Hacking NodeJS applications for fun and profit: Testing NodeJS Security, by @jmortegac

Agenda
▪ Introduction to NodeJS security
▪ Npm security packages
▪ Node Goat project
▪ Tools

Node JS
▪ JavaScript in the backend
▪ Built on Chrome's JavaScript runtime (V8)
▪ NodeJS is based on an event loop
▪ Designed to be asynchronous
▪ Single-threaded
▪ Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.
Security updates
▪ https://expressjs.com/en/advanced/security-updates.html

Package vulnerabilities
▪ https://www.npmjs.com/advisories

Npm security packages
▪ Helmet
▪ express-session
▪ cookie-session
▪ csurf
▪ express-validator
▪ bcrypt-node
▪ express-enforces-ssl

Security HTTP headers
▪ Strict-Transport-Security
▪ X-Frame-Options
▪ X-XSS-Protection
▪ X-Content-Type-Options
▪ Content-Security-Policy
Helmet module
▪ https://www.npmjs.com/package/helmet
▪ https://github.com/helmetjs/helmet
▪ hidePoweredBy → removes the X-Powered-By header
▪ hpkp → protection against MITM (public key pinning)
▪ hsts → forces HTTPS connections
▪ noCache → disables client-side caching
▪ frameguard → protection against clickjacking
▪ xssFilter → protection against XSS
Helmet CSP
Check security headers
▪ http://cyh.herokuapp.com/cyh
▪ https://securityheaders.io/

Express versions
▪ https://www.shodan.io/search?query=express
Disable x-powered-by
▪ Avoid framework fingerprinting
▪ Use Helmet and its "hide-powered-by" plugin
Session management
▪ https://www.npmjs.com/package/cookie-session
▪ secure
▪ httpOnly
▪ domain
▪ path
▪ expires
httpOnly & secure:true
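The cookie-session slide lists the attributes a session cookie should set and the next slide singles out httpOnly and secure:true. As an added example that is not from the slides or from the cookie-session module, the block below builds a Set-Cookie value from those attributes with both flags on by default, parses one back, and audits it for the flags whose absence makes session hijacking easy. Node built-ins only; the function names are mine.

```javascript
// Added example (not from the slides): build and audit a session Set-Cookie value.

// Build a cookie string from the attribute set the cookie-session slide lists.
// httpOnly and secure default to ON; a caller must opt out explicitly.
function buildSessionCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.httpOnly !== false) parts.push('HttpOnly'); // not readable by document.cookie
  if (opts.secure !== false) parts.push('Secure');     // only sent over HTTPS
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into name, value and lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const result = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    result.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return result;
}

// Audit: report the protective attributes a session cookie is missing.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: script can read the cookie, so XSS can steal it');
  if (!c.attrs.secure) findings.push('missing Secure: cookie is sent over plain HTTP');
  if (!c.attrs.expires && !c.attrs['max-age']) findings.push('no Expires/Max-Age: session cookie lives until the browser closes');
  return findings;
}
```

The audit is the check to run against the actual Set-Cookie header a deployment emits rather than against the configuration: with cookie-session the `secure` flag is only honoured when Express trusts the proxy it sits behind, so the header the browser receives is the ground truth.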
XSS attacks
▪ An attacker can exploit an XSS vulnerability to:
▪ Steal session cookies / session hijacking
▪ Redirect users to malicious sites
▪ Defacing and content manipulation
▪ Cross-Site Request Forgery

CSRF attacks
▪ https://www.npmjs.com/package/csurf
CSRF
app.use(function (request, response, next) {
  // expose the per-request token to templates under the name the form reads
  response.locals.csrfToken = request.csrfToken();
  next();
});

<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
  <button type="submit">Submit</button>
</form>
Filter/sanitize user input
▪ Fixing XSS attacks
▪ https://www.npmjs.com/package/sanitizer
▪ Module express-validator
▪ https://www.npmjs.com/package/express-validator
Express Validator
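The XSS slide lists what an attacker gains and the sanitize slide names two modules that help; what neither shows is the code. As an added example, not from the slides and not the sanitizer or express-validator modules, the block below does the two things those modules do: escape untrusted data on output so the browser never interprets it as markup, and validate input against an allowlist of what each field may contain, rejecting rather than stripping. The field rules and function names are mine.

```javascript
// Added example (not from the slides): output escaping and allowlist validation.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for an HTML text or double-quoted attribute context. This is the root
// fix for reflected and stored XSS: the data stays data, whatever it contains.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist rules: say what is acceptable instead of trying to enumerate what
// is dangerous (denylists are what payload encodings are designed to slip past).
const RULES = {
  username: (v) => /^[A-Za-z0-9_]{3,20}$/.test(v),
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  amount: (v) => /^\d+(\.\d{1,2})?$/.test(v),
};

// Validate a request body against the rules; every field must be a string that matches.
function validate(body, rules = RULES) {
  const errors = [];
  for (const [field, ok] of Object.entries(rules)) {
    const v = body[field];
    if (typeof v !== 'string' || !ok(v)) errors.push(field);
  }
  return { valid: errors.length === 0, errors };
}

// Render a greeting: validated input is still escaped on output, because the
// validation rule may loosen later and the template should not depend on it.
function renderGreeting(username) {
  return `<p>Hello, ${escapeHtml(username)}!</p>`;
}
```

Escaping is context-specific: the function above is right for HTML body text and quoted attributes, but data placed inside a `<script>` block, a URL or a CSS value needs that context's encoding instead, which is why template engines with auto-escaping and a Content-Security-Policy are used alongside it rather than instead of it.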
Bcrypt-node
▪ https://github.com/kelektiv/node.bcrypt.js
Node Goat
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://github.com/OWASP/NodeGoat

EVAL() attacks
▪ Example payload reaching an eval() sink: res.end(require('fs').readdirSync('.').toString())
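The slide shows the payload but not the sink that makes it work. As an added example, not from the slides or from NodeGoat, the block below puts the vulnerable pattern, a numeric form field handed to eval(), beside its fix, which allowlists the shape of a number and converts with Number(), a function that never executes anything. The handler shape and field name are mine.

```javascript
// Added example (not from the slides): eval() on user input beside its fix.

// Vulnerable: a form value meant to hold a number is evaluated as JavaScript,
// so any expression the client sends runs with the server process's privileges.
function parseAmountUnsafe(input) {
  return eval(input); // "2*3" -> 6, and anything else the string contains runs too
}

// Fixed: accept only what a decimal amount may look like, then convert with
// Number(). Rejecting up front also removes NaN/Infinity handling downstream.
function parseAmountSafe(input) {
  const s = typeof input === 'string' ? input.trim() : '';
  if (!/^\d{1,9}(\.\d{1,2})?$/.test(s)) {
    throw new TypeError('amount must be a decimal number with up to two places');
  }
  return Number(s);
}

// Handler-style wrapper: validation failures become a 400, never a crash or a sink.
function contributionsHandler(body) {
  try {
    return { status: 200, preTax: parseAmountSafe(body && body.preTax) };
  } catch (e) {
    return { status: 400, error: e.message };
  }
}
```

The same rule covers the other dynamic-code sinks in Node, `new Function`, `vm.runInThisContext` and `setTimeout` with a string argument: none of them should ever see request data, and a static scanner rule for those call names (the kind the NodeJsScan rules file later in the deck encodes) is the cheap way to find them.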
Insecure Direct Object References
▪ Use the session instead of the request param
▪ var userId = req.session.userId;
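The IDOR slide gives the fix in one line. As an added example that is not from the slides or from NodeGoat, the block below shows the vulnerable handler that trusts an id from the URL, the fixed handler that takes the id from the session, and the ownership check needed when a resource id legitimately has to appear in the URL. The in-memory user store, the allocation records and the handler names are constructed for the example.

```javascript
// Added example (not from the slides): IDOR in a profile lookup, and two fixes.

// Constructed sample data standing in for a database.
const USERS = new Map([
  [1, { id: 1, name: 'alice', ssn: '***-**-1111' }],
  [2, { id: 2, name: 'bob', ssn: '***-**-2222' }],
]);

// Vulnerable: the id comes from the client, so any logged-in user can read any
// profile just by changing the number in the URL.
function profileByParam(req) {
  const user = USERS.get(Number(req.params.id));
  return user ? { status: 200, user } : { status: 404 };
}

// Fixed: identity comes from the server-side session set at login, as the slide
// says (var userId = req.session.userId), so the URL cannot pick another user.
function profileBySession(req) {
  const userId = req.session && req.session.userId;
  if (!userId) return { status: 401 };
  const user = USERS.get(userId);
  return user ? { status: 200, user } : { status: 404 };
}

// When a resource id must be in the URL (e.g. /allocations/:id), look it up and
// then check that the session user owns it; a mismatch is 403, not a silent leak.
function allocationById(req, allocations) {
  const userId = req.session && req.session.userId;
  if (!userId) return { status: 401 };
  const alloc = allocations.get(Number(req.params.id));
  if (!alloc) return { status: 404 };
  if (alloc.ownerId !== userId) return { status: 403 };
  return { status: 200, alloc };
}
```

The second pattern is the general one: every handler that loads an object by a client-supplied id needs an authorization check against the session, and that check belongs in the data-access layer so that a new route cannot forget it.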
Tools
▪ KrakenJS: http://krakenjs.com/
▪ Lusca middleware: https://github.com/krakenjs/lusca
▪ NodeJsScan

NodeJsScan
▪ https://github.com/ajinabraham/NodeJsScan
▪ https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
GitHub repositories
▪ https://github.com/jmortega/testing_nodejs_security
▪ https://github.com/cr0hn/vulnerable-node
▪ https://github.com/rdegges/svcc-auth
▪ https://github.com/strongloop/loopback-getting-started-intermediate
▪ https://github.com/Feeld/strong-node

Node security learning
▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books
References
▪ https://blog.risingstack.com/node-js-security-checklist/
▪ https://blog.risingstack.com/node-js-security-tips/
▪ https://www.npmjs.com/package/helmet
▪ https://expressjs.com/en/advanced/best-practice-security.html
▪ https://expressjs.com/en/advanced/security-updates.html
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
Recommend
More recommend