Hacking NodeJS applications for fun and profit

Presentation · February 2019


DOI: 10.13140/RG.2.2.34059.44322

Author: José Manuel Ortega (University of Alicante)

All content following this page was uploaded by José Manuel Ortega on 25 January 2020.



Hacking NodeJS applications for fun and profit
Testing NodeJS Security

by @jmortegac
Agenda
▪ Introduction to Node.js security
▪ Npm security packages
▪ Node Goat project
▪ Tools
Node JS
▪ JavaScript in the backend
▪ Built on Chrome's JavaScript runtime (V8)
▪ Node.js is based on an event loop
▪ Designed to be asynchronous
▪ Single thread
▪ Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.
Security updates
▪ https://expressjs.com/en/advanced/security-updates.html
Package vulnerabilities
▪ https://www.npmjs.com/advisories
Npm security packages
▪ Helmet
▪ express-session
▪ cookie-session
▪ csurf
▪ express-validator
▪ bcrypt-node
▪ express-enforces-ssl
Security HTTP Headers
▪ Strict-Transport-Security
▪ X-Frame-Options
▪ X-XSS-Protection
▪ X-Content-Type-Options
▪ Content-Security-Policy
Helmet module
▪ https://www.npmjs.com/package/helmet
▪ https://github.com/helmetjs/helmet

Helmet module
▪ hidePoweredBy → removes the X-Powered-By header
▪ hpkp → protection against MITM (public key pinning)
▪ hsts → forces HTTPS connections
▪ noCache → disables client-side caching
▪ frameguard → protection against clickjacking
▪ xssFilter → protection against XSS
Helmet CSP
Check headers security
▪ http://cyh.herokuapp.com/cyh
▪ https://securityheaders.io/
Express versions
▪ https://www.shodan.io/search?query=express
Disable x-powered-by
▪ Avoid framework fingerprinting
▪ Use Helmet and its “hide-powered-by” plugin
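The checks behind the "Check headers security" and "Disable x-powered-by" slides, written as an added example for this page (it is not code from the slides, from Helmet or from securityheaders.io): a plain function that audits a response's headers for the five headers listed above and for X-Powered-By disclosure. The one-year HSTS threshold and the two sample responses are assumptions of this example.

```javascript
// Added example (not from the slides or from Helmet): audit the security
// headers of an HTTP response. Header names and expected values follow the
// "Security HTTP Headers" slide; the one-year HSTS threshold is an assumption.

function parseDirectives(value) {
  // 'max-age=31536000; includeSubDomains' -> { 'max-age': '31536000', includesubdomains: '' }
  const out = {};
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) out[k.toLowerCase()] = (v || '').trim();
  }
  return out;
}

function auditSecurityHeaders(headers) {
  // Normalise names to lowercase so the check does not depend on header casing.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (!('strict-transport-security' in h)) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const d = parseDirectives(h['strict-transport-security']);
    if (!(Number(d['max-age']) >= 31536000)) findings.push('Strict-Transport-Security max-age below one year');
    if (!('includesubdomains' in d)) findings.push('Strict-Transport-Security lacks includeSubDomains');
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (!xfo) findings.push('missing X-Frame-Options');
  else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push(`weak X-Frame-Options: ${xfo}`);

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  if (!('x-xss-protection' in h)) findings.push('missing X-XSS-Protection');

  if (!('content-security-policy' in h)) {
    findings.push('missing Content-Security-Policy');
  } else if (!/default-src/.test(h['content-security-policy'])) {
    findings.push('Content-Security-Policy has no default-src fallback');
  }

  // Framework fingerprinting: the header that Helmet's hidePoweredBy removes.
  if ('x-powered-by' in h) findings.push(`X-Powered-By disclosed: ${h['x-powered-by']}`);

  return findings;
}

// Constructed sample responses: what a stock Express app sends, and a hardened one.
const stockExpressHeaders = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html; charset=utf-8' };
const hardenedHeaders = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-XSS-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'",
};

console.log('stock Express:', auditSecurityHeaders(stockExpressHeaders));
console.log('hardened:', auditSecurityHeaders(hardenedHeaders));
```

Feed it the `headers` object of a real response (for example from `http.get` or the `res.getHeaders()` of your own app) to get the same kind of report the online checkers produce, but offline and scriptable in a test suite.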
Sessions management
▪ https://www.npmjs.com/package/cookie-session
▪ secure
▪ httpOnly
▪ domain
▪ path
▪ expires
httpOnly & secure:true
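The cookie attributes listed on the "Sessions management" slide, as an added example that is not code from the slides or from cookie-session: a small Set-Cookie parser, an audit that reports which attributes are missing or weak, and a builder that emits a session cookie with `HttpOnly`, `Secure`, `SameSite` and `Path` set. The cookie names and the rule that an absent `Expires`/`Max-Age` is worth reporting are assumptions of this example.

```javascript
// Added example (not from the slides or from cookie-session): parse a
// Set-Cookie header, flag the attributes from the "Sessions management" slide
// that are missing or weak, and build a session cookie with the safe settings.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function auditSessionCookie(header) {
  const { attributes: a } = parseSetCookie(header);
  const findings = [];
  if (a.secure !== true) findings.push('missing Secure: cookie also travels over plain HTTP');
  if (a.httponly !== true) findings.push('missing HttpOnly: readable via document.cookie after XSS');
  if (!a.samesite) findings.push('missing SameSite: sent on cross-site requests (CSRF)');
  else if (String(a.samesite).toLowerCase() === 'none' && a.secure !== true) findings.push('SameSite=None requires Secure');
  if (!a.path) findings.push('missing Path: scope is left to the browser default');
  if (!('expires' in a) && !('max-age' in a)) findings.push('no Expires/Max-Age: lifetime is the whole browser session');
  return findings;
}

// Builder with the hardened defaults: the value is URL-encoded so it cannot
// smuggle attribute separators, and every attribute from the slide is set.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Constructed samples: a bare session cookie versus the hardened one.
const weakCookie = 'connect.sid=s%3Aabc123';
const strongCookie = buildSessionCookie('connect.sid', 's:abc123', 3600);
console.log(auditSessionCookie(weakCookie));
console.log(strongCookie, auditSessionCookie(strongCookie));
```

Run `auditSessionCookie` over the `set-cookie` array of a login response in an integration test; the cookie-session and express-session options `secure` and `httpOnly` map directly onto the first two findings.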
XSS attacks
▪ An attacker can exploit an XSS vulnerability to:
▪ Steal session cookies / session hijacking
▪ Redirect users to malicious sites
▪ Deface and manipulate content
▪ Cross-Site Request Forgery
CSRF attacks
https://www.npmjs.com/package/csurf

CSRF
  const express = require('express');
  const cookieParser = require('cookie-parser');
  const csrf = require('csurf');

  const app = express();
  app.use(express.urlencoded({ extended: false }));  // so csurf can read the _csrf form field
  app.use(cookieParser());                           // csurf stores its secret in a cookie here
  app.use(csrf({ cookie: true }));                   // must be mounted before the middleware below

  // Expose the per-request token to templates under the name the form uses
  app.use(function (request, response, next) {
    response.locals.csrfToken = request.csrfToken();
    next();
  });

  <form action="/process" method="POST">
    <input type="hidden" name="_csrf" value="{{csrfToken}}">
    <button type="submit">Submit</button>
  </form>
Filter/sanitize user input
▪ Fixing XSS attacks
▪ https://www.npmjs.com/package/sanitizer
▪ Module express-validator
▪ https://www.npmjs.com/package/express-validator
Express Validator
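The two halves of "filter/sanitize user input" shown in working code, as an added example that is not from the slides and not the sanitizer or express-validator packages: whitelist validation of the fields a request may carry, and HTML escaping applied at output time so that whatever survives validation can never become markup. The comment page, field names and the allowed username pattern are assumptions of this example.

```javascript
// Added example (not from the slides, not the sanitizer or express-validator
// packages): input validation plus output encoding against XSS. The comment
// form, its field names and the username rule are assumptions of this example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for HTML text and quoted-attribute contexts: user data never becomes markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Whitelist validation in the spirit of an express-validator chain (assumption):
// returns the list of errors, empty when the input is acceptable.
function validateComment({ username, comment }) {
  const errors = [];
  if (typeof username !== 'string' || !/^[A-Za-z0-9_]{3,20}$/.test(username)) {
    errors.push('username must be 3-20 letters, digits or underscores');
  }
  if (typeof comment !== 'string' || comment.length === 0 || comment.length > 500) {
    errors.push('comment must be 1-500 characters');
  }
  return errors;
}

// Render the untrusted fields with escaping applied at the point of output,
// in both the attribute and the element-body position.
function renderComment({ username, comment }) {
  return `<article data-user="${escapeHtml(username)}">` +
         `<strong>${escapeHtml(username)}</strong>: ${escapeHtml(comment)}</article>`;
}

// Constructed hostile input: validation rejects the username, and escaping
// neutralises the comment even though it passed the length check.
const hostileInput = { username: 'bob<img src=x onerror=1>', comment: '<script>alert(1)</script>' };
console.log(validateComment(hostileInput));
console.log(renderComment(hostileInput));
```

Escaping belongs at output, not at input: the same comment stored once may be rendered into HTML, a JSON API and an e-mail, and each context needs its own encoder, while validation at input keeps values inside the shape the application expects.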
Bcrypt-node
▪ https://github.com/kelektiv/node.bcrypt.js
Node Goat
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://github.com/OWASP/NodeGoat
EVAL() ATTACKS
res.end(require('fs').readdirSync('.').toString())
Insecure Direct Object References
▪ Use session instead of request param
▪ var userId = req.session.userId;
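The two fixes the Node Goat slides point at, written out as an added example (not from the slides or from the NodeGoat project): the allocations lookup keyed by the session's `userId` rather than by a request parameter, placed beside the parameter-keyed lookup it replaces, and a strict numeric parser standing in for `eval()` on form fields. The in-memory allocations table and the request shape are constructed for this example.

```javascript
// Added example (not from the slides or from NodeGoat): (1) take the acting
// user's id from the session, never from the request, so one user cannot read
// another user's records by editing the URL; (2) replace eval() on user input
// with strict numeric parsing. Data table and request shape are constructed.

const allocations = {
  1: { userId: 1, stocks: 60, funds: 40 },
  2: { userId: 2, stocks: 20, funds: 80 },
};

// Insecure direct object reference: whatever id is in the URL is served.
function getAllocationsByParam(req) {
  return allocations[req.params.userId] || null;
}

// Fixed: the record is chosen by the authenticated session; req.params is ignored.
function getOwnAllocations(req) {
  const userId = req.session && req.session.userId;
  if (userId === undefined) return null;   // not authenticated
  return allocations[userId] || null;
}

// Strict replacement for eval() on numeric form fields: accepts an optionally
// signed integer or decimal and nothing else (expressions, code, empty input
// all return null, so the caller can reject the request).
function parseAmount(input) {
  if (typeof input !== 'string' || !/^\s*-?\d+(\.\d+)?\s*$/.test(input)) return null;
  return Number(input);
}

// Constructed request: user 1 is logged in but asks for user 2's record in the URL.
const tamperedRequest = { params: { userId: '2' }, session: { userId: 1 } };
console.log('by param:', getAllocationsByParam(tamperedRequest));   // user 2's data leaks
console.log('own:', getOwnAllocations(tamperedRequest));             // user 1's data only
console.log(parseAmount('25'), parseAmount('2*21'), parseAmount(''));
```

For an admin screen that legitimately shows another user's record, keep the id in the request but add an explicit authorization check against the session's role; the rule is that the session decides who is acting, and the request only says what they ask for.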
Tools
▪ KrakenJS
▪ Lusca middleware
▪ NodeJsScan
http://krakenjs.com/
https://github.com/krakenjs/lusca
NodeJsScan
▪ https://github.com/ajinabraham/NodeJsScan
▪ https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
GitHub repositories
▪ https://github.com/jmortega/testing_nodejs_security
▪ https://github.com/cr0hn/vulnerable-node
▪ https://github.com/rdegges/svcc-auth
▪ https://github.com/strongloop/loopback-getting-started-intermediate
▪ https://github.com/Feeld/strong-node
Node security learning
▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books
Books
References
▪ https://blog.risingstack.com/node-js-security-checklist/
▪ https://blog.risingstack.com/node-js-security-tips/
▪ https://www.npmjs.com/package/helmet
▪ https://expressjs.com/en/advanced/best-practice-security.html
▪ https://expressjs.com/en/advanced/security-updates.html
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
