Transcription
NODE.JS SECURITYDONE RIGHTTips and TricksLiran TalR&D Team Lead for a Full-Stack TechnologyWeb MarketplaceThey Won’t TeachYou in School
Hello!I amLiran TalR&D Team Lead for a Full-Stack TechnologyWeb Marketplace
Open Source Evangelist
Agenda1. Node.js background2. Security Horror Stories in Node.js3. Tips & Recipes Security by HTTP HeadersSecure Session CookiesNoSQL InjectionRegular Expressions DOS attackDependencies Vuln’ ScanningSecurity as a Service
The Big Bang of JavaScript
Node.js Born in 2009 Open Source Cross-Platform Asynchronous JavaScript Runtime
“Ryan Dahl was inspired to create Node.jsafter seeing a file upload progressbar on Flickr.source: https://en.wikipedia.org/wiki/Node.js
By 2011 Node.JS 0.1.14 Package Management (npm)
Node.JS Rapid Adoption
Node.JS is JavaScriptJavaScript is Everywhere
2015 GitHubDeveloper Survey50,000 World WideSoftware Engineers
JavaScript winsBackend and Frontendpopularity
JavaScript winsmost open sourceprojects
SecurityHorrorStoriesin Node.JS
By January 2015 rimrafall package published to npm
rimrafall ?
rimrafall npm pre-install script rm –rf /*
Fishing Attacks,npm Style
validator.js helps validate and sanitize strings
npm install validator.js --save
validator.js! validator
malicious modulesof similar names
malicious modulesof similar names3,500,000 socket.io2,000 socketio
malicious modulesof similar names11,000,00050,000uglify-jsuglifyjs
Failing to educatethe youngergeneration
seemingly innocenttutorial to learn from
Tips &Recipes toSecureNode.js
1Security by HTTPHeaders
STRICT-TRANSPORTSECURITYBrowsers enforce secureconnections to the server(HTTPS)
X-FRAME-OPTIONSClickjacking protectionby not rendering contentin iframes
CONTENT-SECURITYPOLICYWhitelist trusted content,and services
X-XSS-PROTECTIONenables *browser XSSfiltering* IE8 IE9
X-CONTENT-TYPEOPTIONS*browsers do not sniffMIME responses*IE8 Chrome Safari
HelmetSecuring ExpressJS
Putting it alltogetherwith Helmet andExpressJS
LuscaSecuring ExpressJS
Putting it alltogetherwith Lusca andExpressJS
2Securing the Cookies
SECUREcookies sent over HTTPSconnections only
httpOnlycookies are notaccessible fromJavaScript
Fingerprinting Node.JS
Fun with Headers
3noSQL Injections
Creating TRUESQL statements
Creating TRUESQL statements
show me the code Live Demo!
No HTTP body inExpressJSit relies on bodyParser lib
ExpressJS usesbodyParserlibrary to accessHTTP bodypayload
ExpressJS usesbodyParserlibrary to accessHTTP bodypayload
Creating TRUESQL statements
Creating TRUESQL statements
Validate Input Validate Length and Type Validate & Sanitize input to expectedtype Parameters Binding Security in Depth
ExpressJS usesbodyParserlibrary to accessHTTP bodypayload
4ReDoSRegular Expressions DoS
Requirement: Validate the input has at least one ‘a’character and allow unlimitedoccurences
3 Months Later
More work on thefeature: Different Engineer gets the job Requirement changes: Validate theinput has exactly 10 characters of ‘a’
show me the code Live Demo!
Attacker sends Array(100).join(‘a’) ‘!’
BOOM
ExpressJS usesneogitator parsing the Accept-Language headerParameters Binding
10,000,000negotiator
Best Practices Validator.js node.js module
Best Practices safe-regex node.js module checks regex complexity/backtrackingvulnerability
Best Practices OWASP Validation RegEx Repo
5Vulnerability Scan
ask yourselfAre my dependenciesvulnerable?
snyk check cve db for known issues check installed node modules dir provides patch-level fix provides interactive patch wizard
nsp check cve db for known issues check installed node modules dir
shrinkwrap pin-down dependencies pin-down devDependencies ship with tested packages avoid surprises in production build
SecurityOpsIntegrated Security into yourbuild pipeline
6Security as a Service
david-dm monitor nodejs dependencies check installed node modules dir
Bithound.io monitor nodejs dependencies lint / static code analysis
Summary:123Helmet or Lusca for secure HTTPheadersObsecure the session nameValidate and Sanitize req.body paramsto NoSQL
Summary:456Use validator.js for regexDependencies check with snyk, andnspSaaS Security with bithound.io anddavid-dm
Thanks!Any questions? liran.tal@hpe.com GitHub
1. Node.js background 2. Security Horror Stories in Node.js 3. Tips & Recipes Agenda Security by HTTP Headers Secure Session Cookies NoSQL Injection Regular Expressions DOS att