Fusker - A NodeJS Security Framework


Fusker: NodeJS Security
Security that fights back
Eric Schoffstall, @wearefractal

Comparisons

  • Better than when Bill Grates invented MichaelSoft
  • Better than when Mork Zoonerberg invented Fezbook
  • Cooler than existing NodeJS security frameworks (Mac Zerkerberg)

WUTS DAT? THERE ARE NO SECURITY FRAMEWORKS

Why is Fusker so hot?

  • Lightweight
  • Modular design
  • Flexible
  • Easy integration
  • Written in CoffeeScript
  • Funny as hell

Integration/Support

  • Can wrap HTTPServer
  • Can wrap Socket.IO
  • Compatible with UselessJS
  • Can be used as Connect/Express middleware
  • Easy to modify and integrate with any other frameworks

All your logs are belong to us

Logs are saved any time an attack is detected. Socket and HTTP attacks are saved in separate files.

    [- ATTACK DETAILS FOR Fri Aug 12 2011 19:28:33 GMT-0700 (MST) -]
    --> Detective: SQLi-0
    --> Request: GET /index.html?id=1'%20OR%20'1'='1'
    --> IP: 127.0.0.1
    [- END ATTACK DETAILS -]

Before switching to Fusker

    var http = require('http');
    var url = require('url');
    var sys = require('sys');
    var fs = require('fs');
    var path = require('path');
    var socketio = require('socket.io'); // was missing in the slide; needed for socketio.listen below

    var serv = http.createServer(function (req, res) {
      var file = url.parse(req.url).pathname;
      if (file === '/') {
        file = '/index.html';
      }
      // Serve files relative to the script's directory rather than the filesystem root
      fs.readFile(path.join(__dirname, file), function (err, data) {
        if (!err) {
          res.writeHead(200);
          res.write(data, 'utf8');
          res.end();
        } else {
          res.writeHead(404); // answer the client instead of leaving the request hanging
          res.end();
        }
      });
    });
    serv.listen(8080);
    var io = socketio.listen(serv);

After switching to Fusker

    var fusker = require('fusker');
    var server = fusker.http.createServer(8080);
    var io = fusker.socket.listen(server);

Slick Diagram

Detectives

  • Modules take incoming data and run it through a series of patterns
  • If a pattern matches, the module can call the attack manager
  • Fusker comes with detectives for XSS, CSRF, SQLi and LFI vulnerabilities
  • Fusker can also treat 404s as a threat, to punish people who are snooping around your server

Payloads

  • Payloads are executed by the attack manager when an attack is detected
  • Payloads have access to the request and response objects, so you can do fun stuff like redirects or even send back browser exploits
  • Fusker comes with a large amount of built-in payloads that were designed with lulz in mind

  • The blacklist payload will add users to a blacklist and drop all future incoming requests

Configuration

    var fusker = require('fusker');

    fusker.config.dir = process.cwd();
    fusker.config.banLength = 1;
    fusker.config.verbose = true;
    fusker.http.detectives.push('csrf', 'xss', 'sqli', 'lfi', '404');
    fusker.http.payloads.push('blacklist', 'bush');
    fusker.socket.detectives.push('xss', 'sqli', 'lfi');
    fusker.socket.payloads.push('blacklist');

DIY Detectives

  • Put an array of regex patterns for your detective in patterns.js
  • Loop through them and test against incoming data
  • Call handleAttack if a test is positive

    var fusker = require('fusker');

    // Test the request URL against every LFI pattern (highest index first) and
    // hand the first match to the attack manager, labelled with the pattern's index
    exports.check = function (req, res) {
      for (var i = fusker.patterns.lfi.length - 1; i >= 0; --i) {
        if (fusker.patterns.lfi[i].test(req.url)) {
          fusker.http.handleAttack('LFI-' + i, req, res);
          return;
        }
      }
    };

DIY Payloads

  • Easy as hell
  • Lots of fun to be had messing with people trying to hack you

    // Redirect the attacker to nyan.cat instead of serving the requested page
    exports.run = function (req, res) {
      res.writeHead(302, {'Location': 'http://nyan.cat/'});
      res.end();
    };

Take a HWAK at it

You think you're a raw dog? You think you can beat fusker? fusker.nodester.com

Come at me bro.

Links

Fusker: https://github.com/wearefractal/Fusker
Other Projects: https://github.com/Contra
Twitter: @wearefractal
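The detective/payload model from the Detectives, Payloads and DIY slides above, as an added stand-alone example (not Fusker's own code): a pattern-based detective that also inspects the percent-decoded URL, and a blacklist payload with an expiring ban. The regex patterns, the `DETECTIVES` table, the `Blacklist` class and the millisecond unit for the ban length are all constructed for illustration, not taken from Fusker's patterns.js or config.

```javascript
// Constructed sample patterns for illustration only; not Fusker's own patterns.js.
const DETECTIVES = [
  { name: 'LFI',  patterns: [/(^|[\/\\])\.\.([\/\\]|$)/, /etc\/passwd/i, /\x00/] },
  { name: 'SQLi', patterns: [/'\s*(or|and)\s*'?[^']*'?\s*=/i, /union\s+(all\s+)?select/i, /;\s*drop\s+table/i] },
];

// Decode percent-encoding so "..%2F" and "%27 OR" are inspected the way the
// application would see them; a malformed escape sequence falls back to the raw URL.
function normalize(rawUrl) {
  try { return decodeURIComponent(rawUrl); } catch (e) { return rawUrl; }
}

// Detective step: test raw and decoded forms against each pattern in order and
// return a label like "LFI-0" (the 'LFI-' + i convention passed to handleAttack), or null.
function detect(rawUrl) {
  const candidates = [rawUrl, normalize(rawUrl)];
  for (const det of DETECTIVES) {
    for (let i = 0; i < det.patterns.length; i++) {
      if (candidates.some((u) => det.patterns[i].test(u))) return det.name + '-' + i;
    }
  }
  return null;
}

// Blacklist payload: remember offending IPs and drop their requests until the ban
// expires. Milliseconds are an assumed unit; the talk does not state banLength's unit.
class Blacklist {
  constructor(banLengthMs) { this.banLengthMs = banLengthMs; this.bans = new Map(); }
  ban(ip, now) { this.bans.set(ip, now + this.banLengthMs); }
  isBanned(ip, now) {
    const until = this.bans.get(ip);
    if (until === undefined) return false;
    if (now >= until) { this.bans.delete(ip); return false; } // ban has expired
    return true;
  }
}

// Attack-manager glue: drop banned clients first, then run detectives and fire the payload.
// `now` is injected (Date.now() in production) so the expiry logic is testable offline.
function handleRequest(ip, rawUrl, blacklist, now) {
  if (blacklist.isBanned(ip, now)) return { action: 'dropped', detective: null };
  const label = detect(rawUrl);
  if (label !== null) {
    blacklist.ban(ip, now);
    return { action: 'blocked', detective: label };
  }
  return { action: 'allowed', detective: null };
}
```

Checking the decoded form matters: the slide's detective tests `req.url` as received, so an encoded payload would only be caught if the pattern list anticipates every encoding.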