Securing your nodejs deployments while you sleep

Ahamed Nafeez
September 19, 2014

JSFoo 2014, Bangalore.

Developers push code at a much faster rate than security engineers can review it. Most vulnerabilities like XSS and CSRF come into existence when developers rush to bring the next uber feature live without paying much attention to security, or are simply not aware of how to write secure code. This has recently become a worrying problem for most startups and organizations. Even with a secure framework that inherently takes care of the most common security issues, it becomes a nightmare for security engineers and testers to look at every code commit for a vulnerability. This talk is about automating the process of finding insecure code pushes for Node.js deployments.


Transcript

Slide 4. A vulnerability gets out to the internet before the security team looks at it or a scanner is run. Code deployment is now near instantaneous.

Slide 10. Or maybe you never gave a thought to your front-end architecture to defend against cross-domain attacks.

Slide 12. Watch the code as soon as it gets deployed. Do continuous integration with security checks relevant to the diffs / delta.

Slide 15. In 3 simple steps:
  1. Use GitHub's WebHooks.
  2. Get all commits to your repository.
  3. Get the DIFF and send it across various security tests.

Slide 17. Simple static analysis:
  1. Insecure usage of templates for Cross-Site Scripting (XSS)
  2. Insecure libraries
  3. ...

Slide 21. Imagine an injection context inside a JS variable:

    <html>
    <script>
    var a = "--user-input-here--"; alert('Finished');
    </script>
    </html>

Slide 25. What defensive front-end architecture looks like: the principle of unobtrusive JavaScript, client-side templating, Content Security Policy, and reducing the entry point to one.

Slide 26. Templating & XSS: <%= %> and {{ }} are HTML encoded, usually XSS safe. <%- %> and {{{ }}} apply no encoding and cause XSS in any context; your design should naturally avoid this.

Slide 28. Things to look out for: anything which has <%- or {{{ needs some attention. Write a simple module which checks the code commits for that.

Slide 31. Scan on new routes being added? In Express, app._router.stack gives you all the registered routes. Pretty useful if you want to trigger a scan for a newly added end-point. Figure out what works for your framework!