Source: files.meetup.com/16676252/Node.js Security.pdf

Phillip Chaffee, July 7th, 2015

Node.js Security

Security for web servers written in Javascript

Node.js Overview

Javascript interpreter for writing servers

Built on Google Chrome's Javascript Runtime – V8

Event driven

Non-blocking I/O model

Written in C

OWASP Node Goat

What is it?

Node Goat is a purposefully flawed application developed using Node.js.

Made to be hacked/fixed to learn the OWASP Top 10 for Node.js.

How to use it

Either fork and deploy (Heroku)

Fork, clone, and run locally

Open the source code

Follow the walkthrough

Source code comments are very helpful

Main Libraries Used in Node Goat

ExpressJS: Node.js framework

Node is very low level

Needs a framework to sit on top of it to handle routing

MongoDB: A NoSQL database that uses a Javascript console

Stores data in JSON objects

Swig: A front end framework for injecting Javascript into the browser

OWASP Top 10

A1 - Injection

A2 – Broken Auth

Password field needs encryption

NPM to the rescue

Bcrypt

A3 - XSS

Not much different than in a non Node.js app

Validate all inputs

Use correct output encoding

HTTP only on session cookies not needed by JS

Use built in Express middleware session management: app.use(express.session({}));

A4 – Insecure Direct Object References

Use session instead of request parameters

Also check access

Use indirect session/user object references

A5 - Misconfiguration

Node.js configuration tips:

Use the latest and most stable versions of Node.js and all major packages being used

Lock all npm package versions

Use HTTP request body limiting middleware

Never run an application with root privileges

Helmet: Helmet is a great node package that bundles together a lot of the security configuration you will need

A6 – Sensitive Data

Use secure HTTPS protocol: https.createServer()

Encrypt all sensitive data: var crypto = require("crypto");

Don't store sensitive data longer than you need to

Verify algorithm strength

Disable autocomplete

A7 – Missing Function Level Access Control

Verify that the current user has sufficient rights to view restricted areas

ExpressJS middleware

A8 – Cross-Site Request Forgery

Malicious web pages

ExpressJS provides middleware specifically for this:

app.use(express.csrf());

app.use(function(req, res, next) {
  res.locals.csrftoken = req.csrfToken();
  next();
});

A9 - Using Components with Known Vulnerabilities

Do not run any modules with root privileges

Use the Node Security Project: npm install nsp -g

nsp package

This scans the package.json file and alerts you to any packages with known vulnerabilities

A10 - Unvalidated Redirects and Forwards

Avoid using redirects and forwards altogether

If used, don't include user parameters

Otherwise, validate destination and current user

Conclusion

ZAProxy still works great for testing

It has its own npm package: npm install zaproxy

var options = { proxy: 'http://localhost:4000' };
var ZapClient = require('zaproxy');
var zaproxy = new ZapClient(options);

Node.js is very low level, so security can be built as middleware

Further reading/information: https://github.com/PhillipChaffee/nodejs-security/blob/master/reading.md

Questions & Discussion