Testing NodeJS Security

Testing Node Security by @jmortegac NOV 18-19 · 2016


Agenda

Introduction to NodeJS security

Npm security packages

Node Goat project

Tools

nodeJS introduction

JavaScript in the backend

Built on Chrome's JavaScript runtime (V8)

NodeJS is based on an event loop

Designed to be asynchronous

Single Thread

Concurrent requests.

Security updates

Find nodeJS vulnerabilities http://cve.mitre.org/find/

Latest vulnerabilities https://nodesecurity.io/advisories

NPM modules install

Npm security packages

Helmet

express-session / cookie-session

csurf

express-validator

bcrypt-node

express-enforces-ssl

Security HTTP Headers

Strict-Transport-Security

X-Frame-Options

X-XSS-Protection

X-Content-Type-Options

Content-Security-Policy

Helmet module https://www.npmjs.com/package/helmet

Helmet module https://github.com/helmetjs/helmet

Helmet module

CSP: sets the Content-Security-Policy header

hidePoweredBy: deletes the X-Powered-By header

hpkp: public key pinning, protection against MITM

hsts: forces HTTPS connections

noCache: disables client-side caching

frameguard: protection against clickjacking

xssFilter: protection against XSS

Helmet module

Check security headers http://cyh.herokuapp.com/cyh

https://securityheaders.io/

Express versions

https://www.shodan.io/search?query=express

Disable x-powered-by

Avoid framework fingerprinting

Use Helmet and its "hide-powered-by" plugin

httpOnly & secure:true

Keep cookies out of the browser cache

// Set Cache-Control header to keep cookies out of the cache
app.use(function (req, res, next) {
  res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
  next();
});

XSS attacks

An attacker can exploit XSS vulnerability to:

Steal session cookies / session hijacking

Redirect the user to malicious sites

Defacing and content manipulation

Cross-Site Request Forgery

CSRF

<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
  <button type="submit">Submit</button>
</form>

// csurf needs session (or cookie-parser) middleware registered before it
var csurf = require('csurf');
app.use(csurf());

// Expose the token to templates under the same name the form uses
app.use(function (request, response, next) {
  response.locals.csrfToken = request.csrfToken();
  next();
});

Validator

Validator with regular expressions

Regular expressions

https://www.npmjs.com/package/safe-regex

Detects vulnerable regular expressions that can cause DoS

NodeJS Crypto

http://nodejs.org/api/crypto.html Use require('crypto') to access this module

The crypto module requires OpenSSL

var crypto = require("crypto");

var digest = crypto
  .createHash("sha1")      // algorithm
  .update("cOdEmOtiOn")    // text to hash
  .digest("hex");          // hexadecimal result

Bcrypt-node

https://github.com/kelektiv/node.bcrypt.js

Building a secure HTTPS server

var express = require("express");
var helmet = require("helmet");
var ms = require("ms");

var app = express();

// Send the HSTS header for all requests: one year, including subdomains
app.use(helmet.hsts({
  maxAge: ms("1 year"),
  includeSubdomains: true
}));

Send the HSTS header for all requests

Node Goat http://nodegoat.herokuapp.com/tutorial

Node Goat https://github.com/OWASP/NodeGoat

EVAL()

EVAL() on github

EVAL() ATTACKS

res.end(require('fs').readdirSync('.').toString())

res.end(require('fs').readdirSync('..').toString())

Insecure Direct Object References

Use session instead of request param

var userId = req.session.userId;

Tools

NSP

Require Safe

David

KrakenJS / Lusca middleware

Retire

snyk.io

NSP https://github.com/nodesecurity/nsp

npm install -g nsp

Analyze package.json

nsp check --output summary

NSP with Grunt

npm install -g grunt-nsp-package

Nsp execution

Project dependencies (David)

npm install -g david

https://snyk.io

http://krakenjs.com/

Retire.js

http://retirejs.github.io/retire.js

Detecting components and JS libraries with known vulnerabilities

Retire.js https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json

Retire.js execution

NodeJsScan

https://github.com/ajinabraham/NodeJsScan

python NodeJsScan.py -d <dir>

Passport

References

https://blog.risingstack.com/node-js-security-checklist/

https://blog.risingstack.com/node-js-security-tips/

https://groups.google.com/forum/#!forum/nodejs-sec

https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

https://expressjs.com/en/advanced/security-updates.html

http://opensecurity.in/nodejsscan/

http://stackabuse.com/securing-your-node-js-app/

Books