Node.js
entire HTTP interaction.
• Bad
• Your web server is only as secure as you make it.
• Introduces trivial-to-exploit SSI, depending on programming techniques
OWASP Top 10
Scripting
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulns
• Unvalidated Redirects and Forwards
Security Mindset
defend against a reasonable level of attacker skill set
• Trust you can recover from that which you cannot prevent
• Your users can trust your product
• Your product does not trust its users
Insecure Direct Object Reference
instances.
• Authorization
• Knowledge of identifier values is the only thing required to access the associated record.
Insecure Direct Object Reference
has access to a resource or function before operating on it.
• Access controls should be enforced at the controller level, not the route level.
• This double-checks access in case multiple routes point to the same controller.
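Controller-level enforcement of the check above, as an added example that is not part of the slides: the in-memory record store, the `req.user` / `req.params` shape and the small route matcher are assumptions made for the demonstration.

```javascript
// Added example (not from the slides): the access decision lives in the controller,
// so every route that reaches it is covered. Store and request shape are constructed.
const documents = new Map([
  [1, { id: 1, ownerId: 'alice', body: 'alice-private' }],
  [2, { id: 2, ownerId: 'bob', body: 'bob-private' }],
]);

// IDOR-prone controller: knowing the id is all that is required to read the record.
function getDocumentInsecure(req) {
  const doc = documents.get(Number(req.params.id));
  return doc ? { status: 200, body: doc.body } : { status: 404 };
}

// Authorization decision, made once, next to the data access it protects.
function canRead(user, doc) {
  return Boolean(user) && (user.id === doc.ownerId || user.role === 'admin');
}

function getDocumentSecure(req) {
  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id < 1) return { status: 400 };
  const doc = documents.get(id);
  // Same status for "missing" and "not yours": do not confirm that the record exists.
  if (!doc || !canRead(req.user, doc)) return { status: 404 };
  return { status: 200, body: doc.body };
}

// Two routes share one controller; both inherit the check without any per-route code.
const routes = {
  'GET /documents/:id': getDocumentSecure,
  'GET /api/v1/docs/:id': getDocumentSecure,
};

// Assumed: a tiny matcher that maps a concrete path back to its route pattern.
function dispatch(method, path, req) {
  const key = Object.keys(routes).find((pattern) => {
    const [m, p] = pattern.split(' ');
    if (m !== method) return false;
    const re = new RegExp('^' + p.replace(/:([a-zA-Z]+)/g, '(?<$1>[^/]+)') + '$');
    const match = path.match(re);
    if (match) req.params = { ...(match.groups || {}) };
    return Boolean(match);
  });
  return key ? routes[key](req) : { status: 404 };
}
```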
CSRF
• Multi-step process == mistakes
• Order matters! Must be included after express.session
• Express ignores tokens in GET, OPTIONS and HEAD requests
• method-override anyone?
Business Logic Flaws
• Where are decisions made?
• What about Node.js' asynchronous function calls?
• Especially when dealing with authorization decisions.