wearefractal

Security that fights back.
2. Comparisons
3. Better than when Mork Zoonerberg invented Fezbook
4. Cooler than existing NodeJS security frameworks (Mac Zerkerberg)
5. WUTS DAT? THERE ARE NO SECURITY FRAMEWORKS
6. Why is Fusker so hot?
7. Modular design
8. Flexible
9. Easy integration
10. Written in Coffeescript
11. Funny as hell
12. Integration/Support
13. Can wrap Socket.IO
14. Compatible with UselessJS
15. Can be used as Connect/Express middleware
16. Easy to modify and integrate with any other frameworks
17. All your logs are belong to us
Logs are saved any time a request is detected. Socket and HTTP attacks are saved in separate files.
```
[- ATTACK DETAILS FOR Fri Aug 12 2011 19:28:33 GMT-0700 (MST) -]
--> Detective: SQLi-0
--> Request: GET /index.html?id=1'%20OR%20'1'='1'
--> IP: 127.0.0.1
[- END ATTACK DETAILS -]
```
18. Before switching to Fusker
```javascript
var http = require('http');
var url = require('url');
var sys = require('sys');
var fs = require('fs');
var path = require('path');
var socketio = require('socket.io'); // the slide omits this require but calls socketio.listen below

var serv = http.createServer(function (req, res) {
  // Serve whatever path the client asked for, defaulting to index.html
  var file = url.parse(req.url).pathname;
  if (file === '/') {
    file = '/index.html';
  }
  fs.readFile(file, function (err, data) {
    if (!err) {
      res.writeHead(200);
      res.write(data, 'utf8');
      res.end();
    } else {
      // The slide's version never answered on a read error and left the connection open
      res.writeHead(404);
      res.end();
    }
  });
});
serv.listen(8080);
var io = socketio.listen(serv);
```
19. After switching to Fusker
```javascript
var fusker = require('fusker');
var server = fusker.http.createServer(8080);
var io = fusker.socket.listen(server);
```
20. Slick Diagram
21. Detectives
22. If a pattern matches the module can call the attack manager
23. Fusker can also treat 404s as a threat to punish people who are snooping around your server
24. Payloads
25. Payloads have access to the request and response objects so you can do fun stuff like redirects or even send back browser exploits
26. The blacklist payload will add users to a blacklist and drop all future incoming requests
27. Configuration
```javascript
fusker.config.dir = process.cwd();
fusker.config.banLength = 1;
fusker.config.verbose = true;
fusker.http.detectives.push('csrf', 'xss', 'sqli', 'lfi', '404');
fusker.http.payloads.push('blacklist', 'bush');
fusker.socket.detectives.push('xss', 'sqli', 'lfi');
fusker.socket.payloads.push('blacklist');
```
28. DIY Detectives
```javascript
var fusker = require('fusker'); // the slide omits this; fusker.patterns and fusker.http are used below

// Walk the built-in LFI pattern list against the raw request URL
exports.check = function (req, res) {
  for (var i = fusker.patterns.lfi.length - 1; i >= 0; --i) {
    if (fusker.patterns.lfi[i].test(req.url)) {
      // Hand the request to the attack manager, tagged with family name and pattern index
      fusker.http.handleAttack('LFI-' + i, req, res);
      return;
    }
  }
};
```
29. Loop through them and test against incoming data
30. Call handleAttack if a test is positive
31. DIY Payloads
32. Lots of fun to be had messing with people trying to hack you
```javascript
// Payload: redirect the detected client elsewhere
exports.run = function (req, res) {
  res.writeHead(302, {'Location': 'http://nyan.cat/'});
  res.end();
};
```
33. Take a HWAK at it
You think you're a raw dog? You think you can beat fusker? fusker.nodester.com Come at me bro.
34. Links
Fusker: https://github.com/wearefractal/Fusker
Other Projects: https://github.com/Contra
Twitter: @wearefractal
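The detective loop of slides 28-30 and the blacklist payload of slide 26, put together as an added example that is not Fusker's own code: the pattern lists, the ban bookkeeping and the log formatter are constructed here, since the deck does not show Fusker's real pattern tables or the inside of handleAttack. It also decodes the URL before matching, which the slide's detective does not; the logged sample attack arrives percent-encoded, so a pattern written with plain spaces misses the raw string.

```javascript
// Added example, not Fusker's code: pattern lists, ban bookkeeping and the
// log formatter are constructed to mirror the slides' detective/payload flow.
var patterns = {                                        // constructed, not Fusker's tables
  SQLi: [/'\s*(or|and)\s*'?\d*'?\s*=\s*'?\d/i, /union\s+select/i],
  LFI: [/\.\.\//, /\/etc\/passwd/i]
};
var config = { banLength: 1 };                          // minutes, as in the deck's config
var blacklist = new Map();                              // ip -> ban expiry (ms since epoch)

// Match against the decoded URL: the logged sample arrives as 1'%20OR%20'1'='1',
// which a pattern expecting spaces never sees in the raw string.
function normalize(rawUrl) {
  try { return decodeURIComponent(rawUrl); } catch (e) { return rawUrl; }
}

// The DIY detective loop, generalized over several pattern families.
// Returns an id like "SQLi-0" (family plus pattern index) or null.
function detect(rawUrl) {
  var target = normalize(rawUrl);
  var families = Object.keys(patterns);
  for (var f = 0; f < families.length; f++) {
    var list = patterns[families[f]];
    for (var i = 0; i < list.length; i++) {
      if (list[i].test(target)) return families[f] + '-' + i;
    }
  }
  return null;
}

// Attack record in the layout of the "All your logs" slide.
function formatAttack(detective, method, rawUrl, ip, when) {
  return ['[- ATTACK DETAILS FOR ' + when + ' -]', '--> Detective: ' + detective,
          '--> Request: ' + method + ' ' + rawUrl, '--> IP: ' + ip,
          '[- END ATTACK DETAILS -]'].join('\n');
}

// Blacklist payload bookkeeping: a ban lasts banLength minutes; expired bans are dropped lazily.
function isBanned(ip, now) {
  var until = blacklist.get(ip);
  if (until === undefined) return false;
  if (now >= until) { blacklist.delete(ip); return false; }
  return true;
}

// One request through the pipeline. Returns 'dropped' for a banned source,
// the log record when a detective fires (and bans the source), else 'ok'.
function handleRequest(req, now) {
  if (isBanned(req.ip, now)) return 'dropped';
  var id = detect(req.url);
  if (id === null) return 'ok';
  blacklist.set(req.ip, now + config.banLength * 60 * 1000);
  return formatAttack(id, req.method, req.url, req.ip, new Date(now).toUTCString());
}
```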