Slide 1

Slide 1 text

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac

Slide 2

Slide 2 text

Agenda ▪ Introduction to Node.js security ▪ npm security packages ▪ NodeGoat project ▪ Tools

Slide 3

Slide 3 text

Node.js ▪ JavaScript in the backend ▪ Built on Chrome's JavaScript runtime (V8) ▪ Node.js is based on an event loop ▪ Designed to be asynchronous ▪ Single thread ▪ Node.js is not resilient to flooding attacks: there is no built-in limit on the number of concurrent requests, and because the event loop runs on a single thread, a flood of requests or one CPU-bound handler stalls every other client. Rate limiting, request timeouts and body-size limits have to be added explicitly.

Slide 4

Slide 4 text

Security updates https://expressjs.com/en/advanced/security-updates.html

Slide 5

Slide 5 text

Package vulnerabilities https://www.npmjs.com/advisories

Slide 7

Slide 7 text

npm security packages ▪ Helmet ▪ express-session ▪ cookie-session ▪ csurf ▪ express-validator ▪ bcrypt-node ▪ express-enforces-ssl

Slide 8

Slide 8 text

Security HTTP Headers ▪ Strict-Transport-Security ▪ X-Frame-Options ▪ X-XSS-Protection ▪ X-Content-Type-Options ▪ Content-Security-Policy

Slide 9

Slide 9 text

Helmet module ▪ https://www.npmjs.com/package/helmet

Slide 10

Slide 10 text

Helmet module ▪ https://github.com/helmetjs/helmet

Slide 11

Slide 11 text

Helmet module ▪ hidePoweredBy → removes the X-Powered-By header ▪ hpkp → HTTP Public Key Pinning against MITM with a mis-issued certificate (since deprecated by browsers and removed in Helmet 4) ▪ hsts → forces HTTPS connections ▪ noCache → disables client-side caching ▪ frameguard → protection against clickjacking ▪ xssFilter → sets the legacy X-XSS-Protection header (browsers have dropped the filter, and current Helmet sends the value 0 to switch it off)

Slide 12

Slide 12 text

Helmet CSP

Slide 13

Slide 13 text

Check security headers ▪ http://cyh.herokuapp.com/cyh ▪ https://securityheaders.io/

Slide 14

Slide 14 text

Express versions ▪ https://www.shodan.io/search?query=express

Slide 15

Slide 15 text

Disable x-powered-by

Slide 16

Slide 16 text

Disable x-powered-by ▪ Avoid framework fingerprinting

Slide 17

Slide 17 text

Disable x-powered-by ▪ Use Helmet's hidePoweredBy middleware, or turn off the x-powered-by setting in Express itself

Slide 18

Slide 18 text

Sessions management ▪ secure ▪ httpOnly ▪ domain ▪ path ▪ expires ▪ https://www.npmjs.com/package/cookie-session

Slide 19

Slide 19 text

httpOnly & secure:true

Slide 20

Slide 20 text

XSS attacks ▪ An attacker can exploit an XSS vulnerability to: ▪ Steal session cookies / session hijacking ▪ Redirect the user to malicious sites ▪ Defacing and content manipulation ▪ Cross-Site Request Forgery

Slide 21

Slide 21 text

CSRF attacks

Slide 22

Slide 22 text

https://www.npmjs.com/package/csurf

Slide 23

Slide 23 text

CSRF Submit
  // expose the per-request token to the templates as csrftoken,
  // so every form can send it back in a hidden _csrf field
  app.use(function (request, response, next) {
    response.locals.csrftoken = request.csrfToken();
    next();
  });

Slide 24

Slide 24 text

CSRF

Slide 25

Slide 25 text

Filter/sanitize user input ▪ Fixing XSS attacks ▪ https://www.npmjs.com/package/sanitizer ▪ Module express-validator ▪ https://www.npmjs.com/package/express-validator

Slide 26

Slide 26 text

Express Validator
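Output encoding and allow-list validation for the XSS and "filter/sanitize user input" slides. This is an added example and not code from the sanitizer or express-validator packages or from the talk: escapeHtml does what a template engine's auto-escape does, and validateProfile mirrors an express-validator chain (trim, isEmail, isInt) in plain code. The field names, regexes and the script payload are constructed for the demo.

```javascript
// Added example: fixing reflected XSS by encoding on output, plus allow-list
// validation of the input. Field names and rules are assumptions.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable: user input lands in the markup unchanged.
function renderUnsafe(name) {
  return `<h1>Hello ${name}</h1>`;
}

// Fixed: encode at the point of output, whatever validation did earlier.
function renderSafe(name) {
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Allow-list validation: accept only the expected shape instead of trying
// to strip "bad" characters. Returns the cleaned values and the errors.
function validateProfile(input) {
  const errors = [];
  const name = String(input.name || '').trim();
  if (!/^[\p{L} .'-]{1,64}$/u.test(name)) errors.push("name: 1-64 letters, spaces, . ' -");
  const email = String(input.email || '').trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('email: invalid');
  const age = String(input.age || '').trim();
  if (!/^\d{1,3}$/.test(age) || Number(age) > 150) errors.push('age: integer 0-150');
  return { ok: errors.length === 0, errors, value: { name, email, age: Number(age) } };
}
```

Note that a legitimate name such as O'Brien passes validation and still needs escaping before it is rendered inside an attribute; validation and output encoding are two separate controls, not alternatives.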

Slide 28

Slide 28 text

Bcrypt-node ▪ https://github.com/kelektiv/node.bcrypt.js

Slide 31

Slide 31 text

NodeGoat ▪ http://nodegoat.herokuapp.com/tutorial

Slide 32

Slide 32 text

NodeGoat ▪ https://github.com/OWASP/NodeGoat

Slide 33

Slide 33 text

eval() attacks ▪ Payload for an eval() injection point; it writes the server's working-directory listing into the response: res.end(require('fs').readdirSync('.').toString())
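The vulnerable pattern behind this slide and its fix. NodeGoat feeds form fields to eval(); with the payload above the response becomes a directory listing, and anything else reachable from the process (environment, filesystem, network) is equally exposed. Added example, not NodeGoat's code: the field name preTax and the "decimal with at most two places" rule are assumptions, and the test uses benign expressions rather than the real payload.

```javascript
// Added example: eval() on user input versus parsing the one value you
// actually expect. Field name and number format are assumptions.

// Vulnerable: attacker-supplied source runs with the server's privileges,
// in the module's scope, so require(), process and fs are all reachable.
function calculateVulnerable(preTax) {
  return eval(preTax);
}

// Fixed: the input is data, not code. Accept only a decimal number with at
// most two fractional digits and convert it with Number(); anything else
// is rejected with an error the route can turn into a 400.
const MONEY = /^\d{1,12}(\.\d{1,2})?$/;
function calculateSafe(preTax) {
  const s = String(preTax).trim();
  if (!MONEY.test(s)) throw new Error('preTax must be a decimal number');
  return Number(s);
}

// Small helper so callers (and the test) can ask "was this rejected?"
function isRejected(fn, input) {
  try {
    fn(input);
    return false;
  } catch (e) {
    return true;
  }
}
```

The rule generalises: wherever eval(), new Function(), vm.runInThisContext() or setTimeout with a string argument takes something that came from a request, parse the expected type instead; there is no sanitiser that makes arbitrary JavaScript safe to execute.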

Slide 34

Slide 34 text

Insecure Direct Object References ▪ Use session instead of request param ▪ var userId = req.session.userId;
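The IDOR fix from this slide shown against a vulnerable handler, plus the variant for routes that legitimately take a user id in the URL. Added example, not NodeGoat's code: the allocation records, the route shape and the isAdmin flag are constructed for the demo.

```javascript
// Added example: Insecure Direct Object Reference. The records below stand
// in for NodeGoat's per-user allocations; all data here is constructed.
const allocations = {
  1: { userId: 1, stocks: 40, bonds: 60 },
  2: { userId: 2, stocks: 10, bonds: 90 },
};

// Vulnerable: /allocations/:userId. Any logged-in user reads any record by
// changing the number in the URL.
function allocationsVulnerable(req) {
  const userId = Number(req.params.userId);
  return allocations[userId] || null;
}

// Fixed as on the slide: the identifier comes from the session that was
// established at login, never from the request.
function allocationsSafe(req) {
  const userId = req.session && req.session.userId;
  if (!Number.isInteger(userId)) return null; // not authenticated
  return allocations[userId] || null;
}

// When the URL parameter is genuinely needed (an admin view), keep it but
// authorise it against the session before touching data.
function allocationsAuthorized(req) {
  const requested = Number(req.params.userId);
  const { userId, isAdmin } = req.session || {};
  if (!Number.isInteger(userId)) return null;
  if (requested !== userId && !isAdmin) return null;
  return allocations[requested] || null;
}
```

The same bug appears with any identifier a client can type: document ids, invoice numbers, file names. The check is always "does the authenticated principal own or have rights to this object", done on the server for every request.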

Slide 35

Slide 35 text

Tools ▪ KrakenJS ▪ Lusca middleware ▪ NodeJsScan

Slide 36

Slide 36 text

http://krakenjs.com/

Slide 37

Slide 37 text

https://github.com/krakenjs/lusca

Slide 38

Slide 38 text

NodeJsScan ▪ https://github.com/ajinabraham/NodeJsScan

Slide 39

Slide 39 text

NodeJsScan https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

Slide 40

Slide 40 text

NodeJsScan

Slide 41

Slide 41 text

GitHub repositories ▪ https://github.com/jmortega/testing_nodejs_security ▪ https://github.com/cr0hn/vulnerable-node ▪ https://github.com/rdegges/svcc-auth ▪ https://github.com/strongloop/loopback-getting-started-intermediate ▪ https://github.com/Feeld/strong-node

Slide 42

Slide 42 text

Node security learning ▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

Slide 43

Slide 43 text

Books

Slide 44

Slide 44 text

References ▪ https://blog.risingstack.com/node-js-security-checklist/ ▪ https://blog.risingstack.com/node-js-security-tips/ ▪ https://www.npmjs.com/package/helmet ▪ https://expressjs.com/en/advanced/best-practice-security.html ▪ https://expressjs.com/en/advanced/security-updates.html ▪ http://nodegoat.herokuapp.com/tutorial ▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project