Fosdem Testing Node Security

The document presents a comprehensive overview of Node.js security, highlighting various npm security packages and tools for testing Node.js applications. It discusses vulnerabilities such as XSS and CSRF attacks, along with mitigation strategies like using Helmet and express-validator. Additionally, it provides references to resources and GitHub repositories for further learning and exploration of Node.js security practices.

Hacking NodeJS applications for fun and profit

Presentation · February 2019
DOI: 10.13140/RG.2.2.34059.44322
Citations: 0 · Reads: 4,963
Author: José Manuel Ortega, University of Alicante (54 publications, 16 citations)
Publication page: https://www.researchgate.net/publication/338825372

All content following this page was uploaded by José Manuel Ortega on 25 January 2020.


Hacking NodeJS applications for fun and profit
Testing NodeJS Security

by @jmortegac

Agenda
▪ Introduction to Node.js security
▪ npm security packages
▪ Node Goat project
▪ Tools

Node JS
▪ JavaScript in the backend
▪ Built on Chrome's JavaScript runtime (V8)
▪ Node.js is based on an event loop
▪ Designed to be asynchronous
▪ Single thread
▪ Node.js is resilient to flooding attacks since there is no limit on the number of concurrent requests.

Security updates
▪ https://expressjs.com/en/advanced/security-updates.html

Package vulnerabilities
▪ https://www.npmjs.com/advisories

npm security packages
▪ Helmet
▪ express-session
▪ cookie-session
▪ csurf
▪ express-validator
▪ bcrypt-node
▪ express-enforces-ssl

Security HTTP headers
▪ Strict-Transport-Security
▪ X-Frame-Options
▪ X-XSS-Protection
▪ X-Content-Type-Options
▪ Content-Security-Policy

Helmet module
▪ https://www.npmjs.com/package/helmet
▪ https://github.com/helmetjs/helmet

Helmet module
▪ hidePoweredBy
▪ hpkp → protection against MITM
▪ hsts → forces HTTPS connections
▪ noCache → disables client-side caching
▪ frameguard → protection against clickjacking
▪ xssFilter → protection against XSS

Helmet CSP

Check headers security
▪ http://cyh.herokuapp.com/cyh
▪ https://securityheaders.io/

Express versions
▪ https://www.shodan.io/search?query=express

Disable x-powered-by
▪ Avoid framework fingerprinting
▪ Use Helmet and its "hide-powered-by" plugin
Sessions management
▪ https://www.npmjs.com/package/cookie-session
▪ secure
▪ httpOnly
▪ domain
▪ path
▪ expires

httpOnly & secure:true
XSS attacks
▪ An attacker can exploit an XSS vulnerability to:
▪ Steal session cookies / session hijacking
▪ Redirect the user to malicious sites
▪ Defacing and content manipulation
▪ Cross-Site Request Forgery

CSRF attacks
▪ https://www.npmjs.com/package/csurf

CSRF
app.use(function (request, response, next) {
  // expose the per-request token to templates under the same name the form uses
  response.locals.csrfToken = request.csrfToken();
  next();
});

<form action="/process" method="POST">
  <input type="hidden" name="_csrf" value="{{csrfToken}}">
  <button type="submit">Submit</button>
</form>

CSRF
Filter/sanitize user input
▪ Fixing XSS attacks
▪ https://www.npmjs.com/package/sanitizer
▪ Module express-validator
▪ https://www.npmjs.com/package/express-validator

Express Validator
Bcrypt-node
▪ https://github.com/kelektiv/node.bcrypt.js
Node Goat
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://github.com/OWASP/NodeGoat

EVAL() attacks
res.end(require('fs').readdirSync('.').toString())

Insecure Direct Object References
▪ Use session instead of request param
▪ var userId = req.session.userId;
Tools
▪ KrakenJS
▪ Lusca middleware
▪ NodeJsScan
▪ http://krakenjs.com/
▪ https://github.com/krakenjs/lusca

NodeJsScan
▪ https://github.com/ajinabraham/NodeJsScan
▪ https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

GitHub repositories
▪ https://github.com/jmortega/testing_nodejs_security
▪ https://github.com/cr0hn/vulnerable-node
▪ https://github.com/rdegges/svcc-auth
▪ https://github.com/strongloop/loopback-getting-started-intermediate
▪ https://github.com/Feeld/strong-node

Node security learning
▪ https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

Books

References
▪ https://blog.risingstack.com/node-js-security-checklist/
▪ https://blog.risingstack.com/node-js-security-tips/
▪ https://www.npmjs.com/package/helmet
▪ https://expressjs.com/en/advanced/best-practice-security.html
▪ https://expressjs.com/en/advanced/security-updates.html
▪ http://nodegoat.herokuapp.com/tutorial
▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project