Node.JS security

Node Security By Rejah Rehim

Transcript of Node.JS security

Page 1: Node.JS security

Node Security

By

Rejah Rehim

Page 2: Node.JS security

Know what you require();

NPM has ~75000 modules

Page 3: Node.JS security

Use good Security Defaults

Node is a set of barebones modules

Express is a barebones framework

Page 4: Node.JS security

Lusca

App security module for express

var express = require('express'),
    app = express(),
    lusca = require('lusca');

Page 5: Node.JS security

With Express Middleware

● app.use(lusca.csrf());
● app.use(lusca.csp({ /* ... */ }));
● app.use(lusca.xframe('SAMEORIGIN'));
● app.use(lusca.p3p('ABCDEF'));
● app.use(lusca.hsts({ maxAge: 31536000 }));
● app.use(lusca.xssProtection(true));

Page 6: Node.JS security

CSRF

Tricks the victim's browser into making malicious requests

Page 7: Node.JS security
Page 8: Node.JS security
Page 9: Node.JS security

Lusca.csrf()

Uses the Synchronizer Token pattern

1) Create a random token on the server side

2) Add the token to res.locals

3) Dump that token into the app page

4) Send it with every POST, PUT and DELETE request

5) Verify the token is correct, else return 403

Page 10: Node.JS security

CSP

● Content Security Policy
● Basically a whitelist of where the browser may load resources from

Page 11: Node.JS security
Page 12: Node.JS security
Page 13: Node.JS security

Lusca.csp()

app.use(lusca.csp({
    policy: {
        'default-src': '\'none\'',
        'script-src': '\'self\' https://apis.google.com'
    },
    reportUri: '/report-violation'
}));

Page 14: Node.JS security

Lusca.hsts()

● Ensures the browser only talks to you over HTTPS
● Prevents MITM downgrade to plain HTTP

Page 15: Node.JS security

Lusca.xframe()

● Prevents others from loading your app in an iframe (clickjacking)

Page 16: Node.JS security

HTTPOnly Cookies

● Prevents session hijacking by keeping the cookie away from page scripts and plain HTTP

app.use(express.session({
    secret: 'My super session secret',
    cookie: { httpOnly: true, secure: true }
}));

Page 17: Node.JS security

Eval is evil

Page 18: Node.JS security

Node Security Project

● Audit all modules in NPM
● Contribute patches
● Educate others

Page 19: Node.JS security

Scan For vulnerable modules

npm install grunt-nsp-package --save-dev

grunt validate-package

Page 20: Node.JS security

Update your dependency

Page 21: Node.JS security

Clientside modules

Page 22: Node.JS security

Escape everything

● Not just user input; backend data as well

Page 23: Node.JS security

Underscore templates

<% %> - to execute some code

<%= %> - to print a value into the template as-is (no escaping)

<%- %> - to print a value with HTML escaping applied

Page 24: Node.JS security

Know your templating library

● Use it properly

Page 25: Node.JS security

Update your front-end dependencies

● Retire.js

npm install grunt-retire --save-dev

grunt retire

Page 26: Node.JS security

Let's Recap

● Know what you're require()'ing
● Node is still JavaScript
● Use good security defaults
● Update your dependencies – use automation

Page 27: Node.JS security

Thanks