Testing Node Security

This document discusses security testing for Node.js applications. It introduces common Node.js vulnerabilities and security packages like Helmet that add HTTP headers. It also covers session and input validation, CSRF attacks, and tools like NodeGoat for testing vulnerabilities. Recommendations are given around using HTTPS, disabling X-Powered-By headers, hashing passwords, and avoiding insecure deserialization.

Uploaded by Laars

Hacking NodeJS applications for fun and profit

Testing NodeJS Security

by @jmortegac
Agenda

▪ Introduction to Node.js security
▪ Npm security packages
▪ Node Goat project
▪ Tools
Node JS

▪ JavaScript in the backend
▪ Built on Chrome's JavaScript runtime (V8)
▪ Node.js is based on an event loop
▪ Designed to be asynchronous
▪ Single thread
▪ Node.js is resilient to flooding attacks since there's no limit on the number of concurrent requests.
Security updates
▪ https://expressjs.com/en/advanced/security-updates.html

Package vulnerabilities
▪ https://www.npmjs.com/advisories
Npm security packages

▪ Helmet
▪ express-session
▪ cookie-session
▪ csurf
▪ express-validator
▪ bcrypt-node
▪ express-enforces-ssl
Security HTTP Headers

▪ Strict-Transport-Security
▪ X-Frame-Options
▪ X-XSS-Protection
▪ X-Content-Type-Options
▪ Content-Security-Policy

Helmet module
▪ https://www.npmjs.com/package/helmet
▪ https://github.com/helmetjs/helmet

Helmet module

▪ hidePoweredBy
▪ hpkp → protection against MITM
▪ hsts → forces HTTPS connections
▪ noCache → disables the client cache
▪ frameguard → protection against clickjacking
▪ xssFilter → protection against XSS

Helmet CSP
Check headers security
▪ http://cyh.herokuapp.com/cyh
▪ https://securityheaders.io/

Express versions
▪ https://www.shodan.io/search?query=express
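As an added example (not code from the slides or from Helmet), the middleware below sets the headers listed above and an audit helper reports, like the header checkers above, which ones a response lacks and whether X-Powered-By still reveals the framework. Only Node built-ins are used; the header values are assumed baselines, not Helmet's exact output.

```javascript
// Baseline values (assumed reasonable defaults, not Helmet's exact output).
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-XSS-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'",
};
// Middleware: add the protective headers and drop X-Powered-By (the Express fingerprint).
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By');
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  next();
}
// Audit a response header map (names case-insensitive): which protections are missing,
// and is the framework still fingerprintable?
function auditHeaders(headers) {
  const present = {};
  for (const [name, value] of Object.entries(headers)) present[name.toLowerCase()] = value;
  const missing = Object.keys(SECURITY_HEADERS).filter((h) => !(h.toLowerCase() in present));
  return { missing, fingerprint: present['x-powered-by'] || null };
}
// Minimal stand-in for http.ServerResponse, enough to exercise the middleware offline.
function fakeResponse(initial) {
  const headers = { ...initial };
  return {
    headers,
    setHeader(name, value) { headers[name] = value; },
    removeHeader(name) { delete headers[name]; },
  };
}
// Demo: audit a default Express response before and after the middleware runs.
function runDemo() {
  const before = fakeResponse({ 'X-Powered-By': 'Express' }); // what Express sets by default
  const after = fakeResponse({ 'X-Powered-By': 'Express' });
  securityHeaders({}, after, () => {});
  return { before: auditHeaders(before.headers), after: auditHeaders(after.headers) };
}
```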
Disable x-powered-by

▪ Avoid framework fingerprinting
▪ Use Helmet and its "hide-powered-by" plugin
Sessions management
▪ https://www.npmjs.com/package/cookie-session

▪ secure
▪ httpOnly
▪ domain
▪ path
▪ expires

httpOnly & secure: true
XSS attacks

▪ An attacker can exploit an XSS vulnerability to:
  ▪ Steal session cookies / session hijacking
  ▪ Redirect users to malicious sites
  ▪ Deface and manipulate content
  ▪ Cross-site request forgery
CSRF attacks
▪ https://www.npmjs.com/package/csurf

CSRF

    var csrf = require('csurf');
    app.use(require('cookie-parser')());   // csurf needs cookie-parser or a session store
    app.use(csrf({ cookie: true }));
    app.use(function (request, response, next) {
      // expose a per-request token to templates under the name the form uses
      response.locals.csrfToken = request.csrfToken();
      next();
    });

    <form action="/process" method="POST">
      <input type="hidden" name="_csrf" value="{{csrfToken}}">
      <button type="submit">Submit</button>
    </form>
Filter/sanitize user input

▪ Fixing XSS attacks
▪ https://www.npmjs.com/package/sanitizer
▪ Module express-validator
▪ https://www.npmjs.com/package/express-validator

Express Validator

Bcrypt-node
▪ https://github.com/kelektiv/node.bcrypt.js
Node Goat
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://github.com/OWASP/NodeGoat

EVAL() attacks
    res.end(require('fs').readdirSync('.').toString())

Insecure Direct Object References
▪ Use session instead of request param
▪ var userId = req.session.userId;
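An added example, not NodeGoat's code, covering the two slides above: the eval() sink beside a hardened parser that accepts only a whole number, and the IDOR fix (the lookup keyed on the session user rather than a request parameter). The "contribution" field and the in-memory allocations table are constructed.

```javascript
// Vulnerable: whatever the client sends is executed as JavaScript on the server.
function parseContributionUnsafe(input) {
  return eval('(' + input + ')');
}
// Hardened: accept only a plain whole number in a sane range, reject everything else.
function parseContributionSafe(input) {
  if (typeof input !== 'string' || !/^\d{1,6}$/.test(input.trim())) {
    throw new TypeError('contribution must be a whole number');
  }
  return parseInt(input.trim(), 10);
}
// Constructed allocations table keyed by user id.
const ALLOCATIONS = { 1: { stocks: 60, bonds: 40 }, 2: { stocks: 20, bonds: 80 } };
// Vulnerable: the id comes from the URL, so any logged-in user can read any row.
function allocationsUnsafe(req) {
  return ALLOCATIONS[req.params.userId] || null;
}
// Fixed as on the slide: the id comes from the server-side session.
function allocationsSafe(req) {
  var userId = req.session.userId;
  return ALLOCATIONS[userId] || null;
}
// Demo: a normal value and a non-numeric one through the safe parser, and the IDOR before/after.
function runDemo() {
  let rejected = false;
  try { parseContributionSafe('10; somethingElse()'); } catch (e) { rejected = e instanceof TypeError; }
  const req = { params: { userId: '2' }, session: { userId: 1 } }; // user 1 asks for user 2's row
  return {
    parsed: parseContributionSafe(' 42 '),
    rejected,
    unsafeRow: allocationsUnsafe(req),
    safeRow: allocationsSafe(req),
  };
}
```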
Tools

▪ KrakenJS
▪ Lusca middleware
▪ NodeJsScan

▪ http://krakenjs.com/
▪ https://github.com/krakenjs/lusca

NodeJsScan
▪ https://github.com/ajinabraham/NodeJsScan
▪ https://github.com/jmortega/NodeJsScan/blob/master/rules.xml
GitHub repositories

▪ https://github.com/jmortega/testing_nodejs_security
▪ https://github.com/cr0hn/vulnerable-node
▪ https://github.com/rdegges/svcc-auth
▪ https://github.com/strongloop/loopback-getting-started-intermediate
▪ https://github.com/Feeld/strong-node

Node security learning
▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/
Books

References
▪ https://blog.risingstack.com/node-js-security-checklist/
▪ https://blog.risingstack.com/node-js-security-tips/
▪ https://www.npmjs.com/package/helmet
▪ https://expressjs.com/en/advanced/best-practice-security.html
▪ https://expressjs.com/en/advanced/security-updates.html
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
