Secure Coding in Node.js

Transcription

1 Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA

2 Introduction Seth Law VP of Research & nvisium Developer/Contributor of Django.nV, Swift.nV, SiRATool, RAFT, Grails.nV Hacker, AppSec Architect, Security Consultant Soccer Hooligan Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA

3

4 Your App

5 Hopefully, not your App

6 node.js + security =???

7

8 Good The developer is in charge of the entire HTTP interaction. Bad Node.js Your web server is only as secure as you make it. Introduces trivial to exploit SSI depending on programming techniques

9

10 Google + Security 70,000,000 60,000,000 50,000,000 40,000,000 Google + Security 30,000,000 20,000,000 10,000,000 0 Node.js Rails Django Flask Play Grails October 5, 2015

11 Reporting a Bug nodejs.org docs Information Disclosure

12 blog.risingstack.com - Node.js Security Checklist Config mgmt (Headers + data handling) Authentication Session Mgmt (Cookies + CSRF) Data Validation (XSS, SQLi, Command Injection) Secure Transmission (SSL, HSTS) Denial of Service Error Handling Other resources

13 Houston, we have a problem

14

15 OWASP Top 10 Injection Broken Authentication & Session Management Cross-Site Scripting Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery Using Components with Known Vulns Invalidated Redirects and Forwards

16 OWASP Top 10 Injection Broken Authentication & Session Management Cross-Site Scripting Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery Using Components with Known Vulns Invalidated Redirects and Forwards

17

18 Vulnerabilities Insecure Direct Object Reference Mass Assignment Cross Site Request Forgery (CSRF) Business Logic Flaws Defenses Tools Agenda

19 Security Mindset All comes down to trust Trust you can defend against a reasonable level of attacker skill set Trust you can recover from that which you cannot prevent Your users can trust your product Your product does not trust its users

20 Vulnerabilities Why? Disclaimer

21 Insecure Direct Object Reference AKA IDOR Seeing a rise in the number of instances. Authorization Knowledge of identifier values is the only thing required to access the associated record.

22 IDOR

23

24 IDOR Changing an identifier value.

25 Mitigation Insecure Direct Object Reference Always check to see if a user has access to a resource or function before operating on it. Access controls should be enforced at the controller level, not the route level. This double checks access in the case that multiple routes point to the same controller.

26 Mass Assignment AKA Data-Binding Attacks Active-record pattern abuse Add parameters to request to modify data

27 Mass Assignment

28

29

30 Mass Assignment Mitigation Don t trust user input Only save/store expected parameters

31 CSRF AKA Session Riding, XSRF A web application will process all requests that include authorization cookies, no questions asked.

32 Problem?

33 Is not enabled by default app.use(express.csrf()); Needs a little help app.use(function (req, res, next) { res.locals.csrftoken = req.session._csrf; }); next(); CSRF

34 CSRF Inside the view <input type=hidden name=_csrf value= {{csrftoken}} ></input> Request is validated when Express sees the token in: req.body._csrf req.query._csrf req.headers[ x-csrf-token ]

35 CSRF Issues (Express CSRF) Uses Math.random and session secret Multi-step process == mistakes Order matters! Must be included after express.session Express ignores tokens in GET, OPTIONS and HEAD requests method-override anyone?

36 CSRF

37 Not so secret

38 CSRF

39 Mitigation Secret must be secret Any sensitive form Pay attention to RESTful APIs Periodically check code for CSRF QA tests? CSRF

40 Is it possible to bypass steps? Process validation Business Logic Flaws What about Node.js asynchronous functions calls? Especially when dealing with authorization decisions.

41

42 Demo Control Flow (goat.js) Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA

43 Mitigation Wait for asynchronous when making authorization decisions. async library Business Logic Flaws

44 Defense Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA

45 Defense Strategy - Integrate into the SDLC Teach first (seccasts.com) Design Test Test Test Start over

46 Defense Library Security Security Middleware Helmet.js Kraken.js

47 NPM 343 new modules/day

48 Node Security Project

49 Malicious Packages

50 retire.js

51 RequireSafe

52 Helmet.js crossdomain.xml CSP (Content Security Policy) X-Powered-By nosniff frame guard xssfilter HPKP HSTS ienoopen nocache

53 Kraken.js - Lusca Cross Site Request Forgery (CSRF) Content Security Policy (CSP) X-Frame-Options Platform for Privacy Preferences (P3P) HTTP Strict Transport Security (HSTS) X-XSS-Protection

54 Defense Tools - Static Code Analysis JSPrime ScanJS HP Fortify IBM AppScan Source

55 Defense JSPrime - Static Code Analysis

56 Defense ScanJS - Static Code Analysis

57 Defense ScanJS - Static Code Analysis DEPRECATED

58 Tools Weaknesses Geared towards single pages/files Only effective at finding specific vulnerabilities False Positives Fortify/AppScan/Veracode

59 Conclusion Security is hard, try harder Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA

60 Questions? Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA

61 Thank - Seth Law seth@nvisium.com Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA