node_security_pdf.pdf

Transcript

1. Node.js Security Tips Tamar Twena-Stern

2. Tamar Twena-Stern • Software Engineer - manager and architect •

   Architect @PaloAltoNetworks • Was a CTO of my own startup • Passionate about Node.js ! • Twitter: @SternTwena

3. Tamar Twena-Stern • Just Finished My Maternity Leave • Have

   3 kids • Loves to play my violin • Javascript Israel community leader

4. Node.js Framework •Server side platform for developing servers • Web

   • Mobile • Enterprise •Open source, cross platform •Enables to build fast and scalable network applications

5. Traditional Approach - Blocking IO client thread request request request

   thread thread Server

6. Node.js Architecture - High Level

7. What Is An Attack ? • An attack launched from

   one or more computers • The attack is against another computer, multiple computers or networks • Two broad types : • Denial of service attack • Get target computer’s data

8. Now, Lets Hack Some Code

9. Eval Is Evil

10. Eval Function • JavaScript function which is used for evaluate

    code. • Evaluate an expression \ code • You will get the result of the evaluation

11. Eval Code Samples

12. Denial Of Service Attack • Attacker seeks to make the

    service unavailable to it’s intended users • For Eval function, the most common attack type is achieved by : • Inject a script that will cause a CPU intensive operation and cause the server to be too busy in performing it

13. Demo – Denial Of Service Attack Using Script Injection To

    Eval

14. Don’t Use Eval • Makes your application vulnerable to multiple

    kind of attacks: • injection attacks. • Denial of service attacks • And more

15. But I Did Not See A Lot Of Code With

    Eval In Node.js Echo System …

16. Node.js Echo System Functions That Based On Eval • setInterval

    • setTimeout • new Function(string)

17. Preventing The Attack

18. Cross Language Solutions • If you do use eval /setImmediate

    /setTimeout: • The expression is not come from the user input • Use escaping techniques on the expression • Use blacklist / whitelist approach on the expression

19. ESLint Security PlugIn • Hard to detect a user input

    that directly arrives to eval on big repositories • ESLint security plugin comes to the rescue

20. Demo - ESLint Security PlugIn

21. What Else ESLint Security PlugIn Detects ? • File Injection

    - variables inside file paths • Allow the attacker to Access everything in your system • RegExp Injection - variables inside regex • Allow an attacker to DOS your server with a long-running regular expression

22. Demo - ESLint Security PlugIn - Detect File Injection

23. Lets Look At Another Popular Denial Of Service Attack

24. Flooding The Server With Requests • Each server has a

    limited amount of requests it can handle • Depends on hardware + cluster size • When too many requests arrived - the server cannot serve any of them

25. Defence - Rate Limiting • Rate Limiting : • Recognise

    the request’s source ip • Block the requests if too many requests are coming from the same IP within specific time window • Can also help in preventing brute force password guessing attacks – • multiple requests are sent to a specific endpoint to guess the password

26. Demo - Use Rate Limit On A Single Node.js Server

27. Rate Limit Support In Cluster

28. Rate Limit Support In Cluster - Cloud Services • Cloudflare

    - Cloud services for rate limit • AWS - support of rate limit on the API gateway layer • Configuring rate limit in Google Cloud Platform

29. Preventing Password Brute Force Attacks By Username • You can

    limit login routes per request ip, and also per username and password. • Limiting login routes per username can be very helpful to prevent password brute force attacks • In many attacks, using only IP parameter is not enough – since requests can come from multiple IPs.

30. Express-Brute Library

31. Express-Brute Library

32. Validating User Input On Request

33. Node.js Request Input Validation • The most common use of

    Node.js is to build a REST api using express library. • Most developers writing the REST layer using Express library. • Usually, input is taken from request body or url query . • In most cases, input is transferred to the next layer in the pipeline as it received from user.

34. Injection Attack • Allows the attacker to supply untrusted input

    to a program • The input will get processed as part of the execution of the software • The input can cause damage to the software • Example : • SQL injection • Command injection

35. Let’s Perform Login Without Knowing Even One Valid Username Or

    Password ….

36. Defend This Attack • In Express - Almost all functionalities

    are added with middlewares. • It is crucial to add a middleware that performs input validations on the requests that arrives to the server. • You can write one yourself – or use one of the known middlewares exists.

37. Demo – User Input Validations Using Express middleware

38. Other Capabilities Of Express Validator • Multiple built in functionality

    : • Optional parameters • Validating hex colors • Matching a url or a constant value • Validating numbers • Provide a schema to the validator to create any rule based validation required to your application

39. Demo – Using Escape To Prevent Query Injection

40. Escape Native JavaScript Function • Native JavaScript function • Encodes

    special characters • Can be used to sanitize the input you give to the DB • You can wrap each parameter to protect from query injections. • Can be used for escaping HTMLs , JavaScript scripts and too.

41. Child Processes And Command Injections

42. Child Process Module • Ability to spawn a child process

    • Enables to access operating system functionality by running system commands in a child process • Control child process’s input stream • Listen to the child process’s output stream

43. Child Process Code Sample

44. Lets See Code That Is Vulnerable For Command Injection

45. Defend This Attack • Prefer Using Spawn Or execFile methods

    – that limit you to execute one command • Always validate and sanitise user input. • Limit permissions of parent and child process , by using the appropriate identities in your system.

46. Questions ?

47. • Twitter: @SternTwena