Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing your nodejs deployments while you sleep

Nafeez
September 19, 2014

Securing your nodejs deployments while you sleep

JSFoo 2014, Bangalore.

Developers push code at a much faster rate, that your security engineers don’t have enough time to take a look at them. Most of the vulnerabilites like XSS & CSRF comes in to existence when developers try to bring the next uber feature live, by not giving much attention to security or one of them is simply not aware of writing secure code. It has been a problem which is worrying most of the startups and organizations recently. In spite of having a secure framework which inherently takes care of most common security issues, it becomes a nightmare for security engineers / testers to take a look at every code commit for a vulnerability in their code. This talk is about automating the process of finding insecure code pushes for Nodejs deployments.

Nafeez

September 19, 2014
Tweet

More Decks by Nafeez

Other Decks in Technology

Transcript

  1. Securing your nodejs
    deployments while you
    sleep
    Ahamed Nafeez
    !

    View Slide

  2. View Slide

  3. Continuous Delivery

    View Slide

  4. A vulnerability gets out to the internet
    before
    the security team looks at it or a scanner is run.
    Code deployment is now
    near instantaneous

    View Slide

  5. Constant iteration in production via feature flags,
    A/B testings etc

    View Slide

  6. Attack vs Defence

    View Slide

  7. A-B usability tests
    Error-Catchers
    Benchmarking
    These don’t write themselves

    View Slide

  8. What about the security of your data and
    nodejs app?

    View Slide

  9. People start with a simple access control policy-
    Everyone has access to everything.

    View Slide

  10. Or maybe you never gave a thought about your front-
    end architecture to prevent against,
    Cross-Domain attacks

    View Slide

  11. Security should be a first class requirement.

    View Slide

  12. Watch the code as soon as it gets deployed.
    !
    Do Continuous Integration with security checks relevant to
    the Diffs / Delta

    View Slide

  13. What if you could monitor code commits
    for insecure patterns / behaviours?

    View Slide

  14. Lets try doing that to a repository on GitHub

    View Slide

  15. 1. Use GitHub’s WebHooks.

    2. Get all commits to your repository.

    3. Get the DIFF and send it across various security tests.
    In 3 simple steps

    View Slide

  16. What can you test?

    View Slide

  17. !
    1. Insecure usage of templates for Cross-Site Scripting (XSS)
    2. Insecure libraries
    3. . . .
    !
    !
    Simple static analysis !

    View Slide

  18. !
    1. New routes being added!!
    2. State changing routes being added
    !
    Dynamic analysis !

    View Slide

  19. git-watchdog 

    Collects post-receive from GitHub and
    alerts you on security errors


    View Slide

  20. Cross-Site Scripting
    (XSS)

    View Slide

  21. Imagine an injection context
    inside a JS variable

    <br/>var a = “—-user-input-here—”;<br/>alert(‘Finished’);<br/>

    View Slide

  22. Just strip out / escape the “ character
    (Double Quotes)

    View Slide

  23. Guess what happens ?

    <br/>var a = “”;
    alert(‘Finished’);


    View Slide

  24. HTML Parser have preference over JS Parser.

    View Slide

  25. Principle of Un-obtrusive Javascript
    Client-Side Templating
    Content Security Policy
    Reduce the entry point to one
    What defensive front-end architecture looks like

    View Slide

  26. Templating & XSS
    <%= %>, {{ }} — HTML Encoded - Usually XSS
    Safe
    <%- %>, {{{ }}} — No Encoding - Causes XSS in
    any context. Your design should naturally avoid
    this.

    View Slide

  27. This works until someone who doesn’t understands your
    code starts committing to production.

    View Slide

  28. Things to look out
    Anything which has <%- or {{{ needs some
    attention.
    Write a simple module which checks the code
    commits for that.

    View Slide

  29. Writing an XSS checker in git-watchdog

    View Slide

  30. ExpressJS!
    Web Application framework for node

    View Slide

  31. Scan on new routes being
    added?
    In Express, app._router.stack gives you all
    the registered routes.
    Pretty useful if you want to trigger a scan for a
    newly added end-point.!
    Figure out what works for your framework!

    View Slide

  32. Lets discuss more
    @skeptic_fx

    View Slide