Secure Coding in Node.js

Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 1

Introduction Seth Law VP of Research & Development @ nvisium Developer/Contributor of Django.nV, Swift.nV, SiRATool, RAFT, Grails.nV Hacker, AppSec Architect, Security Consultant Soccer Hooligan Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 2

Your App

Hopefully, not your App

node.js + security =???

Good The developer is in charge of the entire HTTP interaction. Bad Node.js Your web server is only as secure as you make it. Introduces trivial to exploit SSI depending on programming techniques

Google + Security 70,000,000 60,000,000 50,000,000 40,000,000 Google + Security 30,000,000 20,000,000 10,000,000 0 Node.js Rails Django Flask Play Grails October 5, 2015

Reporting a Bug nodejs.org docs Information Disclosure

blog.risingstack.com - Node.js Security Checklist Config mgmt (Headers + data handling) Authentication Session Mgmt (Cookies + CSRF) Data Validation (XSS, SQLi, Command Injection) Secure Transmission (SSL, HSTS) Denial of Service Error Handling Other resources

Houston, we have a problem

OWASP Top 10 Injection Broken Authentication & Session Management Cross-Site Scripting Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery Using Components with Known Vulns Invalidated Redirects and Forwards

OWASP Top 10 Injection Broken Authentication & Session Management Cross-Site Scripting Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery Using Components with Known Vulns Invalidated Redirects and Forwards

Vulnerabilities Insecure Direct Object Reference Mass Assignment Cross Site Request Forgery (CSRF) Business Logic Flaws Defenses Tools Agenda

Security Mindset All comes down to trust Trust you can defend against a reasonable level of attacker skill set Trust you can recover from that which you cannot prevent Your users can trust your product Your product does not trust its users

Vulnerabilities Why? Disclaimer

Insecure Direct Object Reference AKA IDOR Seeing a rise in the number of instances. Authorization Knowledge of identifier values is the only thing required to access the associated record.

IDOR

IDOR Changing an identifier value.

Mitigation Insecure Direct Object Reference Always check to see if a user has access to a resource or function before operating on it. Access controls should be enforced at the controller level, not the route level. This double checks access in the case that multiple routes point to the same controller.

Mass Assignment AKA Data-Binding Attacks Active-record pattern abuse Add parameters to request to modify data

Mass Assignment

Mass Assignment Mitigation Don t trust user input Only save/store expected parameters

CSRF AKA Session Riding, XSRF A web application will process all requests that include authorization cookies, no questions asked.

Problem?

Is not enabled by default app.use(express.csrf()); Needs a little help app.use(function (req, res, next) { res.locals.csrftoken = req.session._csrf; }); next(); CSRF

CSRF Inside the view <input type=hidden name=_csrf value= {{csrftoken}} ></input> Request is validated when Express sees the token in: req.body._csrf req.query._csrf req.headers[ x-csrf-token ]

CSRF Issues (Express CSRF) Uses Math.random and session secret Multi-step process == mistakes Order matters! Must be included after express.session Express ignores tokens in GET, OPTIONS and HEAD requests method-override anyone?

CSRF

Not so secret

CSRF

Mitigation Secret must be secret Any sensitive form Pay attention to RESTful APIs Periodically check code for CSRF QA tests? CSRF

Is it possible to bypass steps? Process validation Business Logic Flaws What about Node.js asynchronous functions calls? Especially when dealing with authorization decisions.

Demo Control Flow (goat.js) Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 42

Mitigation Wait for asynchronous when making authorization decisions. async library Business Logic Flaws

Defense Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 44

Defense Strategy - Integrate into the SDLC Teach first (seccasts.com) Design Test Test Test Start over

Defense Library Security Security Middleware Helmet.js Kraken.js

NPM 343 new modules/day

Node Security Project

Malicious Packages

retire.js

RequireSafe

Helmet.js crossdomain.xml CSP (Content Security Policy) X-Powered-By nosniff frame guard xssfilter HPKP HSTS ienoopen nocache

Kraken.js - Lusca Cross Site Request Forgery (CSRF) Content Security Policy (CSP) X-Frame-Options Platform for Privacy Preferences (P3P) HTTP Strict Transport Security (HSTS) X-XSS-Protection

Defense Tools - Static Code Analysis JSPrime ScanJS HP Fortify IBM AppScan Source

Defense JSPrime - Static Code Analysis

Defense ScanJS - Static Code Analysis

Defense ScanJS - Static Code Analysis DEPRECATED

Tools Weaknesses Geared towards single pages/files Only effective at finding specific vulnerabilities False Positives Fortify/AppScan/Veracode

Conclusion Security is hard, try harder Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 59

Questions? Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 60

Thank you @sethlaw - Seth Law seth@nvisium.com Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 61