SFNode meetup talk (November 2018)
Security happens in layers. Node.js is part of an ecosystem. There are many tools that will help you code quickly but still remain secure. Just because you add security doesn't mean vulnerabilities disappear. Good security should give you more time to react and counter active attacks.
-
OWASP is a public group focused on security
- The “Open Web Application Security Project” (OWASP)
- Their official website ( https://www.owasp.org/ )
- OWASP meetups in San Francisco Bay Area ( https://www.meetup.com/Bay-Area-OWASP/ )
- OWASP Twitter ( https://twitter.com/owasp )
-
npm has security features everyone should know about
- There are automatic security audits in npm. Act on the audits with npm audit fix or npm audit fix --force. Read the docs found here ( https://docs.npmjs.com/getting-started/running-a-security-audit )
- Enable Two Factor Authentication (2fa). Read the docs found here ( https://docs.npmjs.com/getting-started/using-two-factor-authentication ).
- For 2fa you will need to use a One Time Password (OTP) generator (Authy, Google Authenticator; not sure if it works with Microsoft Authenticator)
- It is important to research how to back up and recover your OTP and 2fa, just in case something happens to the device that has the application installed.
- npm 2fa works with yarn
-
Linter security rules
- Source article for more details ( https://github.com/i0natan/nodebestpractices/blob/master/sections/security/lintrules.md )
- We have tools, let's use them. These security plugins will help you avoid vulnerable coding patterns.
- TSLint security plugin found here ( https://www.npmjs.com/package/tslint-config-security )
- ESLint security plugin found here ( https://github.com/nodesecurity/eslint-plugin-security )
-
Node.js Security Patches
- Please use even number Node.js releases for enterprise applications. Even number releases are supported under LTS, which lasts 3 years from Current release to End of Life (EOL).
- Long-Term Support (LTS) will support Node.js with patches to security flaws as they are discovered.
- Bug fixes, security updates, non-semver-major npm updates
- Please do not use EOL versions of Node.js because there is no support. Even if there is a known security vulnerability it will not be patched in EOL versions.
- Note: odd number releases will be EOL once the next major “SemVer” release is published.
- Node Security Roadmap from Google ( https://nodesecroadmap.fyi/ )
-
Semantic Versioning ( SemVer )
- ( https://semver.org/ )
- Given a version number MAJOR.MINOR.PATCH, increment the:
- MAJOR version when you make incompatible API changes,
- MINOR version when you add functionality in a backwards-compatible manner, and
- PATCH version when you make backwards-compatible bug fixes.
-
Node.js Vulnerability Disclosure
- “If you See something Say something”
- Report Node.js issues by email ( [email protected] )
- Or use the HackerOne Bug Bounty Program ( https://hackerone.com/nodejs )
- Read the main bug page for Node.js security details ( https://nodejs.org/en/security/ )
- A "Security.md" security ReadMe file should be added to all open source repos. This ReadMe contains the security disclosure policy and responsible disclosure practice. I am recommending this as a new standard. Read more here ( https://3waters.org/?p=250&preview=true )
-
NodeGoat is an OWASP initiative
- This app can be exploited. It also guides devs about ways to fix the issues/vulnerabilities that are in it.
- Meant to be deployed to Heroku.
-
Scan your application code constantly and automatically to inspect for vulnerabilities with tools like:
- npm audit
- snyk
- NodeJsScan
- npm-check, which is different than npm audit fix
Threats by category: OWASP Top 10 Threats 2017
A1 Injection
- "tl;dr" Solution: make sure to validate the data you get from users.
- Prevent query injection vulnerabilities by using ORM/ODM libraries; Mongoose, for example, has this feature. Below is a video of an academic example of this vulnerability.
- “Node.js Applicative DoS Through MongoDB Injection” on YouTube, by Vladimir de Turckheim
- Avoid JavaScript eval statements and new Function
- Avoid loading modules using a variable, i.e. require(someVariable)
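The MongoDB operator injection the video above is about, shown at the point where a login handler builds its user filter; this is an added example, not code from the talk, and the request bodies and helper names are constructed for it:

```javascript
// Added example (not from the talk): guarding a user lookup against MongoDB
// operator injection. No database is needed: the functions only build the
// filter object that would be handed to the driver or to Mongoose.

// Naive handler: the parsed JSON body is spliced straight into the filter.
// A body like {"username": {"$gt": ""}} turns the intended equality match into
// "any username greater than the empty string", i.e. every user.
function buildUserFilterUnsafe(body) {
  return { username: body.username };
}

// Hardened handler: accept only a plain, bounded string, so an operator
// object coming out of the JSON parser can never reach the query.
function assertPlainString(value, name, maxLen = 256) {
  if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
  if (value.length === 0 || value.length > maxLen) {
    throw new RangeError(`${name} has an invalid length`);
  }
  return value;
}

// The password is never part of the filter; it is checked afterwards against
// the stored bcrypt hash of the single user this filter returns.
function buildUserFilterSafe(body) {
  return { username: assertPlainString(body.username, "username") };
}

// Detection helper: does any top-level filter value smuggle in a $operator?
// Useful as a last-line check in front of the driver, or over request logs.
function filterCarriesOperator(filter) {
  return Object.values(filter).some(
    (v) => v !== null && typeof v === "object" &&
      Object.keys(v).some((k) => k.startsWith("$"))
  );
}

// Constructed sample bodies, as an HTTP JSON body parser would produce them.
const HONEST_BODY = { username: "alice", password: "correct horse" };
const OPERATOR_BODY = { username: { $gt: "" }, password: { $gt: "" } };
```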
A2 Broken Authentication
- "tl;dr" Solution: use 2fa whenever possible.
- Avoid using the Node.js crypto library for handling passwords because it is too predictable. Instead use bcrypt
- Thomas Hunter II wrote about this in The Dangers of Malicious Modules
- Support blacklisting and expiring JWT tokens.
- I highly suggest this talk JWTs Suck (and are stupid), by Randall Degges, slides here, and on YouTube.
- Limit the allowed login request of each user by using express-brute.
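One way to implement the JWT blacklisting and expiry mentioned above (an added example, not the talk's code; it assumes signatures are verified elsewhere and uses an in-memory Map as the revocation store):

```javascript
// Added example (not from the talk): an in-memory revocation list for JWTs,
// keyed by the jti claim and pruned by the exp claim. It assumes the signature
// was already verified by your JWT library, and that production would use a
// shared store so every server instance sees the same revocations.
const revoked = new Map(); // jti -> exp (seconds since the epoch)

function fromBase64Url(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}
function toBase64Url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}
// Decode (not verify) the payload of a compact JWT "header.payload.signature".
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(fromBase64Url(parts[1]).toString("utf8"));
}
function hasRevocableClaims(claims) {
  return typeof claims.jti === "string" && Number.isInteger(claims.exp);
}

// Put a token on the list until the moment it would have expired anyway.
function revokeToken(token) {
  const claims = decodePayload(token);
  if (!hasRevocableClaims(claims)) throw new Error("token needs jti and exp");
  revoked.set(claims.jti, claims.exp);
  return revoked.size;
}

// Drop entries whose exp has passed; returns how many entries remain.
function pruneRevoked(now = Math.floor(Date.now() / 1000)) {
  for (const [jti, exp] of revoked) if (exp <= now) revoked.delete(jti);
  return revoked.size;
}

// Accept only tokens that carry jti and exp, are unexpired, and are not
// listed. A token without exp is refused: it could never age out of the list.
function isTokenAcceptable(token, now = Math.floor(Date.now() / 1000)) {
  const claims = decodePayload(token);
  if (!hasRevocableClaims(claims) || claims.exp <= now) return false;
  return !revoked.has(claims.jti);
}

// Constructed sample token with a placeholder signature (never trust this one).
function makeSampleToken(payload) {
  return `${toBase64Url({ alg: "HS256", typ: "JWT" })}.${toBase64Url(payload)}.sig`;
}
```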
A3 Sensitive Data Exposure
- "tl;dr" Solution: encrypt sensitive data.
- Extract secrets from config files or use packages to encrypt them
- Pass secrets with environment variables and save the secrets in a file on your server.
- use cryptr
A4 XML External Entities (XXE)
- "tl;dr" Solution: use JSON and avoid serializing sensitive data.
- Run unsafe code in a sandbox
- Take extra care when working with child processes
- use child_process.execFile if you are unsure
A5 Broken Access Control
- "tl;dr" Solution: deny access by default.
- Run Node.js as non-root user
A6 Security Misconfiguration
- "tl;dr" Solution: review default settings to secure installation.
- Adjust the HTTP response headers for enhanced security
- use helmet to protect express servers
- Hide error details from clients
- set NODE_ENV to production
- Modify session middleware settings, don't use the defaults.
A7 Cross-Site Scripting (XSS)
- "tl;dr" Solution: separate untrusted data from browser content.
- Escape HTML, JS, and CSS output
- use escape-html
- use node-esapi
A8 Insecure Deserialization
- "tl;dr" Solution: no serialized data from untrusted sources.
- Validate incoming JSON schemas
- use jsonschema
- use joi
- Limit payload size using a reverse proxy or middleware.
- configure express bodyparser to accept small-size payloads
A9 Using Components with Known Vulnerabilities
- "tl;dr" Solution: institute a patch management process.
- npm audit fix
- npm-check
A10 Insufficient Logging and Monitoring
- "tl;dr" Solution: read the logs for unusual activity.
- use due diligence. Check logs, write scripts, use things like linkerd or splunk to monitor possible intrusions.
Denial of Service (DoS)
- Limit concurrent requests using a middleware. Cloud load balancers and firewalls can be configured to help with this.
- Avoid DoS attacks by explicitly setting when a process should crash
- Prevent RegEx from overloading your single-threaded execution with an overly complex pattern.
User input is a major source of vulnerabilities; treat it like hostile code and sanitize it. Filter and validate all user input.
- Electron exploit (THIS IS WHAT GAVE ME THE IDEA FOR THE TALK)
- This exploit was fixed in Electron version 2 so upgrade this dependency.
- Electron also lists other security recommendations
- CVE Details ("Common Vulnerabilities and Exposures")
- "Reverse Shell" exploit
- This has been patched and it is very specific. There is an interesting article on it here
- “i0natan” - Their GitHub site with a list of security best practices ( https://github.com/i0natan/nodebestpractices ).
- Thomas Hunter II - has written articles about crypto ( https://medium.com/intrinsic/common-node-js-attack-vectors-the-dangers-of-malicious-modules-863ae949e7e8 )