Surviving Web Security - Node Interactive
Gergely Nemeth, RisingStack
ATTACK TREES
“formal, methodical way of describing the security of systems, based on varying attacks”
- Bruce Schneier
Open Safe
- Pick Lock
- Learn Combo
  - Find it Written
  - Learn From Target
    - Blackmail
    - Eavesdrop
    - Bribe
- Bad Setup
KNOW YOUR ATTACKER
Open Safe (P)
- Pick Lock (I)
- Learn Combo (P)
  - Find it Written (I)
  - Learn From Target (P)
    - Blackmail (I)
    - Eavesdrop (I)
    - Bribe (P)
- Bad Setup (I)
P = Possible
I = Impossible
For this attacker the only branch marked possible all the way down is Learn Combo -> Learn From Target -> Bribe, so that is the path the defences have to cover.
DENIAL OF SERVICE
ATTACK TREES - DENIAL OF SERVICE
Denial of Service
- Find Evil Regex Vulnerability
- Distributed Mass Traffic
^(a+)+$
[figure: nondeterministic finite automaton for ^(a+)+$, states 1 to 5, transitions on “a”]
^(a+)+$
for the input “aaaaX”: 16 possible paths
for the input “aaaaaaaaaaaaaaaaX”: 65536 possible paths
Backtracking regular-expression engines, including the one in V8 that Node.js uses, can be driven into inputs on which the number of paths they try grows exponentially with the input length, so a short string makes them run for seconds or minutes.
Evil Regexes (ReDoS)
- Grouping with repetition
- Inside the repeated group:
  - Repetition
  - Alternation with overlapping
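The following is an added example, not code from the talk: it times the evil pattern from the slides against its linear rewrite on a Node.js process, and shows the two cheap defences a practitioner applies first, bounding the length of attacker-controlled input and rewriting the pattern without the nested quantifier. While the engine backtracks, the whole event loop is blocked, which is the single-thread point made below. The length limit of 64 is an assumption for the example.

```javascript
// Added example, not from the talk: measure catastrophic backtracking in Node.js
// and apply the two cheap defences, rewriting the pattern and bounding input.
const EVIL = /^(a+)+$/; // nested quantifier: exponential backtracking on "aaa...X"
const SAFE = /^a+$/;    // accepts exactly the same strings, in linear time

// Hypothetical limit; pick the longest value the field legitimately needs.
const MAX_INPUT_LENGTH = 64;

// Time one regex test in milliseconds on the monotonic clock.
function measureMs(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Defence 1: never hand an unbounded attacker-controlled string to a regex.
// Rejecting over-long input caps the work the engine can be made to do.
function boundedTest(re, input, maxLen = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return re.test(input);
}

// Defence 2: rewrite the pattern without the nested quantifier and check the
// rewrite accepts and rejects the same samples before swapping it in.
function sameLanguage(a, b, samples) {
  return samples.every((s) => a.test(s) === b.test(s));
}

// Grow the almost-matching input and watch EVIL roughly double per extra "a"
// while SAFE stays flat. Returns the measurements instead of only printing.
function backtrackingGrowth(lengths = [8, 12, 16, 20]) {
  return lengths.map((n) => {
    const input = 'a'.repeat(n) + 'X'; // constructed worst case: fails at the end
    return {
      n,
      evilMs: measureMs(EVIL, input).ms,
      safeMs: measureMs(SAFE, input).ms,
    };
  });
}

console.table(backtrackingGrowth());
console.log('rewrite accepts the same samples:',
  sameLanguage(EVIL, SAFE, ['', 'a', 'aaaa', 'aaaaX', 'b', 'aXa']));
```

Running the block prints the timings table; every extra “a” roughly doubles the evil pattern's time, and the blocked event loop means no other request is served meanwhile. Push the lengths much past 20 only on a machine you can afford to stall.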
WE HAVE A SINGLE THREAD
ATTACK TREE FOR USER ACCOUNTS
Get Access
- Modify Credentials
  - Get Access to Database
  - Get Access to DMZ
- Learn Password
  - Social Engineering
  - Listen on Transport Layer
  - Guessing
- Bypass Access Control
  - Insecure Dependencies
GUESSING - BRUTE FORCE
systematically enumerating all possible
candidates for the solution
use a rate limiter on your login and other guessable endpoints, so that the number of candidates an attacker can try per time window is bounded
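An added example, not code from the talk, of what such a limiter looks like in Node.js: a fixed-window counter with two independent budgets on the login route, one per client address and one per target account. The limits, the key scheme and the Express-style (req, res, next) middleware shape are assumptions for the example; the clock is injectable so the behaviour can be tested without waiting.

```javascript
// Added example, not from the talk: a fixed-window rate limiter for a login
// route. Limits, key scheme and the Express-style (req, res, next) shape are
// assumptions for the example; the clock is injectable for deterministic tests.
class RateLimiter {
  constructor({ limit = 5, windowMs = 60000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { count, windowStart }
  }

  // Record one attempt for `key` and report whether it is still within budget.
  hit(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { count: 0, windowStart: t }; // start a fresh window
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + this.windowMs - t,
    };
  }
}

// Middleware for the login route. Two independent budgets: per client address
// (one attacker trying many accounts) and per target account (many addresses
// trying one account). Either budget running out answers 429 with Retry-After.
function loginRateLimit({ perIp, perAccount }) {
  return function (req, res, next) {
    const ip = req.ip || 'unknown';
    const account = String((req.body && req.body.username) || '').toLowerCase();
    const verdicts = [perIp.hit(`ip:${ip}`), perAccount.hit(`account:${account}`)];
    const blocked = verdicts.find((v) => !v.allowed);
    if (blocked) {
      res.statusCode = 429;
      res.setHeader('Retry-After', Math.ceil(blocked.retryAfterMs / 1000));
      res.end('Too many login attempts');
      return;
    }
    next();
  };
}

// Wiring, assuming an Express-like app:
//   app.post('/login', loginRateLimit({
//     perIp: new RateLimiter({ limit: 20, windowMs: 60000 }),
//     perAccount: new RateLimiter({ limit: 5, windowMs: 60000 }),
//   }), loginHandler);
```

Two caveats a reviewer would raise: the counters live in one process, so behind a load balancer they must move to a shared store or each worker gets its own budget; and a hard per-account limit lets an attacker lock a victim out by spending that budget, so prefer a slowdown or a CAPTCHA over a hard block for the per-account budget. The buckets map also needs eviction in a long-running process.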
GUESSING - TIMING ATTACKS
compromise a cryptosystem by analyzing
the time taken to execute cryptographic
algorithms
WRONG!
A comparison that stops at the first character that differs:

Comparing TRACE with TRACE:
1st iteration: T = T
2nd iteration: R = R
...
5th iteration: E = E, every character compared

Comparing TRACE with TRICK:
1st iteration: T = T
2nd iteration: R = R
3rd iteration: A ≠ I, mismatch, no more iterations
the more letters match from the password, the more time it takes: the response time tells the attacker how many leading characters were right, so the secret can be recovered one character at a time instead of being guessed as a whole
ALWAYS USE FIXED-TIME COMPARISON
INSECURE DEPENDENCIES
YOU ARE WHAT YOU REQUIRE
node-uuid is downloaded 255,000 times a day, and more than 4,000 modules depend on it: a vulnerability in one such module is inherited by everything that requires it, directly or transitively
THE HUMAN FACTOR
95% OF ALL SECURITY INCIDENTS INVOLVE HUMAN ERROR
WE ARE THE WEAKEST LINK
security must be part of the agile workflow
stories should include acceptance criteria for security
Given an unauthenticated user,
when she tries to view her profile,
then she is redirected to the login page.
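An added example, not code from the talk, of turning that acceptance criterion into something a test suite can run: a guard for routes that need a logged-in user, returning a redirect for anonymous requests. The in-memory session store, the route names and the `next` query parameter are assumptions for the example; the check on `next` is the detail a reviewer looks for, since a post-login redirect that accepts any URL is an open redirect.

```javascript
// Added example, not from the talk: the acceptance criterion as an executable
// check. Session store, route names and the `next` parameter are assumptions.
const sessions = new Map(); // constructed in-memory session store: id -> user

// Only allow same-site relative paths as a post-login destination, so the
// redirect cannot be turned into an open redirect to another host. Both "//"
// and "/\" prefixes are rejected because browsers read them as scheme-relative.
function safeNext(path) {
  if (typeof path !== 'string' || !path.startsWith('/')
      || path.startsWith('//') || path.startsWith('/\\')) {
    return '/';
  }
  return path;
}

// Guard for any route that needs a logged-in user. Returns a small response
// object instead of writing to a socket so the outcome can be asserted on.
function requireAuth(handler) {
  return (req) => {
    const user = sessions.get(req.cookies && req.cookies.sid);
    if (!user) {
      const dest = `/login?next=${encodeURIComponent(safeNext(req.path))}`;
      return { status: 302, headers: { Location: dest } };
    }
    return handler(req, user);
  };
}

const profileRoute = requireAuth((req, user) => ({
  status: 200,
  body: `profile of ${user.name}`,
}));

// After a successful login, send the user back where she was, but only to a
// destination that passes safeNext.
function loginRedirect(query) {
  return { status: 302, headers: { Location: safeNext(query.next) } };
}

// The story, step by step: given an unauthenticated user (no session cookie),
// when she requests /profile, then the answer is a redirect to the login page.
function acceptanceCriterionHolds() {
  const response = profileRoute({ path: '/profile', cookies: {} });
  return response.status === 302 && response.headers.Location.startsWith('/login');
}
```

The same shape works for every security acceptance criterion on a story: write the Given/When/Then as a test against the handler, and the build fails when the guard is removed or bypassed.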
SECURITY IS PART OF YOUR JOB!
WHAT’S NEXT?
- Node.js Security Checklist - https://blog.risingstack.com/node-js-security-checklist/
- Advisories of NSP - on nodesecurity.io
- OWASP TOP 10 - on owasp.org
Thanks!