Know thy self, know thy enemy.
A thousand battles, a thousand victories.
- Sun Tzu, The Art of War
Quiz
Identify the weakest area of a web application, the one where an attacker is most likely to find vulnerabilities:
A. Data Encryption
B. Environment Configuration
C. Input Validation
D. Error Handling
[Figure: Year 2013 Vulnerabilities Sampling by Category. Source: HP 2013 Cyber Risk Report]
PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE
The X-Powered-By header can be extremely useful to an attacker for building a site's risk profile.
HTTP Response Headers
The X-Powered-By header has no functional value. It can be removed safely (server.js):
var express = require("express");
var app = express();
…
// stop Express from adding X-Powered-By to every response
app.disable("x-powered-by");
Other ways to remove X-Powered-By, using the helmet module (server.js):
var helmet = require("helmet");
…
app.use(helmet.hidePoweredBy());
Other ways to remove X-Powered-By: helmet can also replace the header with a decoy value instead of dropping it (server.js):
var helmet = require("helmet");
…
app.use(helmet.hidePoweredBy({
  setTo: "PHP 4.2.0"
}));
Another source of implementation disclosure: the default session cookie name.
Use generic cookie names (server.js):
var session = require("express-session");
app.use(session({
  secret: "s3Cur3",
  key: "sessionId", // cookie name; current express-session versions call this option `name`
  …
}));
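As an added check (not code from the slides), the audit below runs over a captured response and flags what this section warns about: an X-Powered-By or Server header, a session cookie that still carries a framework's default name, and, since the XSS section of this deck asks for them, a session cookie missing HttpOnly or Secure. The response objects and the list of default cookie names are constructed for the demo.

```javascript
// Added example (not from the slides): audit a captured HTTP response for
// implementation disclosure. The responses below are constructed for the demo;
// the default cookie names are a small hand-picked set, not a complete list.
const DEFAULT_SESSION_COOKIES = {
  "connect.sid": "express-session (default name)",
  "PHPSESSID": "PHP",
  "JSESSIONID": "Java servlet container",
  "ASP.NET_SessionId": "ASP.NET",
};

// Split one Set-Cookie value into the cookie name and its lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  return { name, attrs: attrs.map((a) => a.split("=")[0].toLowerCase()) };
}

// Returns a list of findings; an empty list means nothing was disclosed.
function auditResponse(headers) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (h["x-powered-by"]) findings.push(`X-Powered-By reveals "${h["x-powered-by"]}"`);
  if (h["server"]) findings.push(`Server header reveals "${h["server"]}"`);
  for (const c of [].concat(h["set-cookie"] || [])) {
    const { name, attrs } = parseSetCookie(c);
    const framework = DEFAULT_SESSION_COOKIES[name];
    if (framework) findings.push(`cookie "${name}" is the default name used by ${framework}`);
    if (!attrs.includes("httponly")) findings.push(`cookie "${name}" lacks HttpOnly`);
    if (!attrs.includes("secure")) findings.push(`cookie "${name}" lacks Secure`);
  }
  return findings;
}

// Constructed sample: what an unconfigured Express app with express-session sends.
const leaky = {
  "X-Powered-By": "Express",
  "Set-Cookie": ["connect.sid=s%3Aabc.def; Path=/"],
};
// Constructed sample: after app.disable("x-powered-by"), a generic cookie name,
// and httpOnly/secure set on the session cookie.
const hardened = {
  "Set-Cookie": ["sessionId=s%3Aabc.def; Path=/; HttpOnly; Secure"],
};

console.log(auditResponse(leaky));    // four findings
console.log(auditResponse(hardened)); // []
```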
FORTIFY OUR DEFENSES: Addressing Overlooked Environment Configuration Issues
Configuring Protection against CSRF
Enable CSRF Protection (server.js):
var csrf = require("csurf");
app.use(csrf());
…
// expose the per-request token to the views so forms can send it back
app.use(function(req, res, next) {
  res.locals.csrftoken = req.csrfToken();
  next();
});
Form Template: the view reads csrftoken from res.locals and submits it with each state-changing form.
The Express CSRF middleware does not verify tokens on HTTP GET, OPTIONS, and HEAD requests (which is correct behavior).
Ensure GET APIs are coded not to mutate state.
Use the method-override module before CSRF (server.js):
var methodOverride = require("method-override");
var csrf = require("csurf");
// resolve the overridden method first, so csurf checks the method the route will actually see
app.use(methodOverride("X-HTTP-Method-Override"));
app.use(csrf());
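The ordering rule above can be kept honest with a small regression test. The chain below is an added example, not code from the slides or from the csurf/method-override modules: both middlewares are stand-ins, and the override honours the header on any request method (a demo assumption; the real module's `methods` option restricts which methods may be overridden). The requests are constructed.

```javascript
// Added example (not from the slides): a minimal middleware chain showing why
// method-override must run before csurf. methodOverride and csrfCheck are
// stand-ins for the real modules, and the requests are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Stand-in for method-override("X-HTTP-Method-Override"). For the demo it
// honours the header on any method (assumption; the real module's `methods`
// option limits which request methods may be overridden).
function methodOverride(req) {
  const wanted = req.headers["x-http-method-override"];
  if (wanted) req.method = wanted.toUpperCase();
}

// Stand-in for csurf: safe methods are not checked, anything else needs the token.
function csrfCheck(req, validToken) {
  if (SAFE_METHODS.has(req.method)) return true;
  return req.body._csrf === validToken;
}

// Run the chain in the given order and report what the route handler would see.
function runPipeline(order, req, validToken) {
  let allowed = true;
  for (const step of order) {
    if (step === "csrf") allowed = allowed && csrfCheck(req, validToken);
    if (step === "override") methodOverride(req);
  }
  return { allowed, method: req.method };
}

// Constructed request: no token, sent as GET but asking to be treated as DELETE.
function sampleRequest() {
  return { method: "GET", headers: { "x-http-method-override": "DELETE" }, body: {} };
}

const token = "demo-token";
// Wrong order: the CSRF check skips the GET, then the override turns it into a DELETE.
console.log(runPipeline(["csrf", "override"], sampleRequest(), token));
// -> { allowed: true, method: 'DELETE' }
// Correct order (the server.js above): the CSRF check sees DELETE and rejects it.
console.log(runPipeline(["override", "csrf"], sampleRequest(), token));
// -> { allowed: false, method: 'DELETE' }
```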
FORTIFY OUR DEFENSES: Addressing Overlooked Environment Configuration Issues
Using Secure Versions of Software Dependencies
Use the latest stable version of Node.js and frameworks.
References: Node.js security vulnerabilities; Express security updates
Stay up to date on npm module versions and known vulnerabilities.
Useful tools:
npm outdated
Node Security Project
Retire.js
23 of 70
2. Engaging in Warfare
Mitigating Overlooked Security Attacks
Slide 24
Slide 24 text
Cross Site Scripting
(XSS) Attack
PAGE
24 of 70
ENGAGE IN WARFARE
Mitigating Overlooked Security Attacks
Slide 25
Slide 25 text
An attacker can exploit an XSS vulnerability to:
Steal session cookies, and then impersonate the user.
Redirect the user to malicious sites.
Myth: Template libraries handle output encoding by default, making the application safe against XSS attacks.
Encode untrusted data for the correct context, depending on where it will be placed.
Encode for HTML Body (untrusted data placed in element content):
& → &amp;
< → &lt;
> → &gt;
" → &quot;
' → &#x27;
/ → &#x2F;
Encode for HTML Attributes (untrusted data placed in an attribute value):
Non-alphanumeric characters → &#xHH; format
Enclose the attribute value in quotes
Encode for CSS (untrusted data placed in a style property value):
Untrusted data → CSS hex encoding (\HH or \HHHHHH)
Encode for JavaScript (untrusted data placed inside a script string, as in var firstName = " "; with the untrusted data between the quotes):
Non-alphanumeric characters → \uXXXX unicode escape format
Encode for URL (untrusted data forming a whole URL, e.g. the "Show Details" link):
Untrusted data → encodeURI()
Encode for URL Parameter (untrusted data placed in a query parameter value):
Untrusted data → encodeURIComponent()
DOM Based XSS: encode on both server and client. A vulnerable client-side sink from the Movie Reviews demo page, where the URL fragment is untrusted data:
document.write("<h1>" + document.location.hash + "</h1>");
Use proven utilities for encoding (e.g. OWASP ESAPI).
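To make the per-context rules above concrete, here is an added example (not code from the slides and not OWASP ESAPI) with one encoder per context, applied to a single constructed untrusted string. The escaping rules follow the tables above; the only addition is a trailing space after each CSS escape so it cannot absorb a following hex digit.

```javascript
// Added example (not from the slides, not OWASP ESAPI): one encoder per output
// context, following the rules listed above. Use a proven library in production;
// this shows what each rule does to the same untrusted input.
function encodeForHtmlBody(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Attribute values: every non-alphanumeric character becomes &#xHH; and the
// caller must still put quotes around the attribute value.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string literals: \uXXXX for every non-alphanumeric character, so
// nothing in the data can close the quote or the enclosing <script> element.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// CSS property values: \HH hex escape; the trailing space ends the escape so it
// cannot swallow a hex digit that happens to follow in the data.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => "\\" + c.charCodeAt(0).toString(16).toUpperCase() + " ");
}

// URL query parameter: encodeURIComponent escapes & = ? # as well, whereas
// encodeURI (meant for whole URLs) leaves those delimiters in place.
function encodeForUrlParameter(s) {
  return encodeURIComponent(String(s));
}

// Constructed untrusted input, rendered into each context.
const untrusted = '"><script>alert(1)</script>';
console.log(`<h1>${encodeForHtmlBody(untrusted)}</h1>`);
console.log(`<input value="${encodeForHtmlAttribute(untrusted)}">`);
console.log(`var firstName = "${encodeForJavaScript(untrusted)}";`);
console.log(`div { font-family: ${encodeForCss(untrusted)} }`);
console.log(`/search?q=${encodeForUrlParameter(untrusted)}`);
```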
Add the HttpOnly and Secure attributes on the session cookie (server.js):
var session = require("express-session");
app.use(session({
  secret: "s3Cur3",
  key: "sessionId",
  cookie: {
    httpOnly: true, // not readable from document.cookie, so script injection cannot steal it
    secure: true    // only sent over HTTPS
  }
}));
Regular Expression Denial of Service (ReDoS) Attack
Evil regex can take exponential execution time when
applied to certain non-matching inputs.
By default, a regex is executed on the event loop thread, so it could be exploited for a DoS attack.
Evil regex pattern requirements:
1. Grouping with repetition, e.g. ( )+, and
2. Inside the repeated group, repetition, e.g. ( a+ )+, or alternation with overlapping, e.g. ( a|aa )+
Example: a commonly used URL validator regex
/^(?!mailto:)(?:(?:https?|ftp):\/\/)?(?:\S+(?::\S*)?@)?(?:(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[0-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))|localhost)(?::\d{2,5})?(?:\/[^\s]*)?$/i
Input pattern: aaaaaaaaaaaaaaaa!
Execution time of the validator regex against inputs of this pattern:
# of Input Characters    Execution Time
30                       6 sec
35                       3 min
36                       6 min
37                       13 min
38                       25 min
39                       1 hr 28 min
40                       3 hr 46 min
Review regex in our own or external code for evil patterns.
Tools: RXRR, SDL Regex Fuzzer
Do not use user-supplied input as a regex.
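A code-review aid for requirement 1 combined with the repetition form of requirement 2, as an added example (not from the slides, and not RXRR or the SDL Regex Fuzzer): it scans a regex source for a repeated group that itself contains an unbounded quantifier, the shape of ( a+ )+, and runs over the slide's URL validator plus a few constructed patterns. It does not detect overlapping alternation such as ( a|aa )+, which needs the tools above.

```javascript
// Added example (not from the slides, not RXRR or the SDL Regex Fuzzer): a small
// lint for the simplest evil pattern, a group containing an unbounded quantifier
// that is itself repeated, e.g. (a+)+. Overlapping alternation such as (a|aa)+
// is out of scope here.
function unboundedQuantifierAt(source, i) {
  const c = source[i];
  if (c === "+" || c === "*") return true;
  if (c === "{") {                       // {n,} is unbounded; {n} and {n,m} are not
    const end = source.indexOf("}", i);
    return end !== -1 && source[end - 1] === ",";
  }
  return false;
}

function hasNestedQuantifier(source) {
  const groups = [];          // per open group: has an unbounded quantifier appeared inside it?
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }                    // skip the escaped character
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }          // quantifier chars inside [...] are literals
    if (c === "(") { groups.push(false); continue; }
    if (c === ")") {
      const inner = groups.pop();
      if (inner && unboundedQuantifierAt(source, i + 1)) return true;
      if (inner && groups.length) groups[groups.length - 1] = true;   // bubble up to the enclosing group
      continue;
    }
    if (groups.length && unboundedQuantifierAt(source, i)) groups[groups.length - 1] = true;
  }
  return false;
}

// The slide's URL validator, split into raw strings so the backslashes stay intact.
const URL_VALIDATOR = [
  String.raw`^(?!mailto:)(?:(?:https?|ftp):\/\/)?(?:\S+(?::\S*)?@)?(?:(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])`,
  String.raw`(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[0-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|`,
  String.raw`(?:(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*`,
  String.raw`(?:\.(?:[a-z\u00a1-\uffff]{2,})))|localhost)(?::\d{2,5})?(?:\/[^\s]*)?$`,
].join("");

// Constructed patterns with the verdict the lint should give.
const SAMPLES = { "(a+)+": true, "(a|aa)+": false, "^[a-z]+$": false, "(?:\\d{1,2}){2}": false };
console.log(hasNestedQuantifier(URL_VALIDATOR));   // true, from (?:[...]+-?)* in the host name part
for (const [re, expected] of Object.entries(SAMPLES)) console.log(re, hasNestedQuantifier(re), expected);
```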
HTTP Parameter Pollution (HPP)
Quiz: what do req.query.firstname and req.body.firstname contain?
// GET /search?firstname=John&firstname=John
req.query.firstname
//=> ["John", "John"]
// POST firstname=John&firstname=John
req.body.firstname
//=> ["John", "John"]
Express populates HTTP request parameters with the same name into an array.
An attacker can intentionally pollute request parameters to exploit this mechanism.
An attacker can exploit HPP to:
Trigger type errors in the application (shown in the server console).
Any uncaught error in async code could crash the HTTP server, causing DoS.
Modify application behavior (shown in the DB shell).
Bypass input validations applied to strings in our own code, WAFs, and browser filters.
Check the expected type as part of input validation.
Implement a robust error handling mechanism using try/catch, domain, and cluster.
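The type check recommended above, as an added example (not code from the slides or from Express): parseQuery is a simplified stand-in that reproduces how Express collects repeated parameters into an array, and expectParam is the validation step that keeps a polluted value from reaching string-only code. The query strings are constructed.

```javascript
// Added example (not from the slides): a model of how repeated query
// parameters become arrays, plus a type-checking accessor so polluted
// parameters are rejected instead of throwing a TypeError deep in a handler.
// parseQuery is a simplified stand-in for Express's query parser.
function parseQuery(queryString) {
  const query = Object.create(null);   // no prototype, so `in` only sees real parameters
  for (const [name, value] of new URLSearchParams(queryString)) {
    if (!(name in query)) query[name] = value;
    else query[name] = [].concat(query[name], value);   // repeated name -> array, as Express does
  }
  return query;
}

// Return the parameter only if it has the expected type; otherwise return
// null so the caller can answer 400 rather than crash on an unexpected array.
function expectParam(query, name, type) {
  const value = query[name];
  if (type === "string") return typeof value === "string" ? value : null;
  if (type === "array") return Array.isArray(value) ? value : null;
  return null;
}

// Route logic that calls a string method: with the check, a polluted value
// yields a 400 response instead of "first.toUpperCase is not a function".
function greet(query) {
  const first = expectParam(query, "firstname", "string");
  if (first === null) return { status: 400, body: "firstname must be a single string" };
  return { status: 200, body: "Hello " + first.toUpperCase() };
}

// Constructed requests: a normal one and a polluted one.
const normal = parseQuery("firstname=John");
const polluted = parseQuery("firstname=John&firstname=John");
console.log(polluted.firstname);  // [ 'John', 'John' ], as on the quiz slide
console.log(greet(normal));       // { status: 200, body: 'Hello JOHN' }
console.log(greet(polluted));     // { status: 400, body: 'firstname must be a single string' }
```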
OWASP Top 10
Educate developers about the OWASP Top 10 risks.
OWASP NodeGoat Project
Quick Recap
Remove the X-Powered-By response header and use generic session cookie names.
Keep watch on security vulnerabilities in dependencies.
Ensure HTTP GET requests are idempotent.
Include the method-override module before any module that depends on the request method.
Encode for all contexts on both server and client to protect against XSS attacks.
Use the HttpOnly and Secure attributes on the session cookie, and include CSP headers.
Review regex for evil patterns to mitigate ReDoS attacks.
Verify input types as part of validation.