jason-ross
Node.js Security
…trolololol
about.me
• break things for fun and profit
• sometimes I talk about stuff
• involved in various groups
• <3 ROC hacker community
most importantly
node.js
• a JavaScript runtime built on Google’s V8 JavaScript engine
• uses an event-driven, non-blocking I/O model
• npm package repo claims to be the largest ecosystem of open source libraries in the world
V8 engine runtime
• written in C++
• implements ECMA script standard ECMA-262
• same engine the chrome browser uses for JavaScript processing
installation
• don’t apt-get install
• download the tarball
• untar it $someplace
• add $someplace/<nodedir>/bin to your path
starting a project
• npm init<demo>
• or don’t
things to know
• node.js is NOT a web framework.
• It’s an application server
  • think Tomcat or Zend
  • not rails or Django
• you know that, devops don’t care
express.js web framework
• modeled after the ruby ‘Sinatra’ project
• most widely used node framework
• easy to work with, lots of examples
• creating servers is easy
sample hello
var express = require('express');
var app = express();

// one route: GET / answers with plain text
app.get('/', function (req, res) {
  res.send('Hello World!');
});

var server = app.listen(3000, function () {
  console.log('app listening on port 3000');
});
other frameworks?
• koa
  • only framework that embraces ES6 fully
  • less robust than express, and not as tested
• hapi
  • built for complex apps, has big.corp support (walmart)
  • less mature than express, heavier dev investment requirements
what about $myFavorite.js?
• express / koa / hapi
  • server side
  • designed to manage the application engine
• angular / ember / backbone / omgsomany
  • client-side JavaScript frameworks
  • implement MVC or PAC methods
moar demo
security risks
• npm makes it easy to add things
  • tough to track dependencies
  • repo is open, anyone can add modules
  • vulns in vendor libs == app.pwnd
• package.json may get stale
  • as libs are updated, version info may not change
  • lib patches that you ignore == app.pwnd
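The "package.json may get stale" point is easiest to see with a concrete check. The script below is an added example, not code from the slides: it reads a package.json (a constructed sample manifest is embedded) and reports every dependency whose version spec can float, meaning the version you tested against and the version `npm install` resolves next month can differ without package.json changing. The classification rules and the sample package names are my own assumptions for the demo.

```javascript
// Added example (not from the slides): audit a package.json for dependency
// specs that can silently drift to a different version than the one you
// tested against. The manifest below is constructed for the demo and is not
// a real project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: {
    express: '^4.13.0',      // caret: any 4.x >= 4.13.0
    helmet: '~0.9.0',        // tilde: any 0.9.x
    lodash: '*',             // anything at all
    debug: 'latest',         // dist-tag, can resolve differently on every install
    async: '1.5.2',          // exact pin
    leftpad: 'git+https://example.invalid/leftpad.git'  // git URL, no version at all
  },
  devDependencies: {
    grunt: '>=0.4.0',
    mocha: '2.3.4'
  }
});

// Classify a single version spec. Returns 'pinned' for exact versions and a
// short reason for anything that can float. Order matters: URL specs start
// with letters, so they are recognised before the dist-tag rule.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(s)) return 'pinned';
  if (/^(git\+|github:|https?:|file:)/.test(s) || /\//.test(s)) return 'url or path, no version';
  if (s === '' || s === '*' || s === 'latest' || /^[A-Za-z]/.test(s)) return 'any version / dist-tag';
  if (/^\^/.test(s)) return 'caret range';
  if (/^~/.test(s)) return 'tilde range';
  if (/^[<>=]/.test(s) || /\s/.test(s) || /\.x/.test(s)) return 'open range';
  return 'unrecognised';
}

// Walk dependencies and devDependencies and return every spec that is not
// an exact pin, with the section and reason so it can be triaged.
function findFloatingDeps(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const verdict = classifySpec(spec);
      if (verdict !== 'pinned') findings.push({ section, name, spec, verdict });
    }
  }
  return findings;
}

// Usage: node audit-deps.js (prints one line per floating dependency)
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findFloatingDeps(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.section}/${f.name} "${f.spec}": ${f.verdict}`);
  }
}
```

Floating specs are not wrong in themselves; the point is that a shrinkwrap (or lockfile) is what actually records which versions you shipped, which is why the nsp-shrinkwrap task later in the deck exists alongside nsp-package.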
OMG! XSS! ONTHASERVER!
• we can inject commands & stuff right?
• not really a concern, because this is server-side
• client input isn’t parsed in the server code
  • not shelling out to command line
• options that get parsed come from:
  • env vars
  • config files
  • sometimes eval() but that’s very uncommon
node security tools
• helmet.js
  • framework makes it easy to remove common vectors like XSS, CSRF, cache snarfing, and clickjacking

var helmet = require('helmet');
app.use(helmet.xssFilter());      // X-XSS-Protection
app.use(helmet.noCache());        // Cache-Control / Pragma / Expires
app.use(helmet.noSniff());        // X-Content-Type-Options: nosniff
app.use(helmet.frameguard());     // X-Frame-Options (clickjacking)
app.use(helmet.hidePoweredBy());  // drop X-Powered-By: Express
helmet makes us safer
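To make "helmet makes us safer" checkable rather than a slogan, here is an added example (my code, not helmet's and not from the slides) that sets the same response headers the middlewares above are responsible for, on a plain Node http response with no express or helmet installed, and an audit function that reports which of them are missing from any header set you hand it (for instance one captured from a live server). The exact header values are my assumption of what those helmet middlewares emit; compare against the helmet version you actually install.

```javascript
// Added example (not from the slides, not helmet's own code): the headers
// the helmet middlewares on the previous slide are there to produce, applied
// by hand, plus an audit that reports what a given response is missing.
// Header values are assumed from helmet's documented defaults, not copied
// from its source.
const HARDENING_HEADERS = {
  'x-content-type-options': 'nosniff',                                        // noSniff
  'x-frame-options': 'SAMEORIGIN',                                            // frameguard default
  'x-xss-protection': '1; mode=block',                                        // xssFilter
  'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',   // noCache
  pragma: 'no-cache',                                                         // noCache
  expires: '0',                                                               // noCache
};

// Return a new header object with the hardening headers added and
// X-Powered-By removed (hidePoweredBy). Keys are lower-cased, which is how
// Node treats header names anyway.
function hardenHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== 'x-powered-by') out[k.toLowerCase()] = v;
  }
  Object.assign(out, HARDENING_HEADERS);
  return out;
}

// List every hardening header that is absent or has an unexpected value,
// and flag a server that still advertises itself via X-Powered-By.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const problems = [];
  for (const [name, want] of Object.entries(HARDENING_HEADERS)) {
    if (!(name in lower)) problems.push(`missing ${name}`);
    else if (lower[name] !== want) problems.push(`${name} is "${lower[name]}", expected "${want}"`);
  }
  if ('x-powered-by' in lower) problems.push('x-powered-by still present');
  return problems;
}

// Constructed sample: the headers an out-of-the-box express app sends.
const DEFAULT_EXPRESS_HEADERS = {
  'X-Powered-By': 'Express',
  'Content-Type': 'text/html; charset=utf-8',
};

// A bare http server that uses the helper, so the effect can be seen with
// curl -I http://localhost:3000/ without express or helmet installed.
function createHardenedServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const headers = hardenHeaders({ 'Content-Type': 'text/plain' });
    for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
    res.end('Hello World!');
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('default express response:', auditHeaders(DEFAULT_EXPRESS_HEADERS));
  console.log('hardened response:', auditHeaders(hardenHeaders(DEFAULT_EXPRESS_HEADERS)));
  createHardenedServer().listen(3000, () => console.log('listening on 3000'));
}
```

The audit half is the useful bit in practice: run it against the headers your deployed app actually returns, not against what the code says it configures, since a reverse proxy or a later middleware can strip or overwrite any of these.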
nodesecurity.io
• flags included packages with known vulnerabilities
• can be used automagically with grunt
grunt.loadNpmTasks('grunt-nsp-package');
grunt.loadNpmTasks('grunt-nsp-shrinkwrap');

grunt.registerTask('nsp-package', 'Validates package.json with nodesecurity.io', 'validate-package');
grunt.registerTask('nsp-shrinkwrap', 'Validates shrinkwrap.json with nodesecurity.io', 'validate-shrinkwrap');
nsp-package example
NodeJs Scan
• python tool to scan node.js static code
• problem: node is JavaScript, and is dynamic
• that makes it tough to analyze code
• still does a decent job of trying
demo++;
preso.quit();