Node.JS security

Post on 12-Jul-2015


Node Security

By

Rejah Rehim

Know what you require();

NPM has ~75000 modules

Use good Security Defaults

Node is a set of barebones modules

Express is a barebones framework

Lusca

App security module for express

var express = require('express'),
    app = express(),
    lusca = require('lusca');

With Express Middleware

● app.use(lusca.csrf());
● app.use(lusca.csp({ /* ... */ }));
● app.use(lusca.xframe('SAMEORIGIN'));
● app.use(lusca.p3p('ABCDEF'));
● app.use(lusca.hsts({ maxAge: 31536000 }));
● app.use(lusca.xssProtection(true));

Mount your session middleware before lusca.csrf(): it stores the token in req.session and throws if no session is present.

CSRF

Trick victim's browser into making malicious requests

Lusca.csrf()

Uses the Synchronizer Token pattern

1) Create a random token on the server side, once per session

2) Add the token to res.locals

3) Render that token into the app's pages (hidden form field or a header value the client can read)

4) The browser sends it back with every POST, PUT and DELETE request

5) Verify the token matches the one in the session, else return 403

CSP

● Content Security Policy
● Basically an allowlist: the browser only loads scripts, styles, frames etc. from the sources you name

Lusca.csp()

app.use(lusca.csp({
    policy: {
        'default-src': '\'none\'',      // keywords (none, self) must be quoted in the header
        'script-src': '\'self\' https://apis.google.com'
    },
    reportUri: '/report-violation'     // browsers POST a JSON violation report here
}));
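What the policy object above turns into on the wire, and what comes back to reportUri, as an added example. This is my own code, not lusca's serializer (lusca may format the header differently); buildCspHeader and parseCspReport are hypothetical names and the report body is constructed for the demo.

```javascript
// Added example, not lusca's code: serialize a policy object into a
// Content-Security-Policy header value and decode a browser's violation report.
const CSP_KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);

// The keywords self/none/unsafe-* only mean something when single-quoted;
// an unquoted `none` is read as a host name, which silently weakens the policy.
function quoteSource(src) {
  const bare = src.replace(/^'|'$/g, '');
  return CSP_KEYWORDS.has(bare) ? "'" + bare + "'" : src;
}

function buildCspHeader(policy) {
  return Object.keys(policy).map(function (directive) {
    const sources = String(policy[directive]).trim().split(/\s+/).map(quoteSource);
    return directive + ' ' + sources.join(' ');
  }).join('; ');
}

// Browsers POST {"csp-report": {...}} to the reportUri. Pull out the three
// fields that tell you what was blocked and where.
function parseCspReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r) return null;
  return {
    page: r['document-uri'],
    directive: r['violated-directive'] || r['effective-directive'],
    blocked: r['blocked-uri']
  };
}

// Constructed sample report, shaped like what a browser sends.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example/',
    'violated-directive': 'script-src',
    'blocked-uri': 'https://evil.example/x.js'
  }
});
```

Log and alert on the reports: a burst of blocked script-src violations from one page is either a broken deploy or an injection attempt, and either way you want to know.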

Lusca.hsts()

● Tells the browser to use HTTPS only for this host for maxAge seconds
● Prevents SSL-stripping MITM on later visits; the header is only honoured when received over HTTPS, so the first visit is still unprotected

Lusca.xframe()

● Prevents others from loading your app in an iframe (clickjacking); sends X-Frame-Options

HTTPOnly Cookies

● httpOnly: JavaScript cannot read the session cookie, so an XSS cannot simply exfiltrate it (prevents the easiest session hijacking)
● secure: the cookie is only sent over HTTPS

var session = require('express-session'); // express.session() was removed in Express 4
app.use(session({
    secret: 'My super session secret',
    resave: false,
    saveUninitialized: false,
    cookie: { httpOnly: true, secure: true } // secure: true needs HTTPS (or trust proxy behind TLS termination)
}));

Eval is evil

Node Security Project

● Audit all modules in NPM
● Contribute patches
● Educate others

Scan For vulnerable modules

npm install grunt-nsp-package --save-dev

grunt validate-package

Update your dependencies

(NSP's advisory database has since been folded into npm itself: `npm audit`, available from npm 6.)

Client-side modules

Escape everything

● Not just user input: data coming back from your own backend as well

Underscore templates

<% %> - executes some code

<%= %> - prints a value unescaped (safe only for HTML you generated yourself)

<%- %> - prints a value with HTML escaping (use this for data)
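The difference between the two print tags on real data, as an added example. This is a toy renderer written for this page, not Underscore's source: it resolves dotted property paths only and does not execute `<% %>` code blocks (Underscore compiles templates with `new Function`). The names escapeHtml, lookup and render are mine, and the record is constructed to look like a backend response.

```javascript
// Added example, not Underscore's code: a minimal renderer for <%= %> and
// <%- %> with Underscore's semantics (= raw, - escaped), to show why backend
// data needs the escaping tag too.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' }[c];
  });
}

// Resolve "user.name" against the data object; missing paths render as ''.
function lookup(data, path) {
  return path.trim().split('.').reduce(function (o, k) {
    return o == null ? undefined : o[k];
  }, data);
}

// <%- expr %> escapes, <%= expr %> interpolates raw.
function render(template, data) {
  return template.replace(/<%([-=])\s*([\w.]+)\s*%>/g, function (_, mode, expr) {
    const value = lookup(data, expr);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Constructed backend record: the display name was stored without validation,
// which is exactly the case the slide warns about.
const BACKEND_USER = {
  user: { name: '<script>alert(document.cookie)</script>', id: 42 }
};

function renderUnsafe() { return render('<h1>Hi <%= user.name %></h1>', BACKEND_USER); }
function renderSafe()   { return render('<h1>Hi <%- user.name %></h1>', BACKEND_USER); }
```

renderUnsafe() hands the stored script straight to the browser; renderSafe() turns it into inert text. Mixing up the two tags is the commonest way client-side templating produces stored XSS.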

Know your templating library

● Use it properly

Update your front-end dependencies

● Retire.js

npm install grunt-retire --save-dev

grunt retire

Let's Recap

● Know what you're require()'ing
● Node is still JavaScript: the same injection, eval and escaping mistakes apply
● Use good security defaults
● Update your dependencies – use automation

Thanks