The document discusses security best practices for Node.js applications. It covers using packages like Helmet to set secure HTTP headers, encrypting sessions with packages like cookie-session, preventing XSS attacks with csurf, sanitizing user input with express-validator, and encrypting passwords with bcrypt. It also discusses building secure HTTPS servers, analyzing dependencies for vulnerabilities with tools like NSP and Snyk, and using the Node Goat project to intentionally introduce vulnerabilities for testing security.

1. Testing Node
Security
by @jmortegac
NOV 18-19 · 2016

2. Agenda
 Introduction nodejS security
 Npm security packages
 Node Goat project
 Tools

3. nodeJS introduction
 JavaScript in the backend
 Built on Chrome´s Javascript runtime(V8)
 NodeJs is based on event loop
 Designed to be asynchronous
 Single Thread
 Concurrent requests.

4. Security updates

5. Security updates

6. Find nodeJS vulnerabilities
 http://cve.mitre.org/find/

7. Last vulnerabilities
 https://nodesecurity.io/advisories

8. NPM modules install

9. Npm security packages
 Helmet
 express-session / cookie-session
 csurf
 express-validator
 bcrypt-node
 express-enforces-ssl

10. Security HTTP Headers
 Strict-Transport-Security
 X-Frame-Options
 X-XSS-Protection
 X-Content-Type-Options
 Content-Security-Policy

11. Helmet module
 https://www.npmjs.com/package/helmet

12. Helmet module
 https://github.com/helmetjs/helmet

13. Helmet module
 CSPContent-Security-Policy header
 hidePoweredBydeletes X-Powered-by header
 Hpkpprotection MITM
 Hstsforces https connections
 noCachedesactive client cache
 Frameguardprotection clickjacking
 xssFilterprotection XSS

14. Helmet module

15. Check headers security
 http://cyh.herokuapp.com/cyh
 https://securityheaders.io/

16. Express versions
 https://www.shodan.io/search?query=express

17. Disable x-powered-by
 Avoid framework fingerprinting

18. Disable x-powered-by
 Use Helmet and use “hide-powered-by” plugin

19. Sessions management
 https://www.npmjs.com/package/cookie-session
 secure
 httpOnly
 domain
 path
 expires

20. httpOnly & secure:true

21. Delete cookies from cache browser
// Set cache control header to eliminate cookies from cache
app.use(function (req, res, next) {
res.header('Cache-Control', 'no-cache="Set-Cookie, Set-Cookie2"');
next();
});

22. XSS attacks
 An attacker can exploit XSS vulnerability to:
 Steal session cookies/Sesion hijacking
 Redirect user to malicious sites
 Defacing and content manipulation
 Cross Site Request forgery

23. https://www.npmjs.com/package/csurf

24. CSRF
<form action="/process" method="POST">
<input type="hidden" name="_csrf" value="{{csrfToken}}">
<button type="submit">Submit</button>
</form>
app.use(function (request, response, next) {
response.locals.csrftoken = request.csrfToken();
next();
});

25. CSRF

26. Filter/sanitize user input
 Avoid XSS attacks
 https://www.npmjs.com/package/sanitizer
 Module express-validator
 https://www.npmjs.com/package/express-validator

27. Validator

28. Validator

29. Validator

30. Validator with reg exp

31. Regular expressions
 https://www.npmjs.com/package/safe-regex
 Detect vulnerable regular
expressions that can cause DoS

32. NodeJS Crypto
 http://nodejs.org/api/crypto.html
 Use require(‘crypto’) to access this module
 The crypto module requires OpenSSL
require("crypto")
.createHash("sha1") //algorithm
.update(“cOdEmOtiOn") //text
.digest("hex"); //hexadecimal result

33. Bcrypt-node
 https://github.com/kelektiv/node.bcrypt.js

34. Bcrypt-node

35. Bcrypt-node

36. Bcrypt-node

37. Building a secure HTTPS server

38. Building a secure HTTPS server
 https://www.npmjs.com/package/https-redirect-server
 https://www.npmjs.com/package/express-enforces-ssl
 Redirect all traffic to https and a
secure port

39. Building a secure HTTPS server

40. Building a secure HTTPS server
var helmet = require("helmet");
var ms = require("ms");
app.use(helmet.hsts({
maxAge: ms("1 year"),
includeSubdomains: true
}));
 Send hsts header for all requests

41. Node Goat
 http://nodegoat.herokuapp.com/tutorial

42. Node Goat
 https://github.com/OWASP/NodeGoat

43. EVAL()

44. EVAL() on github

45. EVAL() ATTACKS
res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readdirSync('..').toString())

46. Insecure Direct Object References
 Use session instead of request param
 var userId = req.session.userId;

47. Tools
 NSP
 Require Safe
 David
 KrakenJS / Lusca middleware
 Retire
 snyk.io

48. NSP
 https://github.com/nodesecurity/nsp
 npm install -g nsp
 Analyze package.json
 nsp check --output summary

49. NSP with Grunt
 npm install –g grunt-nsp-package

50. Nsp execution

51. Nsp execution

52. Project dependences
 https://david-dm.org/

53. Project dependences

54. Project dependences
 npm install –g david

55. https://snyk.io

56. http://krakenjs.com/

57. https://github.com/krakenjs/lusca

58. Retire.js
 http://retirejs.github.io/retire.js
 Detecting components and js libraries
with known vulnerabilities

59. Retire.js

60. Retire.js

61. Retire.js

62. Retire.js
 https://raw.githubusercontent.com/bekk/retire.js/master/repository/jsrepository.json

63. Retire.js execution

64. NodeJsScan
 https://github.com/ajinabraham/NodeJsScan
python NodeJsScan.py -d <dir>

65. NodeJsScan
https://github.com/jmortega/NodeJsScan/blob/master/rules.xml

66. NodeJsScan

67. Passport

68. Passport

69. https://github.com/jmortega/testing_nodejs_security

70. GitHub repositories
 https://github.com/cr0hn/vulnerable-node
 https://github.com/rdegges/svcc-auth
 https://github.com/strongloop/loopback-getting-started-
intermediate

71. References
 https://blog.risingstack.com/node-js-security-checklist/
 https://blog.risingstack.com/node-js-security-tips/
 https://groups.google.com/forum/#!forum/nodejs-sec
 https://nodejs.org/en/blog/vulnerability/september-2016-
security-releases/
 https://expressjs.com/en/advanced/security-updates.html
 http://opensecurity.in/nodejsscan/
 http://stackabuse.com/securing-your-node-js-app/

72. Node security learning
 https://www.udemy.com/nodejs-security-pentesting-and-exploitation/

73. Books