An overview of the Node.JS platform from a security perspective. Offers guidance on how to secure node apps, as well as ways to test them as an infosec professional. Presented at Rochester Security Summit 2015.
4. node.js
• a JavaScript runtime built
on Google’s V8
JavaScript engine
• uses an event-driven,
non-blocking I/O model
• npm package repo
claims to be the largest
ecosystem of open
source libraries in the
world
5. V8 engine runtime
• written in C++
• implements ECMA
script standard
ECMA-262
• same engine the
chrome browser
uses for JavaScript
processing
6. installation
• don’t apt-get install
• download the tarball
• untar it $someplace
• add
$someplace/<nodedir>/bin
to your path
8. things to know
• node.js is NOT a web framework.
• It’s an application server
• think Tomcat or Zend
• not rails or Django
• you know that, devops don’t care
9. express.js web framework
• modeled after the ruby ‘Sinatra’
project
• most widely used node framework
• easy to work with, lots of examples
• creating servers is easy
10. sample hello
var express = require('express');
var app = express();
app.get('/', function (req, res) {
res.send('Hello World!');
});
var server = app.listen(3000,
function () {
console.log('app listening on port
3000’);
});
11. other frameworks?
• koa
only framework that embraces ES6 fully
less robust than express, and not as tested
• hapi
built for complex apps, has big.corp support
(walmart)
less mature than express, heavier dev
investment requirements
12. what about $myFavorite.js?
• express / koa / hapi
server side
designed to manage the
application engine
• angular / ember /
backbone /
omgsomany
client-side JavaScript
frameworks
implement MVC or PAC
methods
14. security risks
• npm makes it easy to add things
tough to track dependencies
repo is open, anyone can add modules
vulns in vendor libs == app.pwnd
• package.json may get stale
as libs are updated, version info may not change
lib patches that you ignore == app.pwnd
15. OMG! XSS! ONTHASERVER!
• we can inject commands & stuff
right?
• not really a concern, because this is
server-side
• client input isn’t parsed in the server code
• not shelling out to command line
• options that get parsed come from:
• env vars
• config files
• sometimes eval() but that’s very uncommon
16. node security tools
• helmet.js
framework makes it easy to remove common
vectors like XSS, CSRF, cache snarfing, and
clickjacking
helmet = require(‘helmet’);
app.use(helmet.xssFilter());
app.use(helmet.noCache());
app.use(helmet.xssnoSniff());
app.use(helmet.xssframeguard());
app.use(helmet.xsshidePoweredBy());
18. nodesecurity.io
• flags included packages with known vulnerabilities
• can be used automagically with grunt
grunt.loadNpmTasks('grunt-nsp-package');
grunt.loadNpmTasks('grunt-nsp-shrinkwrap');
grunt.registerTask('nsp-package',
'Validates package.json with nodesecurity.io',
'validate-package');
grunt.registerTask('nsp-shrinkwrap',
'Validates shrinkwrap.json with nodesecurity.io',
'validate-shrinkwrap');
20. NodeJs Scan
• python tool to scan node.js static
code
• problem: node is JavaScript, and is
dynamic
• that makes it tough to analyze code
• still does a decent job of trying