Javascript Security - Three main methods of defending your MEAN stack

JAVASCRIPT SECURITY RAN BAR-ZIK, HPE 2016

RAN BAR-ZIK

Blogger and writer @ internet-Israel.com [Hebrew]

Software developer at HPE

Father of 4 children

Expert in PowerPoint :P

HACKERS - MYTH

Source: https://commons.wikimedia.org/wiki/File:Hacker_-_Hacking_-_Symbol.jpg

HACKERS - REALITY

Source: https://pixabay.com/static/uploads/photo/2014/04/03/11/55/robot-312566_960_720.png

HACKS CYCLE

• Security hole created

• Someone finds it (vulnerability test, penetration testing etc.)

• Patch is issued

• Hackers track the patch list and create bots

• Programmer creates code

YOU DON’T NEED TO BE A HACKER TO PROTECT YOURSELF

• You don’t need to be a professional burglar in order to know how to lock doors.

• First know about the attack, and then learn how to deal with it.

• Implementing security in JavaScript is easy, fun and can win you true love!

XSS – CROSS SITE SCRIPTING

XSS is very simple: an attacker can insert custom JavaScript into the site.

TWO MAIN WAYS TO HELL XSS

• By not validating the input before inserting it into the database.

• By not sanitizing the output before showing it to the user.

VALIDATE

Input validation on server side.

Making sure that the input is what you want.

Using node.js? Great! Use the validate.js module; this is what we do.

VALIDATE.JS EXAMPLE

var express    = require("express");
var validation = require("validator");
var bodyParser = require("body-parser");

var app = express();
app.use(bodyParser.urlencoded({ extended: false }));

app.get('/', function (req, res) {
    res.sendFile(__dirname + '/form.html');
});

/* Form will redirect here with input data */
app.post('/validateform', function (req, res) {
    // validator functions return true or false; coerce to a string first so a
    // missing field does not make the validator throw
    var email = String(req.body.email || '');
    var userName = String(req.body.user_name || '');
    if (!validation.isEmail(email)) {
        res.send("Email is Bad");
    } else if (!validation.isAlpha(userName)) {
        res.send("Name is Bad");
    } else {
        res.send("Form submitted");
    }
});

app.listen(4000);

WHY HASSLE? USE EXPRESS.JS MIDDLEWARE

Express.js entry point

express-validator middleware

All your strings are validated

See for yourself! https://github.com/ctavan/express-validator
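To show what a validation middleware actually does before reaching for express-validator, here is an added example (not code from the slides or from the express-validator project) of a minimal Express-style middleware. Each rule is an allow-list: the field must exist, be a string, stay under a maximum length and match a pattern. The rule set, field names and error wording are assumptions for illustration; it runs with fake req/res objects so no module needs to be installed.

```javascript
// Added example: schema-driven validation middleware in the style of Express.
// RULES, the field names and the messages are illustrative assumptions.
const RULES = {
    email:     { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, maxLength: 254 },
    user_name: { pattern: /^[A-Za-z]+$/,                maxLength: 40 }
};

// Returns a list of error messages; an empty list means the body is valid.
function validateBody(body, rules) {
    const errors = [];
    for (const field of Object.keys(rules)) {
        const rule = rules[field];
        const value = body ? body[field] : undefined;
        // A missing field or a non-string (an object or array smuggled in through
        // JSON or qs parsing) is rejected before any pattern is tested.
        if (typeof value !== 'string') { errors.push(field + ' must be a string'); continue; }
        if (value.length > rule.maxLength) { errors.push(field + ' is too long'); continue; }
        if (!rule.pattern.test(value)) errors.push(field + ' has an invalid format');
    }
    return errors;
}

// Middleware factory, used as: app.post('/validateform', validate(RULES), handler)
function validate(rules) {
    return function (req, res, next) {
        const errors = validateBody(req.body, rules);
        if (errors.length > 0) return res.status(400).json({ errors });
        next();
    };
}

// Stand-alone demonstration with fake req/res objects (no express needed).
function runDemo(body) {
    const result = { status: 200, handlerRan: false, errors: [] };
    const res = {
        status(code) { result.status = code; return res; },
        json(payload) { result.errors = payload.errors; return res; }
    };
    validate(RULES)({ body }, res, () => { result.handlerRan = true; });
    return result;
}

console.log(runDemo({ email: 'ran@example.com', user_name: 'Ran' }));
console.log(runDemo({ email: 'not-an-email', user_name: 'R4n' }));
console.log(runDemo({ email: { $gt: '' }, user_name: ['Ran'] }));
```

The type check comes first on purpose: body parsers happily produce objects and arrays from `a[b]=c` query strings or JSON bodies, and a regex test on a non-string is either a crash or a silent pass.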

SANITIZATION

Simple: Do not allow running JavaScript code in the output.

DOING SANITIZATION

• Using angular.js? It comes free without charge! Even ngBindHtml does not allow the <script> tag.

• Using another platform? Use the sanitization tools that come with it.

There are more ways to insert JavaScript into elements!

Meet the wonderful world of HTML5 vulnerabilities!

Allowing users to insert <video> elements?

<video><source onerror="alert(1)">

Will work on Chrome\Firefox

Check https://html5sec.org/
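The two sanitization cases above (plain text output, and rich HTML where `<video><source onerror>` slips past a `<script>`-only filter) as an added example, not code from the slides or from any framework. `escapeHtml()` is what a template engine does in a text context; `sanitizeHtml()` is a deliberately small allow-list filter that drops every tag and attribute not on its list, so event handlers disappear regardless of which HTML5 element carries them. The allow-lists are assumptions for illustration; a real project should use a maintained library such as DOMPurify or sanitize-html rather than this code.

```javascript
// Added example: output encoding for text, and an allow-list sanitizer for rich content.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text context: every special character becomes an entity, so user text can never open a tag.
function escapeHtml(text) {
    return String(text).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Rich-text context: only these tags and attributes survive (illustrative allow-lists).
const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'a', 'video', 'source']);
const ALLOWED_ATTRS = { a: ['href'], video: ['controls'], source: ['src', 'type'] };
const SAFE_URL = /^(https?:\/\/|\/(?!\/)|#)/i;   // http(s), site-relative paths and fragments only

function cleanAttributes(tag, rawAttrs) {
    const allowed = ALLOWED_ATTRS[tag] || [];
    // name="value" | name='value' | name=value | name
    const attrRe = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    const kept = [];
    let m;
    while ((m = attrRe.exec(rawAttrs)) !== null) {
        const name = m[1].toLowerCase();
        const hasValue = m[2] !== undefined || m[3] !== undefined || m[4] !== undefined;
        const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
        // Event handlers (onerror, onload, ...) and anything not allow-listed are dropped outright.
        if (name.startsWith('on') || !allowed.includes(name)) continue;
        // URL attributes get a scheme allow-list so javascript: can never be the target.
        if ((name === 'href' || name === 'src') && !SAFE_URL.test(value.trim())) continue;
        kept.push(hasValue ? `${name}="${escapeHtml(value)}"` : name);
    }
    return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitizeHtml(html) {
    const input = String(html);
    // tag | comment | other "<...>" junk | text | lone "<"
    const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|<!--[\s\S]*?-->|<[^>]*>|[^<]+|</g;
    let out = '';
    let m;
    while ((m = tokenRe.exec(input)) !== null) {
        const token = m[0];
        if (m[1] === undefined) {
            // text is kept (with ">" encoded); comments, malformed tags and a lone "<" are neutralised
            if (token === '<') out += '&lt;';
            else if (!token.startsWith('<')) out += token.replace(/>/g, '&gt;');
            continue;
        }
        const tag = m[1].toLowerCase();
        if (!ALLOWED_TAGS.has(tag)) continue;             // <script>, <iframe>, <img>, ... removed
        if (token.startsWith('</')) { out += `</${tag}>`; continue; }
        out += `<${tag}${cleanAttributes(tag, m[2])}>`;
    }
    return out;
}

console.log(sanitizeHtml('<video><source onerror="alert(1)">'));   // the html5sec.org vector, defanged
```

The point the slide makes survives the rewrite: `<video>` and `<source>` stay allowed, but the `onerror` attribute is gone, because the filter keeps only what it recognises instead of blocking what it fears.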

CROSS SITE REQUEST FORGERY (CSRF)

• Every site operation is a REST API request. For example:

• GET /users

• DELETE user/123

• PUT user/123 {role: admin}

<a href="https://most-secured-site.com/delete-all-users"> Click here to see the model naked! <img src="hot_model_almost_naked" /> </a>

SOLUTION TO CSRF

Use tokens!

Server-generated unique strings, based on some hash value + time, generated every time the form is output and submitted along with the form.

No valid token? Get out!

HOW TO IMPLEMENT CSRF?

In node.js\Express.js just use csurf middleware! https://github.com/expressjs/csurf

Make sure to implement it both on client and server side!

SQL INJECTION IN NOSQL DATABASE\NODE.JS

• SQL Injection can be performed on any database.

• The Database can be MongoDB, the server can be Node.js, but the method is the same.

NOSQL INJECTION IN MONGODB

db.users.find({username: username, password: password});

app.post('/', function (req, res) {
    db.users.find({username: req.body.username, password: req.body.password}, function (err, users) {
        // if a user is found, the login succeeds and the following code runs.
    });
});

POST http://target/ HTTP/1.1
Content-Type: application/json

{ "username": {"$gt": ""}, "password": {"$gt": ""}}

SOLUTION TO SQL INJECTION

• Sanitize and validate, the same as XSS.
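The injection from the previous slides and the "validate" fix, as an added example that is not code from the slides: a tiny in-memory stand-in for `db.users.find()` that understands equality and `$gt` the way MongoDB does, the vulnerable handler that passes `req.body` straight into the query, and a hardened handler that lets only strings reach the query. The user records are constructed sample data.

```javascript
// Added example: operator injection against a toy find(), and the fix.
const users = [
    { username: 'admin', password: 'hunter2-hashed' },   // constructed record (real apps store a hash)
    { username: 'ran',   password: 'secret-hashed' }
];

// Minimal matcher: a plain value means equality, { $gt: x } means "greater than x",
// which is exactly why {"$gt": ""} matches every non-empty string.
function matches(doc, query) {
    return Object.keys(query).every(key => {
        const cond = query[key];
        if (cond !== null && typeof cond === 'object' && '$gt' in cond) return doc[key] > cond.$gt;
        return doc[key] === cond;
    });
}

function find(query) {
    return users.filter(doc => matches(doc, query));
}

// Vulnerable handler from the slide: req.body goes straight into the query, so a JSON
// body of {"username": {"$gt": ""}, "password": {"$gt": ""}} matches every user.
function loginVulnerable(body) {
    return find({ username: body.username, password: body.password });
}

// Hardened handler: only strings reach the query; anything else is rejected before
// find() is ever called. This is the "validate" half of the slide's advice.
function loginHardened(body) {
    const { username, password } = body;
    if (typeof username !== 'string' || typeof password !== 'string') {
        throw new TypeError('username and password must be strings');
    }
    return find({ username, password });
}

// Belt and braces: drop every key starting with "$" from a parsed body, so operator
// objects cannot be smuggled into any query even by a handler that forgot to validate.
function stripOperators(value) {
    if (Array.isArray(value)) return value.map(stripOperators);
    if (value !== null && typeof value === 'object') {
        const out = {};
        for (const [k, v] of Object.entries(value)) {
            if (!k.startsWith('$')) out[k] = stripOperators(v);
        }
        return out;
    }
    return value;
}

const injected = JSON.parse('{"username": {"$gt": ""}, "password": {"$gt": ""}}');
console.log('vulnerable handler matched', loginVulnerable(injected).length, 'users');
console.log('after stripOperators matched', loginVulnerable(stripOperators(injected)).length, 'users');
```

The same lesson as with XSS applies: the database driver is doing exactly what it was told, and the only place to stop the attack is before the untrusted value is turned into a query.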

FINAL WORDS OF WISDOM