Node.js Security …trolololol

Upload: jason-ross

Post on 15-Feb-2017


TRANSCRIPT

Page 1: Nodejs Security

Node.js Security

…trolololol

Page 2: Nodejs Security

about.me

• break things for fun and profit

• sometimes I talk about stuff

• involved in various groups

• <3 ROC hacker community

Page 3: Nodejs Security

most importantly

Page 4: Nodejs Security

node.js

• a JavaScript runtime built on Google’s V8 JavaScript engine

• uses an event-driven, non-blocking I/O model

• npm package repo claims to be the largest ecosystem of open source libraries in the world

Page 5: Nodejs Security

V8 engine runtime

• written in C++

• implements ECMA script standard ECMA-262

• same engine the chrome browser uses for JavaScript processing

Page 6: Nodejs Security

installation

• don’t apt-get install

• download the tarball

• untar it $someplace

• add $someplace/<nodedir>/bin to your path

Page 7: Nodejs Security

starting a project

• npm init <demo>

• or don’t

Page 8: Nodejs Security

things to know

• node.js is NOT a web framework.

• It’s an application server

• think Tomcat or Zend

• not Rails or Django

• you know that, devops don’t care

Page 9: Nodejs Security

express.js web framework

• modeled after the ruby ‘Sinatra’ project

• most widely used node framework

• easy to work with, lots of examples

• creating servers is easy

Page 10: Nodejs Security

sample hello

var express = require('express');
var app = express();

app.get('/', function (req, res) {
  res.send('Hello World!');
});

var server = app.listen(3000, function () {
  console.log('app listening on port 3000');
});

Page 11: Nodejs Security

other frameworks?

• koa

  • only framework that embraces ES6 fully

  • less robust than express, and not as tested

• hapi

  • built for complex apps, has big.corp support (Walmart)

  • less mature than express, heavier dev investment requirements

Page 12: Nodejs Security

what about $myFavorite.js?

• express / koa / hapi: server side, designed to manage the application engine

• angular / ember / backbone / omgsomany: client-side JavaScript frameworks, implement MVC or PAC methods

Page 13: Nodejs Security

moar demo

Page 14: Nodejs Security

security risks

• npm makes it easy to add things

  • tough to track dependencies

  • repo is open, anyone can add modules

  • vulns in vendor libs == app.pwnd

• package.json may get stale

  • as libs are updated, version info may not change

  • lib patches that you ignore == app.pwnd

Page 15: Nodejs Security

OMG! XSS! ON THA SERVER!

• we can inject commands & stuff right?

• not really a concern, because this is server-side

• client input isn’t parsed in the server code

• not shelling out to command line

• options that get parsed come from:

  • env vars

  • config files

  • sometimes eval(), but that’s very uncommon

Page 16: Nodejs Security

node security tools

• helmet.js

  • framework makes it easy to remove common vectors like XSS, CSRF, cache snarfing, and clickjacking

var helmet = require('helmet');
app.use(helmet.xssFilter());
app.use(helmet.noCache());
app.use(helmet.noSniff());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
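The five helmet calls on this slide each boil down to setting or removing one or more response headers. The block below is an added example, not code from the talk or from the helmet project: a hand-rolled middleware that sets the same headers helmet's defaults set at the time (the exact header values are an assumption based on those defaults), plus a fake response object so the effect can be checked without installing express or helmet.

```javascript
// Added example: what helmet.xssFilter / noCache / noSniff / frameguard /
// hidePoweredBy do under the hood, written by hand. Header values assume
// helmet's default settings; this is not helmet's own code.

// Express-style middleware: (req, res, next). Sets the protective headers
// in the same order as the slide's helmet calls and strips X-Powered-By.
function securityHeaders(req, res, next) {
  // helmet.xssFilter(): ask older browsers to block reflected XSS
  res.setHeader('X-XSS-Protection', '1; mode=block');
  // helmet.noCache(): stop intermediaries and browsers caching responses
  res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
  res.setHeader('Pragma', 'no-cache');
  res.setHeader('Expires', '0');
  res.setHeader('Surrogate-Control', 'no-store');
  // helmet.noSniff(): no MIME sniffing of responses
  res.setHeader('X-Content-Type-Options', 'nosniff');
  // helmet.frameguard(): default is SAMEORIGIN, blocks clickjacking frames
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  // helmet.hidePoweredBy(): remove the "X-Powered-By: Express" fingerprint
  res.removeHeader('X-Powered-By');
  if (typeof next === 'function') next();
}

// Minimal stand-in for http.ServerResponse: just enough to observe headers.
// Starts with X-Powered-By set, because express adds it by default.
function fakeResponse() {
  var headers = { 'x-powered-by': 'Express' };
  return {
    setHeader: function (name, value) { headers[name.toLowerCase()] = value; },
    removeHeader: function (name) { delete headers[name.toLowerCase()]; },
    getHeader: function (name) { return headers[name.toLowerCase()]; },
    headers: headers
  };
}

// Run the middleware once and return the resulting header map.
function headersAfterMiddleware() {
  var res = fakeResponse();
  securityHeaders({}, res, function () {});
  return res.headers;
}

// Optional live check without express: DEMO_PORT=3000 node this-file.js,
// then `curl -i http://localhost:3000/` to see the headers on the wire.
if (process.env.DEMO_PORT) {
  require('http').createServer(function (req, res) {
    securityHeaders(req, res);
    res.end('Hello World!');
  }).listen(Number(process.env.DEMO_PORT));
}
```

In an express app the same function mounts with `app.use(securityHeaders)`, exactly where the slide's `app.use(helmet.xssFilter())` line sits; mounting it before the routes matters, since a route that has already called `res.send()` cannot have headers added afterwards.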

Page 17: Nodejs Security

helmet makes us safer

Page 18: Nodejs Security

nodesecurity.io

• flags included packages with known vulnerabilities

• can be used automagically with grunt

grunt.loadNpmTasks('grunt-nsp-package');
grunt.loadNpmTasks('grunt-nsp-shrinkwrap');

grunt.registerTask('nsp-package', 'Validates package.json with nodesecurity.io', 'validate-package');

grunt.registerTask('nsp-shrinkwrap', 'Validates shrinkwrap.json with nodesecurity.io', 'validate-shrinkwrap');

Page 19: Nodejs Security

nsp-package example

Page 20: Nodejs Security

NodeJs Scan

• python tool to scan node.js static code

• problem: node is JavaScript, and is dynamic

• that makes it tough to analyze code

• still does a decent job of trying

Page 21: Nodejs Security

demo++;

Page 22: Nodejs Security

preso.quit();