Node - Js Security

The document discusses security best practices for web applications built with Node.js. It provides an overview of Node.js and its features. It then discusses OWASP Node Goat, an intentionally insecure Node.js app used to demonstrate vulnerabilities. Main libraries like Express and MongoDB are explained. The OWASP Top 10 security risks are covered in detail, along with recommendations to address each one when developing Node.js apps. These include using encryption, access control, CSRF protection, and keeping dependencies up to date. Scanning for vulnerabilities with tools like nsp is advised.

Phillip Chaffee

July 7th, 2015

Node.js Security
Security for web servers written in Javascript
Node.js Overview

 JavaScript runtime for writing servers
 Built on Google Chrome’s JavaScript engine, V8
 Event driven
 Non-blocking I/O model
 Written in C++ (the runtime core and V8), with much of the standard library in JavaScript
OWASP Node Goat

What is it?

 Node Goat is a purposefully flawed application developed using Node.js.
 Made to be hacked/fixed to learn the OWASP top 10 for Node.js.
 Source code comments are very helpful

How to use it

 Either
   Fork and deploy (Heroku)
   Fork, clone, and run locally
 Open the source code
 Follow the walkthrough
Main Libraries Used in Node Goat

 ExpressJS
   Node.js web framework
   Node itself is very low level
   Needs a framework to sit on top of it to handle routing, middleware and request parsing

 MongoDB
   A NoSQL database whose console is a JavaScript shell
   Stores data as JSON-like documents (BSON)

 Swig
   A server-side template engine: it renders HTML pages from templates and the data the app injects into them, which is where output encoding matters
OWASP Top 10
A1 - Injection
A2 – Broken Auth

 Passwords must never be stored in plain text; the password field needs a salted, deliberately slow one-way hash, not reversible encryption

 NPM to the rescue
   Bcrypt (the bcrypt package hashes with a per-password salt and a tunable work factor)
A3 - XSS

 Not much different than in a non-Node.js app

 Validate all inputs
 Use the correct output encoding for the context (HTML body, attribute, URL, JavaScript)
 Set HttpOnly on the session cookie and on any cookie not needed by JavaScript, so a script injected by XSS cannot read it
 Use the built-in Express middleware for session management
   app.use(express.session({ secret: sessionSecret, cookie: { httpOnly: true } }));
   (Express 3; in Express 4 the middleware moved to the express-session package, so require('express-session') instead of express.session)
A4 – Insecure Direct Object References

 Take the user’s identity from the server-side session, never from a request parameter such as /allocations/:userId

 Also
   Check that the current user is allowed to access the object before returning it
   Use indirect references (a per-session or per-user index) in place of raw database ids, so a client cannot enumerate other users’ objects
A5 - Misconfiguration

 Node.js configuration tips

 Use the latest stable versions of Node.js and of all major packages being used
 Lock all npm package versions (npm shrinkwrap / a lockfile), so a deploy installs exactly what was tested
 Use HTTP request body limiting middleware, so oversized bodies cannot exhaust memory
 Never run an application with root privileges

 Helmet
   Helmet is a great node package that bundles together a lot of the security HTTP headers and configuration you will need
A6 – Sensitive Data

 Use the secure HTTPS protocol

   https.createServer(options, app) with the key and certificate in options

 Encrypt all sensitive data

   var crypto = require("crypto");

 Don’t store sensitive data longer than you need to

 Verify algorithm strength (avoid deprecated primitives such as MD5, SHA-1 and DES, and prefer an authenticated mode such as AES-GCM)
 Disable autocomplete on form fields that carry sensitive data
A7 – Missing Function Level Access Control

 Verify, on the server and for every request, that the current user has sufficient rights to view restricted areas; hiding the link in the UI is not a control
 ExpressJS middleware: put the check in a middleware function and mount it in front of the restricted routes
A8 – Cross-Site Request Forgery

 Malicious web pages make the victim’s browser send state-changing requests to your app with the victim’s session cookie attached

 ExpressJS provides middleware specifically for this (built in as express.csrf() in Express 3; in Express 4 it moved to the csurf package, so use require('csurf')() in its place)
   app.use(express.csrf());
   app.use(function(req, res, next) {
     res.locals.csrftoken = req.csrfToken();
     next();
   });
 The token in res.locals.csrftoken is rendered into each form as a hidden _csrf field so the middleware can check it on POST
A9 - Using Components with Known
Vulnerabilities

 Do not run any modules with root privileges

 Use the Node Security Project
   npm install nsp -g
   nsp check

 This scans the package.json file (and the installed dependency tree) and alerts you to any packages with known vulnerabilities
 nsp was later absorbed into npm and retired; on a current toolchain npm audit performs the same check against the lockfile
A10-Unvalidated Redirects and Forwards

 Avoid using redirects and forwards altogether

 If used, don’t build the destination from user-supplied parameters
 Otherwise, validate the destination (same origin or an allowlist) and check that the current user is allowed to reach it
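An added example, not from the slides, of the two options above: mapping a short name to a fixed path so no user-supplied URL is ever used, and, where a URL must be accepted, validating it as same-origin. It parses the candidate against the app's own origin so that the usual bypasses (protocol-relative //evil.com, a backslash instead of a slash, an absolute https://evil.com, a javascript: URL) all resolve to a foreign origin and are refused. The application origin and the named targets are assumptions of this example.

```javascript
// Added example, not the slide author's code: validating a redirect target
// instead of passing a request parameter straight to res.redirect().

// ASSUMPTION: the origin the app is served from.
const APP_ORIGIN = 'https://app.example';

// Option 1: never take a URL from the user. Map a short key to a fixed path.
const NAMED_TARGETS = { home: '/', profile: '/profile', dashboard: '/dashboard' };

function redirectByName(name, fallback = '/') {
  return Object.prototype.hasOwnProperty.call(NAMED_TARGETS, name) ? NAMED_TARGETS[name] : fallback;
}

// Option 2: accept a path, but resolve it against our own origin and refuse
// anything that ends up somewhere else. Returning only path + query + hash
// (never the parsed host) means the browser always stays on APP_ORIGIN.
function safeRedirectTarget(target, fallback = '/') {
  if (typeof target !== 'string' || target.length === 0) return fallback;
  let url;
  try {
    url = new URL(target, APP_ORIGIN);          // WHATWG parser: '\' is treated as '/'
  } catch (e) {
    return fallback;
  }
  if (url.origin !== APP_ORIGIN) return fallback; // //evil, https://evil, /\evil, javascript:
  return url.pathname + url.search + url.hash;
}

// The vulnerable shape: whatever ?next= says is where the user is sent.
function unsafeRedirectTarget(target) {
  return target;
}

module.exports = { redirectByName, safeRedirectTarget, unsafeRedirectTarget };
```

Hand the result of safeRedirectTarget to res.redirect(); the check on url.origin is what makes the parser, rather than a hand-written prefix test, responsible for recognising the bypass spellings.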
Conclusion

 ZAP (OWASP Zed Attack Proxy) still works great for testing

 It has its own npm package
   npm install zaproxy
   var ZapClient = require('zaproxy');
   var options = { proxy: 'http://localhost:4000' };
   var zaproxy = new ZapClient(options);

 Node.js is very low level, so security can be built as middleware

 Further reading/information
   https://github.com/PhillipChaffee/nodejs-security/blob/master/reading.md
Questions & Discussion
