Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing your nodejs deployments while you sleep

Nafeez
September 19, 2014
Technology
3
290

Securing your nodejs deployments while you sleep

JSFoo 2014, Bangalore.

Developers push code at a much faster rate, that your security engineers don’t have enough time to take a look at them. Most of the vulnerabilites like XSS & CSRF comes in to existence when developers try to bring the next uber feature live, by not giving much attention to security or one of them is simply not aware of writing secure code. It has been a problem which is worrying most of the startups and organizations recently. In spite of having a secure framework which inherently takes care of most common security issues, it becomes a nightmare for security engineers / testers to take a look at every code commit for a vulnerability in their code. This talk is about automating the process of finding insecure code pushes for Nodejs deployments.

Nafeez

September 19, 2014
Tweet

More Decks by Nafeez

See All by Nafeez
Voracle - Compression Oracle Attacks on VPN Tunnels
skepticfx
2
6.6k
DomFlow - Untangling the DOM for easy juicy bugs
skepticfx
2
1.2k
Attacking Web Proxies in the modern Era.
skepticfx
3
730
JS Suicide: Using Javascript's security features to kill itself
skepticfx
2
800
alert(/xss/) – How to catch an XSS before someone reports or exploits it?
skepticfx
2
150

Other Decks in Technology

See All in Technology
MySQL の SQL クエリチューニングの要所を掴む勉強会
andpad
2
6k
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
150
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
150
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
760
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.3k
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
4
4.7k
JAWS-UG Bedrock Claude Night
yamahiro
3
540
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
440
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
120
API Gatewayと少し仲良くなってみた!
masuchoku
0
100
DevOpsDays History and my DevOps story
kawaguti
PRO
9
2.4k
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
250

Featured

See All Featured
The Brand Is Dead. Long Live the Brand.
mthomps
49
28k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Atom: Resistance is Futile
akmur
259
25k
GraphQLとの向き合い方2022年版
quramy
32
12k
A Tale of Four Properties
chriscoyier
151
22k
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Git: the NoSQL Database
bkeepers
PRO
422
63k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
Building Adaptive Systems
keathley
31
1.9k
[RailsConf 2023] Rails as a piece of cake
palkan
23
3.9k

Transcript

  1. Securing your nodejs deployments while you sleep Ahamed Nafeez !

  2. None

  3. Continuous Delivery

  4. A vulnerability gets out to the internet before the security

    team looks at it or a scanner is run. Code deployment is now near instantaneous

  5. Constant iteration in production via feature flags, A/B testings etc

  6. Attack vs Defence

  7. A-B usability tests Error-Catchers Benchmarking These don’t write themselves

  8. What about the security of your data and nodejs app?

  9. People start with a simple access control policy- Everyone has

    access to everything.

  10. Or maybe you never gave a thought about your front-

    end architecture to prevent against, Cross-Domain attacks

  11. Security should be a first class requirement.

  12. Watch the code as soon as it gets deployed. !

    Do Continuous Integration with security checks relevant to the Diffs / Delta

  13. What if you could monitor code commits for insecure patterns

    / behaviours?

  14. Lets try doing that to a repository on GitHub

  15. 1. Use GitHub’s WebHooks.
 2. Get all commits to your

    repository.
 3. Get the DIFF and send it across various security tests. In 3 simple steps

  16. What can you test?

  17. ! 1. Insecure usage of templates for Cross-Site Scripting (XSS)

    2. Insecure libraries 3. . . . ! ! Simple static analysis !

  18. ! 1. New routes being added!! 2. State changing routes

    being added ! Dynamic analysis !

  19. git-watchdog 
 Collects post-receive from GitHub and alerts you on

    security errors


  20. Cross-Site Scripting (XSS)

  21. Imagine an injection context inside a JS variable <html> <script>

    var a = “—-user-input-here—”; alert(‘Finished’); </script> </html>

  22. Just strip out / escape the “ character (Double Quotes)

  23. Guess what happens ? <html> <script> var a = “</script><svg/onload=alert(2)>”;

    alert(‘Finished’); </script> </html>

  24. HTML Parser have preference over JS Parser.

  25. Principle of Un-obtrusive Javascript Client-Side Templating Content Security Policy Reduce

    the entry point to one What defensive front-end architecture looks like

  26. Templating & XSS <%= %>, {{ }} — HTML Encoded

    - Usually XSS Safe <%- %>, {{{ }}} — No Encoding - Causes XSS in any context. Your design should naturally avoid this.

  27. This works until someone who doesn’t understands your code starts

    committing to production.

  28. Things to look out Anything which has <%- or {{{

    needs some attention. Write a simple module which checks the code commits for that.

  29. Writing an XSS checker in git-watchdog

  30. ExpressJS! Web Application framework for node

  31. Scan on new routes being added? In Express, app._router.stack gives

    you all the registered routes. Pretty useful if you want to trigger a scan for a newly added end-point.! Figure out what works for your framework!

  32. Lets discuss more @skeptic_fx