Transcription
Hacking NodeJS applications for fun and profit. Testing NodeJS Security. By @jmortegac
Agenda: Introduction, NodeJS security, Npm security packages, Node Goat project, Tools
Node JS: JavaScript in the backend. Built on Chrome's JavaScript runtime (V8). NodeJS is based on an event loop. Designed to be asynchronous. Single thread. Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.
ecurity-updates.html
ries
Npm security packages: lidator, bcrypt-node, express-enforces-ssl
Security HTTP Headers
Helmet module https://www.npmjs.com/package/helmet
Helmet module https://github.com/helmetjs/helmet
Helmet module: hidePoweredBy; hpkp (protection against MITM); hsts (forces HTTPS connections); noCache (disables client cache); frameguard (protection against clickjacking); xssFilter (protection against XSS)
Helmet CSP
Check headers security: http://cyh.herokuapp.com/cyh https://securityheaders.io/
Express versions: https://www.shodan.io/search?query=express
Disable x-powered-by
Disable x-powered-by: avoid framework fingerprinting
Disable x-powered-by: use Helmet and its "hide-powered-by" plugin
Sessions management: secure, httpOnly, domain, path, expires. https://www.npmjs.com/package/cookie-session
httpOnly & secure: true
XSS attacks. An attacker can exploit an XSS vulnerability to: steal session cookies / session hijacking; redirect users to malicious sites; defacing and content manipulation; Cross Site Request Forgery
CSRF attacks
https://www.npmjs.com/package/csurf
CSRF. Expose the csurf token to templates and submit it as a hidden form field (the slide's snippet used two different names for the token, csrftoken and csrfToken; both are csrfToken here so the template reads the value that was set):
// Make the per-request csurf token available to every view
app.use(function (request, response, next) {
  response.locals.csrfToken = request.csrfToken();
  next();
});
<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
  <button type="submit">Submit</button>
</form>
CSRF
Filter/sanitize user input. Fixing XSS attacks: https://www.npmjs.com/package/sanitizer ; module express-validator: https://www.npmjs.com/package/express-validator
Express Validator
ode
Node Goat http://nodegoat.herokuapp.com/tutorial
Node Goat https://github.com/OWASP/NodeGoat
).toString())
Insecure Direct Object References. Use the session instead of a request param: var userId = req.session.userId;
Tools: KrakenJS, Lusca middleware, NodeJsScan
http://krakenjs.com/
https://github.com/krakenjs/lusca
NodeJsScan https://github.com/ajinabraham/NodeJsScan
lob/master/rules.xml
NodeJsScan
GitHub repositories https://github.com/jmortega/testing nodejs e https://github.com/Feeld/strong-node
Node security learning d-exploitation/
Books
References ps://www.owasp.org/index.php/Projects/OWASP Node js Goat Project