
Page 1 (source: files.meetup.com/16676252/Node.js Security.pdf)

Node.js Security

Security for web servers written in Javascript

Phillip Chaffee, July 7th, 2015

Page 2: Node.js Overview

Javascript interpreter for writing servers

Built on Google Chrome's Javascript Runtime – V8

Event driven

Non-blocking I/O model

Written in C

Page 3: OWASP Node Goat

What is it?

Node Goat is a purposefully flawed application developed using Node.js.

Made to be hacked/fixed to learn the OWASP top 10 for Node.js.

How to use it

Either fork and deploy (Heroku)

Or fork, clone, and run locally

Open the source code

Follow the walkthrough

Source code comments are very helpful

Page 4: Main Libraries Used in Node Goat

ExpressJS: Node.js framework. Node is very low level and needs a framework to sit on top of it to handle routing.

MongoDB: A NoSQL database that uses a Javascript console and stores data in JSON objects.

Swig: A front end framework for injecting Javascript into the browser.

Page 5: OWASP Top 10

Page 6: A1 - Injection

Page 7: A2 – Broken Auth

Password field needs encryption

NPM to the rescue: bcrypt

Page 8: A3 - XSS

Not much different than in a non-Node.js app

Validate all inputs

Use correct output encoding

Set HttpOnly on session cookies not needed by JS

Use the built-in Express middleware for session management:

app.use(express.session({ secret: sessionSecret })); // the secret option is required: a long random value kept out of source control

Page 9: A4 – Insecure Direct Object References

Use session instead of request parameters

Also check access

Use indirect session/user object references

Page 10: A5 - Misconfiguration

Node.js configuration tips

Use the latest and most stable versions of node.js and all major packages being used

Lock all npm package versions

Use HTTP request body limiting middleware

Never run an application with root privileges

Helmet: Helmet is a great node package that bundles together a lot of the security configuration you will need

Page 11: A6 – Sensitive Data

Use the secure HTTPS protocol: https.createServer()

Encrypt all sensitive data: var crypto = require("crypto");

Don't store sensitive data longer than you need to

Verify algorithm strength

Disable autocomplete on sensitive form fields

Page 12: A7 – Missing Function Level Access Control

Verify that the current user has sufficient rights to view restricted areas

ExpressJS middleware
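Added example (not Node Goat's own code) covering both the A4 advice on page 9 (look records up from the session, check access, use indirect references) and the A7 middleware on this page. It is written in Express's middleware shape but without Express, so it runs stand-alone; the allocations table, user names and role names are constructed sample data.

```javascript
// Added example: Express-style middleware for A4 (IDOR) and A7 (function-level
// access control). req/res are plain objects shaped like Express's.
const allocations = {                       // constructed sample data: id -> record
  1: { owner: 'alice', stocks: 40 },
  2: { owner: 'bob', stocks: 75 },
};

function requireLogin(req, res, next) {
  if (!req.session || !req.session.userId) return res.sendStatus(401);
  next();
}

// A4, preferred form: the record is found from the session identity.
// The client sends no id, so there is nothing for it to tamper with.
function loadOwnAllocation(req, res, next) {
  const rec = Object.values(allocations).find(a => a.owner === req.session.userId);
  if (!rec) return res.sendStatus(404);
  req.allocation = rec;                     // indirect reference for later handlers
  next();
}

// A4 when an id is in the URL anyway: verify the caller owns it ("also check access").
function loadAllocationById(req, res, next) {
  const id = req.params.id;
  const rec = Object.prototype.hasOwnProperty.call(allocations, id) ? allocations[id] : null;
  if (!rec) return res.sendStatus(404);
  if (rec.owner !== req.session.userId) return res.sendStatus(403);
  req.allocation = rec;
  next();
}

// A7: function-level control as a per-route factory, e.g.
// app.get('/admin', requireLogin, requireRole('admin'), handler).
function requireRole(role) {
  return (req, res, next) => {
    if (req.session.role !== role) return res.sendStatus(403);
    next();
  };
}

// Runs a middleware chain on a fake req/res the way Express would, so the
// checks can be exercised without an HTTP server.
function runChain(chain, req) {
  let status = null, i = 0;
  const res = { sendStatus(code) { status = code; } };
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return { status, done: status === null && i === chain.length, req };
}
```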

Page 13: A8 – Cross-Site Request Forgery

Malicious web pages

ExpressJS provides middleware specifically for this (it must be mounted after the session and body-parsing middleware):

app.use(express.csrf());
app.use(function(req, res, next) {
  res.locals.csrftoken = req.csrfToken();
  next();
});

Page 14: A9 - Using Components with Known Vulnerabilities

Do not run any modules with root privileges

Use the Node Security Project: npm install nsp -g

nsp package: this scans the package.json file and alerts you to any packages with known vulnerabilities (nsp was later folded into npm, where npm audit does the same job)

Page 15: A10 - Unvalidated Redirects and Forwards

Avoid using redirects and forwards altogether

If used, don't include user parameters

Otherwise, validate destination and current user
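Added example (not Node Goat's code) of the third bullet, validating a redirect destination taken from a request parameter: it resolves the target against the site's own origin and only redirects to an allowlisted host over https, falling back to the home page otherwise. The site origin, the allowlist and the returnTo parameter name are constructed for the demo.

```javascript
// Added example: redirect-target validation for A10.
const SITE_ORIGIN = 'https://nodegoat.example';                         // assumed deployment origin
const ALLOWED_HOSTS = new Set(['nodegoat.example', 'partner.example']); // constructed allowlist
const FALLBACK = SITE_ORIGIN + '/';

// Returns an absolute URL that is safe to redirect to, or FALLBACK.
// Resolving against SITE_ORIGIN keeps relative paths working while making
// host-smuggling forms ("//other.example", "https://other.example") show up
// as a foreign hostname rather than a path.
function safeRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) return FALLBACK;
  if (target.includes('\\')) return FALLBACK;       // browsers treat "\" as "/"
  let url;
  try {
    url = new URL(target, SITE_ORIGIN);
  } catch (e) {
    return FALLBACK;                                // unparseable input
  }
  if (url.protocol !== 'https:') return FALLBACK;   // also rejects javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;
  if (url.username || url.password) return FALLBACK; // credentials never belong in a redirect
  return url.href;
}

// Express-style handler: the user lands on ?returnTo only when it passes the checks.
function loginRedirect(req, res) {
  res.redirect(safeRedirectTarget(req.query && req.query.returnTo));
}
```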

Page 16: Conclusion

ZAProxy still works great for testing

It has its own npm package: npm install zaproxy

var options = { proxy: 'http://localhost:4000' };
var ZapClient = require('zaproxy');
var zaproxy = new ZapClient(options);

Node.js is very low level, so security can be built as middleware

Further reading/information: https://github.com/PhillipChaffee/nodejs-security/blob/master/reading.md

Page 17: Questions & Discussion