Javascript Security - Three main methods of defending your MEAN stack
Uploaded by ran-bar-zik (Category: Technology)
Transcript of Javascript Security - Three main methods of defending your MEAN stack
RAN BAR-ZIK
Blogger and writer @ internet-israel.com [Hebrew]
Software developer at HPE
Father of 4 children
Expert in PowerPoint :P
HACKERS - MYTH
Source: https://commons.wikimedia.org/wiki/File:Hacker_-_Hacking_-_Symbol.jpg
HACKERS - REALITY
Source: https://pixabay.com/static/uploads/photo/2014/04/03/11/55/robot-312566_960_720.png
HACKS CYCLE
• Programmer creates code
• Security hole is created
• Someone finds it (vulnerability test, penetration testing etc.)
• Patch is issued
• Hackers track the patch list and create bots
YOU DON’T NEED TO BE A HACKER TO PROTECT YOURSELF
• You don’t need to be a professional burglar in order to know how to lock doors.
• First know about the attack, and then learn how to deal with it.
• Implementing security in JavaScript is easy, fun and can win you true love!
TWO MAIN WAYS TO HELL: XSS
• By not validating the input before inserting it into the database.
• By not sanitizing the output before showing it to the user.
VALIDATE
Input validation on server side.
Making sure that the input is what you want.
Using node.js? Great! Use the validate.js module; this is what we do.
VALIDATE.JS EXAMPLE

var express = require("express");
var validation = require("validator");
var bodyParser = require("body-parser");

var app = express();
app.use(bodyParser.urlencoded({ extended: false }));

app.get('/', function (req, res) {
  res.sendFile(__dirname + '/form.html');
});

/* Form will redirect here with input data */
app.post('/validateform', function (req, res) {
  if (!validation.isEmail(req.body.email)) {      // true or false is returned by this function
    res.send("Email is Bad");
  } else if (!validation.isAlpha(req.body.user_name)) {
    res.send("Name is Bad");
  } else {
    res.send("Form submitted");
  }
});

app.listen(4000);
WHY HASSLE? USE EXPRESS.JS MIDDLEWARE
Express.js entry point
express-validator middleware
All your strings are validated
See for yourself! https://github.com/ctavan/express-validator
DOING SANITIZATION
• Using angular.js? It comes free without charge! Even ngBindHtml does not allow the <script> tag.
• Using another platform? Use the sanitization tools that come with it.
There are more ways to insert JavaScript to elements!
Meet the wonderful world of HTML5 vulnerabilities!
Allowing users to insert <video> elements?
<video><source onerror="alert(1)">
Works in Chrome/Firefox
Check https://html5sec.org/
CROSS SITE REQUEST FORGERY (CSRF)
• Every site operation is REST API request. For example:
• GET /users
• DELETE user/123
• PUT user/123 {role: admin}
<a href="https://most-secured-site.com/delete-all-users"> Click here to see the model naked! <img src="hot_model_almost_naked" /> </a>
SOLUTION TO CSRF
Use tokens!
Server-generated unique strings, based on some hash value + time, generated every time the form is output and submitted along with the form.
No valid token? Get out!
HOW TO IMPLEMENT CSRF?
In node.js\Express.js just use the csurf middleware! https://github.com/expressjs/csurf
Make sure to implement it both on client and server side!
SQL INJECTION IN NOSQL DATABASE\NODE.JS
• SQL Injection can be performed on any database.
• The Database can be MongoDB, the server can be Node.js, but the method is the same.
NOSQL INJECTION IN MONGODB

db.users.find({username: username, password: password});

app.post('/', function (req, res) {
  db.users.find({username: req.body.username, password: req.body.password}, function (err, users) {
    // if a user was found, run the following code.
  });
});
POST http://target/ HTTP/1.1
Content-Type: application/json

{ "username": {"$gt": ""}, "password": {"$gt": ""} }
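The request above gets through because the JSON body parser hands the query an object (with a `$gt` operator) instead of a string. As an added example, not code from the slides, here is a small in-memory model of the matching (constructed users and a minimal `$gt` matcher standing in for MongoDB) with the slide's vulnerable lookup beside a hardened version that refuses non-string credentials:

```javascript
// Added example (not from the slides): why {"$gt": ""} matches every user,
// and a hardened query builder that only accepts plain strings.
// Constructed sample data; no real database is needed. The slide's query
// compares passwords directly, which is kept here only for illustration;
// a real application stores and compares password hashes.
const users = [
  { username: 'alice', password: 'hunter2' },   // constructed sample
  { username: 'bob',   password: 'letmein' },   // constructed sample
];

// Tiny subset of MongoDB matching semantics: equality and the $gt operator.
// Enough to show what the server would receive and match.
function matches(doc, query) {
  return Object.keys(query).every(function (field) {
    const cond = query[field];
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
      return doc[field] > cond.$gt;   // "" is less than any non-empty string
    }
    return doc[field] === cond;
  });
}

function find(query) {
  return users.filter(function (doc) { return matches(doc, query); });
}

// Vulnerable: req.body values are passed straight into the query object,
// so a JSON body may smuggle in operators such as $gt.
function vulnerableLogin(body) {
  return find({ username: body.username, password: body.password });
}

// Hardened: reject anything that is not a plain string before it reaches
// the query, so an operator object can never become part of the filter.
function hardenedLogin(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    throw new Error('username and password must be strings');
  }
  return find({ username: body.username, password: body.password });
}
```

With express-validator or the validator module in front of the handler, the same string check is a one-line rule; the point is that the check must run before the value is placed in the query.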