Phillip Chaffee

July 7th, 2015

Node.js Security
Security for web servers written in Javascript
Node.js Overview

 Javascript interpreter for writing servers

 Built on Google Chrome’s Javascript Runtime – V8
 Event driven
 Non-blocking I/O model
 Written in C
OWASP Node Goat

What is it? How to use it

 Node Goat is a  Either

purposefully flawed  Fork and deploy (Heroku)
application developed  Fork, clone, and run locally
using Node.js.
 Open the source code
 Made to be hacked/fixed
to learn the OWASP top 10  Follow the walkthrough
for Node.js.
 Source code comments
are very helpful
Main Libraries Used in Node Goat

 ExpressJS
 Node.js framework
 Node is very low level
 Needs a framework to sit on top of it to handle routing

 MongoDB
 A NoSQL database that uses a Javascript console
 Stores data in JSON objects

 Swig
 A front end framework for injecting Javascript into the browser
OWASP Top 10
A1 - Injection
A2 – Broken Auth

 Password field needs encryptions

 NPM to the rescue
 Bcrypt
A3 - XSS

 Not much different then in a non Node.js app

 Validate all inputs
 Use correct output encoding
 HTTP only on session cookies not needed by JS
 Use built in Express middleware session management
 app.use(express.session({});
A4 – Insecure Direct Object References

 Use session instead of request parameters

 Also
 Check access
 Use indirect session/user object references
A5 - Misconfiguration

 Node.js configurations tips

 Use the latest and most stable versions of node.js and all major
packages being used
 Lock all npm packages versions
 Use HTTP request body limiting middleware
 Never run an application with root privileges

 Helmet
 Helmet is a great node package that bundles together a lot of the
security configuration you will need
A6 – Sensitive Data

 Use secure HTTPS protocol

 https.createserver()

 Encrypt all sensitive data

 var crypto = require(“crypto”);

 Don’t store sensitive data longer than you need to

 Verify algorithms strength
 Disable autocomplete
A7 – Mission Function Level Access Control

 Verifythat the current user has sufficient rights to view

restricted areas
 ExpressJS middleware
A8 – Cross-Site Request Forgery

 Malicious web pages

 ExpressJS provides middleware specifically for this
 app.use(express.csrf());
 app.use(function(req, res, next) {
 res.locals.csrftoken = req.csrftoken();
 next();
 });
A9 - Using Components with Known
Vulnerabilities

 Do not run any modules with root privileges

 Use the Node Security Project
 npm install nsp –g
 Nsp package

 This
scans the package.json file and alerts you to any
packages with known vulnerabilities
A10-Unvalidated Redirects and Forwards

 Avoid using redirects and forwards altogether

 If used, don’t include user parameters
 Otherwise, validate destination and current user
Conclusion

 ZAProxy still works great for testing

 It has it’s own npm package
 npm install zaproxy
 var options = { proxy : ‘http://localhost:4000’ };
 var ZapClient = require(‘zaproxy’);
 var zaproxy = new ZapClient(options);

 Node.jsis very low level, so security can be built as

middleware
 Further reading/information
 https://github.com/PhillipChaffee/nodejs-
security/blob/master/reading.md
Questions & Discussion