Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
?
0 likes?813 views
Liran is leading the core team for the MEAN.js JavaScript framework. He recently published Essential Node.js Security. Passionate about Open Source since an early age, he is continuously contributing to many projects on GitHub around Node.js, JavaScript, Docker, and Security. Being an avid supporter and contributor to the open source movement, in 2007 Liran has redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).
![? ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d
d?|2[0-4]d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d|
25[0-5])$](https://image.slidesharecdn.com/node-171206075402/85/Node-js-Security-XSS-Vulnerable-Dependencies-Snyk-OWASP-62-320.jpg)
![Matching an IP address
? ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d
d?|2[0-4]d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d|
25[0-5])$](https://image.slidesharecdn.com/node-171206075402/85/Node-js-Security-XSS-Vulnerable-Dependencies-Snyk-OWASP-63-320.jpg)
![^([a-zA-Z0-9])$
? Match words and numbers](https://image.slidesharecdn.com/node-171206075402/85/Node-js-Security-XSS-Vulnerable-Dependencies-Snyk-OWASP-65-320.jpg)
![^([a-zA-Z0-9]+s?)$
? Match words and numbers
? Allow spaces in between (duh)](https://image.slidesharecdn.com/node-171206075402/85/Node-js-Security-XSS-Vulnerable-Dependencies-Snyk-OWASP-66-320.jpg)
![^([a-zA-Z0-9]+s?)+$
? Match words and numbers
? Allow spaces in between (duh)
? Repeat](https://image.slidesharecdn.com/node-171206075402/85/Node-js-Security-XSS-Vulnerable-Dependencies-Snyk-OWASP-67-320.jpg)
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
- 1. Node.js Security: Breaking The Loop Liran Tal Engineering Manager @ Nielsen Marketing Cloud November 2017
- 10. Node.js is JavaScript? JavaScript is Everywhere
- 11. Security Horror Stories? in Node.JS
- 12. Fail #1
- 13. By January 2015 ¡ó rimrafall package published to npm
- 14. rimrafall ¡ó npm pre-install script: $ rm ¨Crf /*
- 16. Fail #2
- 17. validator.js ¡ó helps validate and sanitize strings
- 19. $ npm install validator.js --save
- 21. malicious modules of similar names
- 22. 3,500,000 socket.io 2,000 socketio malicious modules of similar names
- 24. Fail #3
- 26. seemingly innocent tutorial to learn from
- 30. Enough with the Horror!
- 33. Security by HTTP Headers1
- 34. The Big 3
- 35. The Big 3
- 36. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3
- 37. 1. Strict-Transport-Security The Big 3 Browsers enforce secure (HTTPS) connections to the server Security by HTTP Headers
- 38. 1. Strict-Transport-Security The Big 3 http://www.bank.com <a href=¡°https://bank.com/login"> http://www.bank.com/login Security by HTTP Headers
- 39. 1. Strict-Transport-Security The Big 3 http://www.bank.com https://www.bank.com Security by HTTP Headers
- 40. 2. X-Frame-Options The Big 3 Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on Security by HTTP Headers
- 41. 2. X-Frame-Options The Big 3 Security by HTTP Headers
- 42. 2. X-Frame-Options The Big 3 Security by HTTP Headers
- 43. 3. Content-Security-Policy The Big 3 Whitelist Trusted Content Security by HTTP Headers
- 44. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3 Security by HTTP Headers
- 45. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3 Security by HTTP Headers
- 47. Putting it all together? with Helmet and ExpressJS
- 52. What is going on here?
- 53. No HTTP body in ExpressJS it relies on bodyParser lib
- 54. ExpressJS uses bodyParser library to access HTTP body payload
- 55. ExpressJS uses bodyParser library to access HTTP body payload
- 58. Validate Input ¡ó Validate Length and Type ¡ó Validate & Sanitize input to expected type ¡ó Parameters Binding ¡ó Security in Depth
- 60. ReDoS 3 Regular Expressions DoS
- 63. Matching an IP address ? ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d d?|2[0-4]d|25[0-5]).([01]?dd?| 2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d| 25[0-5])$
- 64. Let¡¯s Match Song Titles Can you help with the regex?
- 65. ^([a-zA-Z0-9])$ ? Match words and numbers
- 66. ^([a-zA-Z0-9]+s?)$ ? Match words and numbers ? Allow spaces in between (duh)
- 67. ^([a-zA-Z0-9]+s?)+$ ? Match words and numbers ? Allow spaces in between (duh) ? Repeat
- 69. ReDoS Attacks ¡ó Catastrophic Backtracking ¡ó Exploits greedy quantifiers ¡ó Simple regex are vulnerable too:? /^(a+)+$/
- 70. Regex DoS is a Real Problem ¡ó2017 - ms ¡ó2016 - Hawk ¡ó2016 - Tough Cookie ¡ó2016 - Moment ¡ó2015 - Uglify ¡ó2014 - Marked ¡ó2013 - Validator.js
- 72. University of Birmingham UK http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf
- 73. Best Practice #1 ¡ó DO NOT WRITE YOUR OWN REGEX
- 74. Best Practice #2 ¡ó DO NOT WRITE YOUR OWN REGEX
- 75. Best Practice #3 ¡óValidator Node.js Module
- 77. Best Practice #4 ¡ó safe-regex node.js module ¡ó checks regex complexity/backtracking vulnerability
- 84. ¡ó Who takes care of the risk for those packages? ¡ó Can I code review every single package?
- 89. ¡ó 14% of npm packages compromised ->? 20% of npm total monthly downloads
- 90. ¡ó 14% of npm packages compromised ->? 20% of npm total monthly downloads ¡ó debug, react, electron, jasmine,? moment, express, gulp, request
- 92. ¡ó 662 users had password: 123456
- 93. ¡ó 662 users had password: 123456 ¡ó 124 users has password: password?
- 94. ¡ó 662 users had password: 123456 ¡ó 124 users has password: password? ¡ó 1409 users had their username as password?
- 95. ¡ó662 users had password: 123456 ¡ó124 users has password: password? ¡ó1409 users had their username as password? ¡ó11% of users re-used their leaked password
- 96. Are my dependencies vulnerable? ask yourself
- 100. snyk ¡ó check cve db for known issues ¡ó check installed node_modules dir ¡ó provides patch-level fix ¡ó provides interactive patch wizard
- 101. SecurityOps Integrated Security into your? build pipeline
- 102. 1 2 3 Employ Secure HTTP headers with Helmet Be mindful to NoSQL Injections Summary 4 Snyk to secure Your npm dependencies Avoid writing your own RegEx