 28 text

Rate Limit Support In Cluster - Cloud Services • Cloudflare: rate limiting as a cloud service in front of your servers • AWS: rate limiting (throttling) on the API Gateway layer • Google Cloud Platform: rate limiting configured at the platform layer

Slide 29

Slide 29 text

Preventing Password Brute Force Attacks By Username • Login routes can be limited per source IP, and also per username (or per username + IP pair) • Limiting per username is very effective against password brute force • In many attacks an IP-only limit is not enough, because the requests come from many different IPs
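An added example, not the speaker's demo code and not Express-Brute, covering both the per-IP limit from the rate-limiting slides and the per-username limit from this one: a small fixed-window counter keyed by any string, used twice in a login handler. The quotas, the user store and the injectable clock are assumptions for illustration.

```javascript
// Added example, not code from the original slides.

// Fixed-window counter keyed by an arbitrary string (client IP, username, ...).
// The clock is injectable so the behaviour can be tested without waiting.
class RateLimiter {
  constructor({ max, windowMs, now = () => Date.now() }) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> { count, windowStart }
  }

  // Records one request for key; returns true if it is still within quota.
  consume(key) {
    const t = this.now();
    let entry = this.hits.get(key);
    if (entry === undefined || t - entry.windowStart >= this.windowMs) {
      entry = { count: 0, windowStart: t };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    return entry.count <= this.max;
  }

  reset(key) {
    this.hits.delete(key);
  }

  // Evict expired windows so a flood of distinct keys cannot grow memory forever.
  prune() {
    const t = this.now();
    for (const [key, entry] of this.hits) {
      if (t - entry.windowStart >= this.windowMs) this.hits.delete(key);
    }
  }
}

// Assumed credential store for the demo; a real service stores password hashes.
const USERS = new Map([['alice', 'correct horse battery staple']]);

// Builds a login handler with two independent limits:
//   per IP       - stops a single client flooding the endpoint,
//   per username - stops a distributed guess against one account.
function makeLoginHandler(now = () => Date.now()) {
  const perIp = new RateLimiter({ max: 100, windowMs: 60 * 1000, now });
  const perUser = new RateLimiter({ max: 5, windowMs: 15 * 60 * 1000, now });

  return function login({ ip, username, password }) {
    if (!perIp.consume(`ip:${ip}`)) {
      return { status: 429, reason: 'too many requests from this address' };
    }
    if (!perUser.consume(`user:${username}`)) {
      return { status: 429, reason: 'too many login attempts for this account' };
    }
    if (USERS.get(username) === password) {
      perUser.reset(`user:${username}`); // a successful login clears the account's counter
      return { status: 200 };
    }
    return { status: 401 };
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const login = makeLoginHandler();
  for (let i = 0; i < 6; i++) {
    // Six guesses from six different addresses: the per-IP limit never trips,
    // the per-username limit blocks the sixth.
    console.log(login({ ip: `10.0.0.${i}`, username: 'alice', password: 'guess' + i }));
  }
}
```

The counters live in this process's memory. With the cluster module or several instances, each worker would keep its own Map and an attacker could multiply the quota by the number of workers, which is why the next slides move the state to a shared service.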

Slide 30

Slide 30 text

Express-Brute Library

Slide 31

Slide 31 text

Express-Brute Library

Slide 32

Slide 32 text

Validating User Input On Request

Slide 33

Slide 33 text

Node.js Request Input Validation • The most common use of Node.js is building a REST API, and most developers write the REST layer with the Express library • Input is usually taken from the request body or the URL query string • In most cases the input is passed to the next layer in the pipeline exactly as it was received from the user

Slide 34

Slide 34 text

Injection Attack • The attacker supplies untrusted input to a program • The input is processed as part of the program's execution (as code, a query or a command) instead of as plain data • The input can change the program's behaviour or damage it • Examples: • SQL injection • Command injection

Slide 35

Slide 35 text

Let’s Perform Login Without Knowing Even One Valid Username Or Password ….

Slide 36

Slide 36 text

Defend This Attack • In Express almost all functionality is added through middleware • It is crucial to add a middleware that validates the input of every request before it reaches the route handlers • Write one yourself, or use one of the known validation middlewares (express-validator, shown next)

Slide 37

Slide 37 text

Demo – User Input Validations Using Express middleware
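An added example (not the speaker's demo and not express-validator) of a hand-written validation middleware for the login route, with a small stand-in for Express's req/res so it runs offline. It rejects the two classic "log in without a valid credential" inputs: an operator object such as {"$gt": ""} that document databases interpret as a query, and a quote-based string such as ' OR '1'='1 aimed at concatenated SQL. The field rules are assumptions for illustration.

```javascript
// Added example, not code from the original slides.

// Checks the shape of a login body before it reaches any database code.
// Returns a list of problems; an empty list means the body is acceptable.
function validateLoginBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  const { username, password } = body;
  // The typeof checks defeat operator objects such as {"$gt": ""} that a
  // document database would otherwise interpret as a query; the character
  // class defeats quote-based SQL payloads such as ' OR '1'='1.
  if (typeof username !== 'string') {
    errors.push('username must be a string');
  } else if (!/^[a-z0-9_.-]{3,32}$/i.test(username)) {
    errors.push('username must be 3-32 characters from [a-z0-9_.-]');
  }
  if (typeof password !== 'string') {
    errors.push('password must be a string');
  } else if (password.length < 8 || password.length > 128) {
    // The upper bound keeps the cost of hashing a submitted password bounded.
    errors.push('password must be 8-128 characters');
  }
  return errors;
}

// Express-style middleware: answer 400 with the problems, or pass control on.
function requireValidLogin(req, res, next) {
  const errors = validateLoginBody(req.body);
  if (errors.length > 0) {
    res.status(400).json({ errors });
    return;
  }
  next();
}

// Minimal stand-in for Express's req/res so the middleware can run offline.
function runMiddleware(body) {
  const outcome = { status: 200, body: undefined, passed: false };
  const res = {
    status(code) { outcome.status = code; return res; },
    json(payload) { outcome.body = payload; return res; },
  };
  requireValidLogin({ body }, res, () => { outcome.passed = true; });
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Wired into a real app this would be: app.post('/login', requireValidLogin, loginRoute)
  console.log(runMiddleware({ username: { $gt: '' }, password: { $gt: '' } }));
  console.log(runMiddleware({ username: 'alice', password: 'correct horse battery staple' }));
}
```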

Slide 38

Slide 38 text

Other Capabilities Of express-validator • Many built-in validators: • optional parameters • hex colours • matching a URL or a constant value • numbers • Schema-based validation: supply a schema to the validator to express any rule-based validation your application needs

Slide 39

Slide 39 text

Demo – Using Escape To Prevent Query Injection

Slide 40

Slide 40 text

Escaping And Query Injection • The global escape() function is legacy JavaScript that percent-encodes characters for URLs; it is not a database escaping routine and it corrupts legitimate values (O'Brien becomes O%27Brien) • The reliable defence against query injection is a parameterized query (prepared statement): fixed query text, with the values passed separately through the driver • If you must build query text yourself, use the escaping function your database driver provides, never a generic string encoder • Escaping is context-specific: HTML, JavaScript and SQL each need their own encoder
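An added example, not the speaker's demo code, contrasting a concatenated login query with a parameterized one, and showing what the global escape() actually does to a value. The table, column names and placeholder style are assumptions for illustration.

```javascript
// Added example, not code from the original slides.

// Vulnerable: the values are spliced into the SQL text. Because AND binds
// tighter than OR, a password of  ' OR '1'='1  closes the quote and makes the
// whole WHERE clause true for every row, so the login succeeds without any
// valid credential.
function loginQueryUnsafe(username, password) {
  return `SELECT id FROM users WHERE username = '${username}' AND password = '${password}'`;
}

// Hardened: the SQL text is a constant and the values are shipped separately
// as parameters, so the database never parses them as SQL. Placeholder syntax
// is driver-specific (mysql uses ?, pg uses $1, $2); ? is assumed here.
function loginQuerySafe(username, password) {
  return {
    text: 'SELECT id FROM users WHERE username = ? AND password = ?',
    values: [username, password],
  };
}

// What the global escape() really does: legacy percent-encoding meant for
// URLs. It is not SQL escaping, and it silently mangles legitimate input.
function percentEscaped(value) {
  return escape(value);
}

if (typeof require !== 'undefined' && require.main === module) {
  const payload = "' OR '1'='1";
  console.log(loginQueryUnsafe('anyone', payload));
  console.log(loginQuerySafe('anyone', payload));
  console.log(percentEscaped("O'Brien"));
}
```

Wired into a driver, the safe form is the two-argument call (query text, values array) that both mysql and pg expose; the vulnerable form is any string you assembled yourself.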

Slide 41

Slide 41 text

Child Processes And Command Injections

Slide 42

Slide 42 text

Child Process Module • Spawns a child process • Gives access to operating-system functionality by running system commands in a child process • You control the child process's input stream • You listen to the child process's output stream

Slide 43

Slide 43 text

Child Process Code Sample

Slide 44

Slide 44 text

Let's See Code That Is Vulnerable To Command Injection

Slide 45

Slide 45 text

Defend This Attack • Prefer spawn or execFile, which take the program and its arguments separately and do not run a shell, so shell metacharacters in an argument are passed literally • Always validate and sanitise user input • Limit the permissions of the parent and child process by running them under appropriately restricted identities in your system

Slide 46

Slide 46 text

Questions ?

Slide 47

Slide 47 text

• Twitter: @SternTwena