NODE.JS SECURITY DONE RIGHT - OWASP

Transcription

NODE.JS SECURITY DONE RIGHT: Tips and Tricks They Won't Teach You in School
Liran Tal, R&D Team Lead for a Full-Stack Technology Web Marketplace

Hello! I am Liran Tal, R&D Team Lead for a Full-Stack Technology Web Marketplace

Open Source Evangelist

Agenda
1. Node.js background
2. Security Horror Stories in Node.js
3. Tips & Recipes: Security by HTTP Headers, Secure Session Cookies, NoSQL Injection, Regular Expressions DoS Attack, Dependency Vulnerability Scanning, Security as a Service

The Big Bang of JavaScript

Node.js: born in 2009, open source, cross-platform, asynchronous JavaScript runtime

"Ryan Dahl was inspired to create Node.js after seeing a file upload progress bar on Flickr."
Source: https://en.wikipedia.org/wiki/Node.js

By 2011: Node.js 0.1.14, package management (npm)

Node.js: rapid adoption

Node.js is JavaScript. JavaScript is everywhere.

2015 GitHub Developer Survey: 50,000 software engineers worldwide

JavaScript wins backend and frontend popularity

JavaScript wins most open source projects

Security Horror Stories in Node.js

January 2015: the rimrafall package is published to npm

rimrafall ?

rimrafall: an npm preinstall script that runs rm -rf /* (npm executes it automatically during npm install, with the installing user's privileges)

Phishing Attacks, npm Style (typosquatting package names)

validator.js helps validate and sanitize strings

npm install validator.js --save

validator.js is not validator! The real package is named validator; validator.js is a different package with a lookalike name.

Malicious modules of similar names

socket.io: 3,500,000 downloads vs. socketio: 2,000 downloads

uglify-js: 11,000,000 downloads vs. uglifyjs: 50,000 downloads

Failing to educate the younger generation

Seemingly innocent tutorial to learn from

Tips & Recipes to Secure Node.js

1. Security by HTTP Headers

Strict-Transport-Security: browsers enforce secure connections to the server (HTTPS only, for the max-age period)

X-Frame-Options: clickjacking protection by not rendering the content in iframes (DENY or SAMEORIGIN)

Content-Security-Policy: whitelist trusted content and services

X-XSS-Protection: enables the browser's built-in XSS filter (IE8, IE9). Note that this filter has since been removed from Chrome and Edge and was never implemented in Firefox; treat the header as legacy and rely on Content-Security-Policy instead.

X-Content-Type-Options: browsers do not sniff the MIME type of responses (IE8, Chrome, Safari); the only value is nosniff

Helmet: securing Express.js

Putting it all together with Helmet and Express.js

Lusca: securing Express.js

Putting it all together with Lusca and Express.js

2. Securing the Cookies

Secure: the cookie is sent over HTTPS connections only

httpOnly: the cookie is not accessible from JavaScript (document.cookie), so a script injected via XSS cannot read the session ID; it does not stop that script from making requests that carry the cookie

Fingerprinting Node.js

Fun with Headers

3. NoSQL Injections

Creating TRUE (always-matching) query statements


Show me the code: Live Demo!

No HTTP body parsing in Express.js itself; it relies on the body-parser library

Express.js uses the body-parser library to access the HTTP body payload. body-parser turns a JSON body (or, with urlencoded extended parsing, a[$gt]= style form fields) into nested objects, so req.body.username may be an object rather than a string.


Validate Input
- Validate length and type
- Validate & sanitize input to the expected type
- Parameter binding
- Security in depth


4. ReDoS: Regular Expressions DoS

Requirement: validate that the input has at least one 'a' character, allowing unlimited occurrences

3 Months Later

More work on the feature: a different engineer gets the job. The requirement changes: validate that the input has exactly 10 'a' characters.

Show me the code: Live Demo!

Attacker sends: Array(100).join('a') + '!'

BOOM

ReDoS in the wild: Express.js uses the negotiator module to parse the Accept-Language header

negotiator: 10,000,000 downloads

Best Practices: the validator.js Node.js module

Best Practices: the safe-regex Node.js module checks a regex's complexity for backtracking vulnerability

Best Practices: the OWASP Validation RegEx Repository

5. Vulnerability Scan

Ask yourself: are my dependencies vulnerable?

snyk
- checks the CVE database for known issues
- checks the installed node_modules directory
- provides patch-level fixes
- provides an interactive patch wizard

nsp
- checks the CVE database for known issues
- checks the installed node_modules directory

shrinkwrap
- pins down dependencies
- pins down devDependencies
- ship with the packages you tested
- avoid surprises in the production build

SecurityOps: integrate security into your build pipeline

6. Security as a Service

david-dm
- monitors Node.js dependencies
- checks the installed node_modules directory

bithound.io
- monitors Node.js dependencies
- lint / static code analysis

Summary:
1. Helmet or Lusca for secure HTTP headers
2. Obscure the session cookie name
3. Validate and sanitize req.body parameters before they reach NoSQL queries
4. Use validator.js for regex-based validation
5. Check dependencies with snyk and nsp
6. SaaS security with bithound.io and david-dm

Thanks! Any questions? liran.tal@hpe.com, GitHub
