Node.js Authentication and Data Security

Tim Messerschmidt
Head of Developer Relations, International
Braintree
@Braintree_Dev / @SeraAndroid
Node.js Authentication
and Data Security
#HTML5DevConf

@Braintree_Dev / @SeraAndroid#HTML5DevConf
+ Braintree
since 2013

1. Introduction_
2. Well-known security threats
3. Data Encryption
4. Hardening Express
5. Authentication middleware
6. Great resources
Content

The Human Element

1. 12345
2. password
3. 12345
4. 12345678
5. qwerty
bit.ly/1xTwYiA
Top 10 Passwords 2014
6. 123456789
7. 1234
8. baseball
9. dragon
10.football

superman
batman
Honorary Mention

Authentication
& Authorization

1. Introduction
2. Well-known security threats_
3. Data Encryption
6. Great resources
Content

OWASP Top 10bit.ly/1a3Ytvg

1. Injection

2. Broken Authentication

3. Cross-Site Scripting
XSS

4. Direct Object References

5. Application Misconfigured

6. Sensitive Data Exposed

7. Access Level Control

8. Cross-site Request Forgery
CSRF / XSRF

9. Vulnerable Code

10. REDIRECTS / FORWARDS

1. Introduction
3. Data Encryption_
6. Great resources
Content

HashingMD5, SHA-1, SHA-2, SHA-3

http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

ishouldnotbedoingthis
arstechnica.com/security/2015/09/ashley-madison-passwords-like-
thisiswrong-tap-cheaters-guilt-and-denial

whyareyoudoingthis

whyareyoudoingthis
justtryingthisout

whyareyoudoingthis
justtryingthisout
thebestpasswordever

Efficient Hashingcrypt, scrypt, bcrypt, PBKDF2

10.000 iterations user system total
MD5 0.07 0.0 0.07
bcrypt 22.23 0.08 22.31
md5 vs bcrypt
github.com/codahale/bcrypt-ruby

abstrusegoose.com/296
http://abstrusegoose.com/296

Salted Hashingalgorithm(data + salt) = hash

1. Introduction
3. Data Encryption
4. Hardening Express_
6. Great resources
Content

use strict

Regexowasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

X-Powered-By

NODE-UUIDgithub.com/broofa/node-uuid

GET /pay?amount=20&currency=EUR&amount=1
HTTP Parameter Pollution
req.query.amount = ['20', '1'];
POST amount=20&currency=EUR&amount=1
req.body.amount = ['20', '1'];

bcryptgithub.com/ncb000gt/node.bcrypt.js

A bcrypt generated Hash
$2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS

bcrypt.hash('cronut', 12, function(err, hash) {
// store hash
});
bcrypt.compare('cronut', hash, function(err, res) {
if (res === true) {
// password matches
}
});
Generating a Hash using bcrypt

CSURFgithub.com/expressjs/csurf

Using Csurf as middleware
var csrf = require('csurf');
var csrfProtection = csrf({ cookie: false });
app.get('/form', csrfProtection, function(req, res) {
res.render('form', { csrfToken: req.csrfToken() });
});
app.post('/login', csrfProtection, function(req, res) {
// safe to continue
});

extends layout
block content
h1 CSRF protection using csurf
form(action="/login" method="POST")
input(type="text", name="username=", value="Username")
input(type="password", name="password", value="Password")
input(type="hidden", name="_csrf", value="#{csrfToken}")
button(type="submit") Submit
Using the token in your template

Helmetgithub.com/HelmetJS/Helmet

var helmet = require(‘helmet’);
app.use(helmet.noCache());
app.use(helmet.frameguard());
app.use(helmet.xssFilter());
…
// .. or use the default initialization
app.use(helmet());
Using Helmet with default options

Helmet for Koagithub.com/venables/koa-helmet

Luscagithub.com/krakenjs/lusca

var lusca = require('lusca');
app.use(lusca({
csrf: true,
csp: { /* ... */},
xframe: 'SAMEORIGIN',
p3p: 'ABCDEF',
xssProtection: true
}));
Applying Lusca as middleware

Lusca for Koagithub.com/koajs/koa-lusca

1. Introduction
3. Data Encryption
5. Authentication middleware_
6. Great resources
Content

1. Application-level
2. Route-level
3. Error-handling
Types of Express Middleware

var authenticate = function(req, res, next) {
// check the request and modify response
};
app.get('/form', authenticate, function(req, res) {
// assume that the user is authenticated
}
// … or use the middleware for certain routes
app.use('/admin', authenticate);
Writing Custom Middleware

Passportgithub.com/jaredhanson/passport

passport.use(new LocalStrategy(function(username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) {
return done(null, false, { message: 'Incorrect username.' });
}
if (!user.validPassword(password)) {
return done(null, false, { message: 'Incorrect password.' });
}
return done(null, user);
});
}));
Setting up a passport strategy

// Simple authentication
app.post('/login', passport.authenticate(‘local'), function(req, res) {
// req.user contains the authenticated user
res.redirect('/user/' + req.user.username);
});
// Using redirects
app.post('/login', passport.authenticate('local', {
successRedirect: ‘/',
failureRedirect: ‘/login’,
failureFlash: true
}));
Using Passport Strategies for Authentication

NSPnodesecurity.io/tools

1. Introduction
3. Data Encryption
6. Great resources_
Content

Passwordless Authmedium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

OWASP Node Goatgithub.com/OWASP/NodeGoat

Node Securitynodesecurity.io/resources

Fast Identity Onlinefidoalliance.org

Security Beyond Current Mechanisms
1. Something you have
2. Something you know
3. Something you are

Favor security too much over the
experience and you’ll make the
website a pain to use.
smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form

@SeraAndroid
tim@getbraintree.com
slideshare.com/paypal
braintreepayments.com/developers
Thank You!

Node.js Authentication and Data Security

More Related Content

What's hot (20)

Viewers also liked (18)

Similar to Node.js Authentication and Data Security (20)

More from Tim Messerschmidt (9)

Recently uploaded (20)

Node.js Authentication and Data Security