Fosdem Testing Node Security

The document presents a comprehensive overview of Node.js security, highlighting various npm security packages and tools for testing Node.js applications. It discusses vulnerabilities such as XSS and CSRF attacks, along with mitigation strategies like using Helmet and express-validator. Additionally, it provides references to resources and GitHub repositories for further learning and exploration of Node.js security practices.

Uploaded by

javalo1871

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

3 views45 pages

Fosdem Testing Node Security

Uploaded by

javalo1871

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 45

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/338825372

Hacking NodeJS applications for fun and proﬁt

Presentation · February 2019

DOI: 10.13140/RG.2.2.34059.44322

CITATIONS READS

0 4,963

1 author:

José Manuel Ortega

University of Alicante
54 PUBLICATIONS 16 CITATIONS

SEE PROFILE

All content following this page was uploaded by José Manuel Ortega on 25 January 2020.

The user has requested enhancement of the downloaded file.

Hacking NodeJS
applications for fun
and profit
Testing NodeJS Security

by @jmortegac
Agenda

▪ Introduction nodejS security

▪ Npm security packages
▪ Node Goat project
▪ Tools
Node JS
▪ JavaScript in the backend
▪ Built on Chrome´s Javascript runtime(V8)
▪ NodeJs is based on event loop
▪ Designed to be asynchronous
▪ Single Thread
▪ Node.js is resilient to flooding attacks since
there’s no limit on the number of concurrent requests.
Security https://expressjs.com/en/advance
d/security-updates.html
updates
Package https://www.npmjs.com/advisories
vulnerabilities
▪ Helmet
Npm ▪ express-session
security ▪ cookie-session
packages ▪ csurf
▪ express-validator
▪ bcrypt-node
▪ express-enforces-ssl
Security HTTP
Headers ▪ Strict-Transport-Security
▪ X-Frame-Options
▪ X-XSS-Protection
▪ X-Content-Type-Options
▪ Content-Security-Policy
▪ https://www.npmjs.com/package
Helmet module /helmet
▪ https://github.com/helmetjs/helmet

Helmet module
▪ hidePoweredBy
Helmet module ▪ Hpkp→protection MITM
▪ Hsts→forces https
connections
▪ noCache→desactive client
cache
▪ Frameguard→protection
clickjacking
▪ xssFilter→protection XSS
Helmet CSP
▪ http://cyh.herokuapp.com/cyh
Check headers ▪ https://securityheaders.io/
security
Express ▪ https://www.shodan.io/
versions search?query=express
Disable
x-powered-by
Disable ▪ Avoid framework
x-powered-by fingerprinting
Disable ▪ Use Helmet and use
“hide-powered-by” plugin
x-powered-by
▪ https://www.npmjs.com/pack
Sessions
age/cookie-session
management
▪ secure
▪ httpOnly
▪ domain
▪ path
▪ expires
httpOnly &
secure:true
XSS attacks
▪ An attacker can exploit XSS vulnerability to:
▪ Steal session cookies/Sesion hijacking
▪ Redirect user to malicious sites
▪ Defacing and content manipulation
▪ Cross Site Request forgery
CSRF attacks
https://www.npmjs.com/package/csurf
app.use(function (request, response, next) {
CSRF response.locals.csrftoken =
request.csrfToken();
next();
});

<form action="/process" method="POST">

<input type="hidden" name="_csrf"
value="{{csrfToken}}">
<button type="submit">Submit</button>
</form>
CSRF
Filter/sanitize user input

▪ Fixing XSS attacks

▪ https://www.npmjs.com/package/sanitizer

▪ Module express-validator
▪ https://www.npmjs.com/package/express-validator
Express
Validator
▪ https://github.com/kelektiv/node.bcrypt.js

Bcrypt-node
▪ http://nodegoat.herokuapp.com
Node Goat /tutorial
▪ https://github.com/OWASP/Node
Node Goat Goat
res.end(require('fs').read
EVAL() dirSync('.').toString())
ATTACKS
Insecure Direct ▪ Use session instead of
Object request param
References ▪ var userId =
req.session.userId;
Tools
▪ KrakenJS
▪ Lusca
middleware
▪ NodeJsScan
http://krakenjs.com/
https://github.com/krakenjs/lusca
▪ https://github.com/ajinabra
NodeJsScan ham/NodeJsScan
NodeJsScan https://github.com/jmorteg
a/NodeJsScan/blob/maste
r/rules.xml
NodeJsScan
GitHub repositories

▪ https://github.com/jmortega/testing_nodejs_security
▪ https://github.com/cr0hn/vulnerable-node
▪ https://github.com/rdegges/svcc-auth
▪ https://github.com/strongloop/loopback-getting-start
ed-intermediate
▪ https://github.com/Feeld/strong-node
Node security ▪ https://www.udemy.com/nodejs-security-
pentesting-and-exploitation/
learning
Books
References
▪ https://blog.risingstack.com/node-js-security-checklist/
▪ https://blog.risingstack.com/node-js-security-tips/
▪ https://www.npmjs.com/package/helmet
▪ https://expressjs.com/en/advanced/best-practice-security.html
▪ https://expressjs.com/en/advanced/security-updates.html
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goa
t_Project

View publication stats

NodeJS Security for Developers
No ratings yet
NodeJS Security for Developers
45 pages
Node - Js Security
No ratings yet
Node - Js Security
17 pages
MG-Develop A Backend Application Using Node Js
No ratings yet
MG-Develop A Backend Application Using Node Js
16 pages
Learning Node - Js For Mobile Application Development - Sample Chapter
No ratings yet
Learning Node - Js For Mobile Application Development - Sample Chapter
27 pages
Backend-User Authentication and Authorization (Node and Express)
No ratings yet
Backend-User Authentication and Authorization (Node and Express)
14 pages
Fa-3 MCQ by Abhishek Dhawan
No ratings yet
Fa-3 MCQ by Abhishek Dhawan
37 pages
Vol 6 Issue 5 M 07 PDF
No ratings yet
Vol 6 Issue 5 M 07 PDF
6 pages
Express Js
No ratings yet
Express Js
17 pages
Backend Development With Node - Js & Express - Js
100% (1)
Backend Development With Node - Js & Express - Js
3 pages
GFG Express Js
No ratings yet
GFG Express Js
26 pages
Lecture 10 User Authentication and Authorization
No ratings yet
Lecture 10 User Authentication and Authorization
43 pages
SWDBD401 - Backend Application Development
No ratings yet
SWDBD401 - Backend Application Development
28 pages
Nodejs Express Notes
No ratings yet
Nodejs Express Notes
7 pages
Node - Js Blueprints: Chapter No. 1 "Common Programming Paradigms"
No ratings yet
Node - Js Blueprints: Chapter No. 1 "Common Programming Paradigms"
23 pages
Tal L. Essential Node - Js Security For Express Web Applications 2023
No ratings yet
Tal L. Essential Node - Js Security For Express Web Applications 2023
140 pages
02 Session
No ratings yet
02 Session
45 pages
Unit 5 - Part II
No ratings yet
Unit 5 - Part II
66 pages
200+ MCQ Questions On Entire CHO Topics
No ratings yet
200+ MCQ Questions On Entire CHO Topics
42 pages
CH 6 and 7
No ratings yet
CH 6 and 7
9 pages
MSD Assignment 2
No ratings yet
MSD Assignment 2
28 pages
Building Scalable Apps With Redis and Node - Js Sample Chapter
No ratings yet
Building Scalable Apps With Redis and Node - Js Sample Chapter
44 pages
Node JS Ai Kit
No ratings yet
Node JS Ai Kit
13 pages
Lecture #13. ExpressJS. Web App Testing
No ratings yet
Lecture #13. ExpressJS. Web App Testing
36 pages
Question Answer
No ratings yet
Question Answer
3 pages
Node Collate
No ratings yet
Node Collate
110 pages
Building Microservices With Node - Js
No ratings yet
Building Microservices With Node - Js
16 pages
Mongo DB
No ratings yet
Mongo DB
14 pages
NodeTOC Final
No ratings yet
NodeTOC Final
2 pages
Web Based Chat Application Corrected
No ratings yet
Web Based Chat Application Corrected
24 pages
Rick L. - Express - Js - Guide Book On Web Framework For Node - Js (2016)
No ratings yet
Rick L. - Express - Js - Guide Book On Web Framework For Node - Js (2016)
143 pages
Node Js For Beginners 1.0
No ratings yet
Node Js For Beginners 1.0
2 pages
M5 - Securing Node-Based Application
No ratings yet
M5 - Securing Node-Based Application
8 pages
NodeJS Practicals Dax Patel Cleaned
No ratings yet
NodeJS Practicals Dax Patel Cleaned
4 pages
Node Interview Q Ans
No ratings yet
Node Interview Q Ans
9 pages
Part 1 & 2 Backend Manual
No ratings yet
Part 1 & 2 Backend Manual
8 pages
Node.js Security for Developers
No ratings yet
Node.js Security for Developers
54 pages
WINSEM2024-25 BITE304L TH VL2024250503415 2025-02-13 Reference-Material-I
No ratings yet
WINSEM2024-25 BITE304L TH VL2024250503415 2025-02-13 Reference-Material-I
27 pages
The Ultimate Guide To Node - JS, MongoDB, and Express Learn To Build Modern and Scalable Web Applications From Scratch (Web... (D. Truman, Neo) (Z-Library)
No ratings yet
The Ultimate Guide To Node - JS, MongoDB, and Express Learn To Build Modern and Scalable Web Applications From Scratch (Web... (D. Truman, Neo) (Z-Library)
159 pages
MERN 70 Interview
No ratings yet
MERN 70 Interview
25 pages
7719-Article Text-13770-1-10-20210615
No ratings yet
7719-Article Text-13770-1-10-20210615
6 pages
Question 2
No ratings yet
Question 2
53 pages
CH 5
No ratings yet
CH 5
8 pages
Backend and Nodejs Answers
No ratings yet
Backend and Nodejs Answers
2 pages
Node.js Async I/O & REST Guide
No ratings yet
Node.js Async I/O & REST Guide
8 pages
Domain: Student: Roll No: Company: Location: Tutor: Internship Duration
No ratings yet
Domain: Student: Roll No: Company: Location: Tutor: Internship Duration
17 pages
Nodejs Security Handbook
No ratings yet
Nodejs Security Handbook
28 pages
Grand Monty
No ratings yet
Grand Monty
11 pages
Node.js MCQs: Interview Prep Guide
No ratings yet
Node.js MCQs: Interview Prep Guide
9 pages
Wa0030.
No ratings yet
Wa0030.
22 pages
FSD Mod 1
No ratings yet
FSD Mod 1
17 pages
Introduction To Express - Js
No ratings yet
Introduction To Express - Js
9 pages
Node Js
100% (1)
Node Js
51 pages
Social Network Security Record
100% (1)
Social Network Security Record
70 pages
Full Stack Short Notes
No ratings yet
Full Stack Short Notes
15 pages
Backend Notes
No ratings yet
Backend Notes
116 pages
BTS & BSC Structure
No ratings yet
BTS & BSC Structure
104 pages
Bypass AMSI by Manual Modification S3cur3Th1sSh1t
No ratings yet
Bypass AMSI by Manual Modification S3cur3Th1sSh1t
9 pages
Speaker Notes: Ecommerce Marketing Summit
No ratings yet
Speaker Notes: Ecommerce Marketing Summit
7 pages
Robot ICT - RPA E-Book
No ratings yet
Robot ICT - RPA E-Book
45 pages
ST - Module 1: What Is Software Testing
No ratings yet
ST - Module 1: What Is Software Testing
30 pages
MCRNC Architecture Introduction: Slah Boubaker 2017/02 RTSC Tunisia
No ratings yet
MCRNC Architecture Introduction: Slah Boubaker 2017/02 RTSC Tunisia
33 pages
Green IT Strategies and Applications Using Environmental Intelligence Advanced Emerging Communications Technologies 1st Edition Bhuvan Unhelkar Download
No ratings yet
Green IT Strategies and Applications Using Environmental Intelligence Advanced Emerging Communications Technologies 1st Edition Bhuvan Unhelkar Download
52 pages
Top-K Graph Mining Algorithm
No ratings yet
Top-K Graph Mining Algorithm
18 pages
Colour 2
No ratings yet
Colour 2
18 pages
Gee3 Midterm New
No ratings yet
Gee3 Midterm New
28 pages
IT Internship Report at Jongo Hub
No ratings yet
IT Internship Report at Jongo Hub
29 pages
HOLIDAY HOMEWORK Class New10th
No ratings yet
HOLIDAY HOMEWORK Class New10th
4 pages
PCB Checking 3
No ratings yet
PCB Checking 3
9 pages
How To 10x Your Productivity: Getting Things Done (GTD)
100% (3)
How To 10x Your Productivity: Getting Things Done (GTD)
24 pages
VSD Service Switch Troubleshooting
No ratings yet
VSD Service Switch Troubleshooting
10 pages
Classification and Prediction Guide
No ratings yet
Classification and Prediction Guide
98 pages
Certifikaty T10-G3
No ratings yet
Certifikaty T10-G3
1 page
Q L Series Programming Manual
No ratings yet
Q L Series Programming Manual
1,646 pages
Leetcode Revision
No ratings yet
Leetcode Revision
4 pages
WTA WorkForce API Specs Guide - 18.3
No ratings yet
WTA WorkForce API Specs Guide - 18.3
508 pages
Ethernet LAN Switching
No ratings yet
Ethernet LAN Switching
4 pages
Backpropagation - Theory, Architectures, and Applications (1) - 1-100
No ratings yet
Backpropagation - Theory, Architectures, and Applications (1) - 1-100
100 pages
sl-m4530nd m4530nx PC v01
No ratings yet
sl-m4530nd m4530nx PC v01
32 pages
Os Unit-3 (Bca)
No ratings yet
Os Unit-3 (Bca)
19 pages
Proj 2. Basic Static Techniques (20 Pts + 20 Pts Extra)
No ratings yet
Proj 2. Basic Static Techniques (20 Pts + 20 Pts Extra)
8 pages
Hik-Connect For Teams Portal: User Manual
No ratings yet
Hik-Connect For Teams Portal: User Manual
274 pages
Hand Programming Apollo Al924
No ratings yet
Hand Programming Apollo Al924
2 pages
Amarisoft Software Install Guide
No ratings yet
Amarisoft Software Install Guide
21 pages
Network Programming Paradigm Notes
No ratings yet
Network Programming Paradigm Notes
14 pages
Price
No ratings yet
Price
152 pages