Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 1
Introduction Seth Law VP of Research & Development @ nvisium Developer/Contributor of Django.nV, Swift.nV, SiRATool, RAFT, Grails.nV Hacker, AppSec Architect, Security Consultant Soccer Hooligan
Your App
Hopefully, not your App
node.js + security =???
Good: The developer is in charge of the entire HTTP interaction. Bad: Your web server is only as secure as you make it. Node.js introduces trivial-to-exploit SSI depending on programming techniques.
[Chart: "Google + Security" search hit counts per framework (y-axis 0 to 70,000,000) for Node.js, Rails, Django, Flask, Play and Grails, as of October 5, 2015]
Reporting a Bug nodejs.org docs Information Disclosure
blog.risingstack.com - Node.js Security Checklist Config mgmt (Headers + data handling) Authentication Session Mgmt (Cookies + CSRF) Data Validation (XSS, SQLi, Command Injection) Secure Transmission (SSL, HSTS) Denial of Service Error Handling Other resources
Houston, we have a problem
OWASP Top 10: Injection; Broken Authentication & Session Management; Cross-Site Scripting; Insecure Direct Object References; Security Misconfiguration; Sensitive Data Exposure; Missing Function Level Access Control; Cross-Site Request Forgery; Using Components with Known Vulns; Unvalidated Redirects and Forwards
Agenda: Vulnerabilities (Insecure Direct Object Reference, Mass Assignment, Cross Site Request Forgery (CSRF), Business Logic Flaws), Defenses, Tools
Security Mindset All comes down to trust Trust you can defend against a reasonable level of attacker skill set Trust you can recover from that which you cannot prevent Your users can trust your product Your product does not trust its users
Vulnerabilities Why? Disclaimer
Insecure Direct Object Reference (AKA IDOR). Seeing a rise in the number of instances. An authorization flaw: knowledge of identifier values is the only thing required to access the associated record.
IDOR
IDOR Changing an identifier value.
Mitigation (Insecure Direct Object Reference): Always check to see if a user has access to a resource or function before operating on it. Access controls should be enforced at the controller level, not the route level. This double-checks access in the case that multiple routes point to the same controller.
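The controller-level check from the slide, as an added example that is not code from the talk or from goat.js. It assumes a hypothetical request shape `{ user: { id }, params: { id } }`, a constructed in-memory invoice store, and a minimal hand-written router standing in for Express; two route patterns deliberately point at the same controller so the ownership check is exercised through both.

```javascript
// Added example, not from the slides: the ownership check lives in the
// controller, so every route that reaches it is covered.
// Constructed sample store: invoices owned by two different users.
const invoices = new Map([
  [1, { id: 1, ownerId: 'alice', total: 120 }],
  [2, { id: 2, ownerId: 'bob', total: 80 }],
]);

// Hypothetical request shape: { user: { id }, params: { id } }.
function showInvoice(req) {
  const invoice = invoices.get(Number(req.params.id));
  if (!invoice) return { status: 404 };
  // Knowing the identifier is not enough: the caller must own the record.
  if (invoice.ownerId !== req.user.id) return { status: 403 };
  return { status: 200, body: invoice };
}

// Two route patterns (a current and a legacy URL) map to one controller.
// Had the check been attached to only one route, the other would bypass it.
const routes = [
  ['GET', '/invoices/:id', showInvoice],
  ['GET', '/legacy/invoice/:id', showInvoice],
];

// Minimal router: match method and path, hand named params to the controller.
function dispatch(method, path, user) {
  for (const [m, pattern, handler] of routes) {
    const re = new RegExp('^' + pattern.replace(/:(\w+)/g, '(?<$1>[^/]+)') + '$');
    const match = method === m ? path.match(re) : null;
    if (match) return handler({ user, params: match.groups });
  }
  return { status: 404 };
}
```

Because the decision is made next to the data access, adding a third route later cannot silently reopen the hole.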
Mass Assignment (AKA Data-Binding Attacks): Active-record pattern abuse. Add parameters to the request to modify data.
Mass Assignment
Mass Assignment Mitigation: Don't trust user input. Only save/store expected parameters.
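The "only store expected parameters" rule, as an added example that is not from the talk: a vulnerable profile update that binds the whole request body onto the record, next to a hardened version that copies a whitelist. The user record, the `PROFILE_FIELDS` list and the tampered request body are all constructed for the example.

```javascript
// Constructed sample: a stored user record that carries a privileged field.
function makeUser() {
  return { id: 7, name: 'alice', email: 'alice@example.com', role: 'user' };
}

// Vulnerable: active-record style binding of every submitted field.
// An extra `role` parameter in the request lands in the record unchanged.
function updateProfileUnsafe(user, body) {
  return Object.assign({}, user, body);
}

// The only fields this form is expected to change (constructed for the example).
const PROFILE_FIELDS = ['name', 'email'];

// Hardened: copy the expected fields and ignore everything else.
// hasOwnProperty.call keeps inherited keys such as __proto__ out of the copy.
function updateProfileSafe(user, body) {
  const allowed = {};
  for (const key of PROFILE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) allowed[key] = body[key];
  }
  return Object.assign({}, user, allowed);
}

// Constructed request body with one parameter the form never offered.
const tamperedBody = { name: 'alice2', role: 'admin' };
```

The whitelist belongs next to the form it serves; a single global list of "safe" fields drifts as the model grows, which is exactly how these bugs reappear.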
CSRF (AKA Session Riding, XSRF): A web application will process all requests that include authorization cookies, no questions asked.
Problem?
CSRF
Is not enabled by default:
app.use(express.csrf());
Needs a little help (the csrf middleware stores the token in the session; expose it to views, and call next() inside the middleware):
app.use(function (req, res, next) {
  res.locals.csrftoken = req.session._csrf;
  next();
});
CSRF
Inside the view:
<input type="hidden" name="_csrf" value="{{csrftoken}}">
Request is validated when Express sees the token in:
req.body._csrf
req.query._csrf
req.headers['x-csrf-token']
CSRF Issues (Express CSRF): Uses Math.random and the session secret. Multi-step process == mistakes. Order matters! Must be included after express.session. Express ignores tokens in GET, OPTIONS and HEAD requests (method-override, anyone?).
CSRF
Not so secret
CSRF
CSRF Mitigation: The secret must be secret. Protect any sensitive form. Pay attention to RESTful APIs. Periodically check code for CSRF (QA tests?).
Business Logic Flaws: Is it possible to bypass steps? Process validation. What about Node.js asynchronous function calls? Especially when dealing with authorization decisions.
Demo: Control Flow (goat.js)
Business Logic Flaws Mitigation: Wait for asynchronous calls to complete when making authorization decisions (async library).
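The control-flow problem from the demo and its mitigation, as an added example; this is not goat.js and not code from the talk, and it uses built-in Promises and async/await in place of the async library the slide mentions. The user store and the callback-style `findUser` lookup are constructed to stand in for a database call; the `audit` array records the order in which things happen so the bug is observable.

```javascript
// Constructed user store with an asynchronous lookup standing in for a DB query.
const users = { alice: { role: 'admin' }, bob: { role: 'user' } };
function findUser(name, cb) {
  setImmediate(() => cb(null, users[name] || null));
}

// Flawed: the authorization callback fires after the function has already
// carried on, so the privileged action runs for every requester.
function deleteAccountUnsafe(requester, target, audit) {
  findUser(requester, (err, user) => {
    if (err || !user || user.role !== 'admin') {
      audit.push('forbidden'); // too late: the delete below already happened
    }
  });
  audit.push('deleted ' + target);
  return 'deleted';
}

// Promise wrapper around the callback API so the caller can await it.
function findUserAsync(name) {
  return new Promise((resolve, reject) =>
    findUser(name, (err, user) => (err ? reject(err) : resolve(user))));
}

// Fixed: nothing touches the target until the authorization result is in hand.
async function deleteAccountSafe(requester, target, audit) {
  const user = await findUserAsync(requester);
  if (!user || user.role !== 'admin') {
    audit.push('forbidden');
    return 'forbidden';
  }
  audit.push('deleted ' + target);
  return 'deleted';
}
```

The unsafe version cannot be caught by a test that only inspects the callback: the callback does reject the request, just after the damage is done. Assert on the order of side effects, as the `audit` array does here, and the flaw is visible immediately.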
Defense
Defense Strategy - Integrate into the SDLC: Teach first (seccasts.com). Design. Test, test, test. Start over.
Defense Library Security Security Middleware Helmet.js Kraken.js
NPM 343 new modules/day
Node Security Project
Malicious Packages
retire.js
RequireSafe
Helmet.js: crossdomain.xml, CSP (Content Security Policy), X-Powered-By, nosniff, frame guard, xssfilter, HPKP, HSTS, ienoopen, nocache
Kraken.js - Lusca: Cross Site Request Forgery (CSRF), Content Security Policy (CSP), X-Frame-Options, Platform for Privacy Preferences (P3P), HTTP Strict Transport Security (HSTS), X-XSS-Protection
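What the Helmet.js and Lusca feature lists above amount to on the wire, as an added example that is neither library's code: the response headers set by hand against a Node response object, with the framework banner removed rather than advertised. The header values are common defaults chosen for the example (the CSP in particular is a placeholder that must be tuned per application), and `fakeResponse` is a constructed stand-in for `http.ServerResponse` so the function can be exercised without a socket.

```javascript
// Header set mirroring the middleware features named on the slides.
// Values are example defaults; CSP and HSTS need per-application tuning.
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",                      // CSP (placeholder policy)
  'X-Content-Type-Options': 'nosniff',                                   // nosniff
  'X-Frame-Options': 'SAMEORIGIN',                                       // frame guard / X-Frame-Options
  'X-XSS-Protection': '1; mode=block',                                   // xssfilter / X-XSS-Protection
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',    // HSTS
  'X-Download-Options': 'noopen',                                        // ienoopen
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate', // nocache
  'Pragma': 'no-cache',
  'Expires': '0',
};

// Apply the header set to a response and strip the stack banner.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  // Express adds X-Powered-By by default; remove it instead of announcing the stack.
  res.removeHeader('X-Powered-By');
  return res;
}

// Constructed stand-in for http.ServerResponse (case-insensitive header names).
function fakeResponse() {
  const headers = { 'x-powered-by': 'Express' };
  return {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    removeHeader: (name) => { delete headers[name.toLowerCase()]; },
    getHeader: (name) => headers[name.toLowerCase()],
    headerNames: () => Object.keys(headers),
  };
}

// With the real http module this would be:
// http.createServer((req, res) => { applySecurityHeaders(res); res.end('ok'); })
```

The point of listing the headers out longhand is review, not replacement of the libraries: when a scanner reports a missing header, this table is what to compare the deployed responses against.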
Defense Tools - Static Code Analysis JSPrime ScanJS HP Fortify IBM AppScan Source
Defense JSPrime - Static Code Analysis
Defense ScanJS - Static Code Analysis
Defense ScanJS - Static Code Analysis DEPRECATED
Tools Weaknesses: Geared towards single pages/files. Only effective at finding specific vulnerabilities. False positives (Fortify/AppScan/Veracode).
Conclusion: Security is hard, try harder
Questions?
Thank you @sethlaw - Seth Law seth@nvisium.com