Slide 1

JavaScript Summit 2014, November 20, 2014
Battling Top Overlooked Security Threats to Node.js Web Applications
Chetan Karande, Omgeo, OWASP
Twitter: karande_c
GitHub: ckarande

Slide 2

Overview
1. Fortify Our Defenses: Addressing Overlooked Environment Configuration Issues
2. Engage in Warfare: Mitigating Overlooked Security Attacks
PAGE 2 of 70

Slide 3

"Know thy self, know thy enemy. A thousand battles, a thousand victories."
- Sun Tzu, The Art of War

Slide 4

Quiz: Identify the weakest area of a web application, where an attacker is most likely to find vulnerabilities.
A. Data Encryption
B. Environment Configuration
C. Input Validation
D. Error Handling

Slide 5

[Chart: Year 2013 Vulnerabilities Sampling by Category. Source: HP 2013 Cyber Risk Report]

Slide 6

1. Fortify Our Defenses: Addressing Overlooked Environment Configuration Issues

Slide 7

FORTIFY OUR DEFENSES: Addressing Overlooked Environment Configuration Issues
Preventing Internal Implementation Disclosure

Slide 8

PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE: HTTP Response Headers
- The X-Powered-By header can be extremely useful to an attacker for building a site's risk profile.

Slide 9

PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE
- The X-Powered-By header has no functional value, so it can be removed safely.
server.js:
    var express = require("express");
    var app = express();
    …
    app.disable("x-powered-by");

Slide 10

PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE
- Other ways to remove X-Powered-By:
server.js:
    var helmet = require("helmet");
    …
    app.use(helmet.hidePoweredBy());

Slide 11

PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE
- Other ways to remove X-Powered-By (or replace it with a misleading value):
server.js:
    var helmet = require("helmet");
    …
    app.use(helmet.hidePoweredBy({ setTo: "PHP 4.2.0" }));

Slide 12

PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE: HTTP Response Headers
- Another source of implementation disclosure: the default session cookie name.

Slide 13

PREVENTING INTERNAL IMPLEMENTATION DISCLOSURE
- Use generic cookie names.
server.js:
    var session = require("express-session");
    app.use(session({
      secret: "s3Cur3",
      key: "sessionId",
      …
    }));

Slide 14

FORTIFY OUR DEFENSES: Addressing Overlooked Environment Configuration Issues
Configuring Protection against CSRF

Slide 15

CONFIGURING CSRF PROTECTION
- Enable CSRF protection.
server.js:
    var csrf = require("csurf");
    app.use(csrf());

Slide 16

CONFIGURING CSRF PROTECTION
- Enable CSRF protection.
server.js:
    var csrf = require("csurf");
    app.use(csrf());
    …
    app.use(function(req, res, next) {
      res.locals.csrftoken = req.csrfToken();
      next();
    });

Slide 17

CONFIGURING CSRF PROTECTION
- Enable CSRF protection.
server.js:
    var csrf = require("csurf");
    app.use(csrf());
    …
    app.use(function(req, res, next) {
      res.locals.csrftoken = req.csrfToken();
      next();
    });
Form template: …

Slide 18

CONFIGURING CSRF PROTECTION
- The Express CSRF middleware does not verify tokens on HTTP GET, OPTIONS, and HEAD requests (which is the correct behavior).
- Ensure GET APIs are coded not to mutate state.

Slide 19

CONFIGURING CSRF PROTECTION
- Use the method-override module before CSRF.
server.js:
    var methodOverride = require("method-override");
    var csrf = require("csurf");
    app.use(methodOverride("X-HTTP-Method-Override"));
    app.use(csrf());

Slide 20

FORTIFY OUR DEFENSES: Addressing Overlooked Environment Configuration Issues
Using Secure Versions of Software Dependencies

Slide 21

USING SECURE DEPENDENCIES
- Use the latest stable version of Node.js and frameworks.
  Links: Node.js security vulnerabilities, Express security updates

Slide 22

USING SECURE DEPENDENCIES
- Stay up to date on npm module versions and known vulnerabilities.
- Useful tools: npm outdated, Node Security Project, Retire.js

Slide 23

2. Engaging in Warfare: Mitigating Overlooked Security Attacks

Slide 24

ENGAGE IN WARFARE: Mitigating Overlooked Security Attacks
Cross Site Scripting (XSS) Attack

Slide 25

XSS
An attacker can exploit an XSS vulnerability to:
- Steal session cookies, and then impersonate the user.
- Redirect the user to malicious sites.

Slide 26

XSS
- Myth: Template libraries handle output encoding by default, making the application safe against XSS attacks.

Slide 27

XSS
- Myth: Template libraries handle output encoding by default, making the application safe against XSS attacks.
- Encode untrusted data for the correct context, depending on where it will be placed.

Slide 28

XSS
- Encode for HTML Body: untrusted data
    &  →  &amp;
    <  →  &lt;
    >  →  &gt;
    "  →  &quot;
    '  →  &#x27;
    /  →  &#x2F;

Slide 29

XSS
- Encode for HTML Attributes: untrusted data
    Non-alphanumeric characters  →  &#xHH; format
    Enclose the attribute value in quotes.

Slide 30

XSS
- Encode for CSS: untrusted data
    Untrusted data  →  CSS hex encoding (\HH or \HHHHHH)

Slide 31

XSS
- Encode for JavaScript: untrusted data
    var firstName=" ";   (untrusted data placed inside a JavaScript string)
    Non-alphanumeric characters  →  \uXXXX unicode format

Slide 32

XSS
- Encode for URL: untrusted data  →  encodeURI()
[Figure: "Show Details" link built from untrusted data]

Slide 33

XSS
- Encode for URL Parameter: untrusted data  →  encodeURIComponent()
[Figure: "Show Details" link with an untrusted-data parameter]

Slide 34

XSS
[Figure: "Movie Reviews" page; untrusted data taken from the URL fragment]
    document.write("<h1>" + document.location.hash + "</h1>");
- DOM Based XSS: encode on both server and client.

Slide 35

XSS
- Use proven utilities for encoding (e.g. OWASP ESAPI).

Slide 36

XSS
- Add the HTTPOnly and Secure attributes on the session cookie.
server.js:
    var session = require("express-session");
    app.use(session({
      secret: "s3Cur3",
      key: "sessionId",
      cookie: { httpOnly: true, secure: true }
    }));

Slide 37

XSS
- Add a Content Security Policy header.
server.js:
    var policy = {
      defaultPolicy: {
        "default-src": ["'self'"],
        "img-src": ["static.example.com"]
      }
    };
    helmet.csp.policy(policy);

Slide 38

ENGAGE IN WARFARE: Mitigating Overlooked Security Attacks
Regular Expression Denial of Service (ReDoS) Attack

Slide 39

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- An evil regex can take exponential execution time when applied to certain non-matching inputs.

Slide 40

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- An evil regex can take exponential execution time when applied to certain non-matching inputs.
- By default, a regex executes on the event loop thread, so it could be exploited for a DoS attack.

Slide 41

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- Evil regex pattern requirements:   ( )+
  1. Grouping with repetition, and
  2. Inside the repeated group, repetition or alternation with overlapping

Slide 42

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- Evil regex pattern requirements:   ( a+ )+
  1. Grouping with repetition, and
  2. Inside the repeated group, repetition or alternation with overlapping

Slide 43

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- Evil regex pattern requirements:   ( a|aa )+
  1. Grouping with repetition, and
  2. Inside the repeated group, repetition or alternation with overlapping

Slide 44

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- Example: a commonly used URL validator regex
    /^(?!mailto:)(?:(?:https?|ftp):\/\/)?(?:\S+(?::\S*)?@)?(?:(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[0-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))|localhost)(?::\d{2,5})?(?:\/[^\s]*)?$/i
  Input pattern: aaaaaaaaaaaaaaaa!

Slide 45

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- Example: a commonly used URL validator regex

    # of Input Characters    Execution Time
    30                       6 sec
    35                       3 min
    36                       6 min
    37                       13 min
    38                       25 min
    39                       1 hr 28 min
    40                       3 hr 46 min

Slide 46

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- Review regexes in our own or external code for evil patterns.
  Tools: RXXR, SDL Regex Fuzzer

Slide 47

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)
- Review regexes in our own or external code for evil patterns.
  Tools: RXXR, SDL Regex Fuzzer
- Do not use user-supplied input as a regex.

Slide 48

ENGAGE IN WARFARE: Mitigating Overlooked Security Attacks
HTTP Parameter Pollution (HPP)

Slide 49

HTTP PARAMETER POLLUTION: Quiz
    // GET /search?firstname=John&firstname=John
    req.query.firstname //=>

Slide 50

HTTP PARAMETER POLLUTION
    // GET /search?firstname=John&firstname=John
    req.query.firstname //=> ["John", "John"]

Slide 51

HTTP PARAMETER POLLUTION
    // POST firstname=John&firstname=John

Slide 52

HTTP PARAMETER POLLUTION
    // POST firstname=John&firstname=John
    req.body.firstname //=> ["John", "John"]

Slide 53

HTTP PARAMETER POLLUTION
- Express collects HTTP request parameters with the same name into an array.

Slide 54

HTTP PARAMETER POLLUTION
- Express collects HTTP request parameters with the same name into an array.
- An attacker can intentionally pollute request parameters to exploit this mechanism.

Slide 55

HTTP PARAMETER POLLUTION
An attacker can exploit HPP to:
- Trigger type errors in the application.
[Figure: Server Console]

Slide 56

HTTP PARAMETER POLLUTION
- Any uncaught error in async code could crash the HTTP server, causing DoS.

Slide 57

HTTP PARAMETER POLLUTION
An attacker can exploit HPP to:
- Modify application behavior.
[Figure: DB Shell]

Slide 58

HTTP PARAMETER POLLUTION
An attacker can exploit HPP to:
- Bypass input validations applied to strings in our own code, a WAF, or browser filters.

Slide 59

HTTP PARAMETER POLLUTION
An attacker can exploit HPP to:
- Bypass input validations applied to strings in our own code, a WAF, or browser filters.

Slide 60

HTTP PARAMETER POLLUTION
- Check the expected type as part of input validation.

Slide 61

HTTP PARAMETER POLLUTION
- Check the expected type as part of input validation.
- Implement a robust error handling mechanism using try/catch, domain, and cluster.

Slide 62

ENGAGE IN WARFARE: Mitigating Overlooked Security Attacks
OWASP Top 10

Slide 63

OWASP NODEGOAT
- Educate developers about the OWASP Top 10 risks.

Slide 64

OWASP NODEGOAT
- Educate developers about the OWASP Top 10 risks: OWASP Node Goat Project

Slide 65

Quick Recap

Slide 66

QUICK RECAP
- Remove the X-Powered-By response header and use generic session cookie names.
- Keep watch on security vulnerabilities in dependencies.

Slide 67

QUICK RECAP
- Ensure HTTP GET requests are idempotent.
- Include the method-override module before any module that depends on the method of the request.

Slide 68

QUICK RECAP
- Encode for all contexts on both server and client to protect against XSS attacks.
- Use the HTTPOnly and Secure attributes on the session cookie, and include CSP headers.

Slide 69

QUICK RECAP
- Review regexes for evil patterns to mitigate ReDoS attacks.
- Verify input types as part of validation.

Slide 70

May Victory Be Yours.
Twitter: @karande_c

Slide 71

Links
- HP 2013 cyber risk report: http://www8.hp.com/h20195/v2/GetPDF.aspx/4AA5-0858ENW.pdf
- Node.js security vulnerabilities: http://blog.nodejs.org/vulnerability/
- Express security updates: http://expressjs.com/advanced/security-updates.html
- npm outdated: https://www.npmjs.org/doc/cli/npm-outdated.html
- Node Security Project: https://nodesecurity.io/advisories
- Retire.js: http://open.bekk.no/retire-js-what-you-require-you-must-also-retire
- RXXR: http://www.cs.bham.ac.uk/~hxt/research/rxxr-download.shtml
- SDL Regex Fuzzer: http://www.microsoft.com/en-us/download/details.aspx?id=20095
- OWASP ESAPI: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
- OWASP Node Goat Project: https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project

Slide 72

Image Credits
- http://www.shutterstock.com/pic.mhtml?id=93406768
- http://www.shutterstock.com/pic.mhtml?id=67916401
- http://www.shutterstock.com/pic.mhtml?id=97398575
- http://www.bigstockphoto.com/image-36498607
- http://openclipart.org/detail/169260/medieval-cannon-by-helm42