
Threat modelling node.js applications

Threat modelling is the process of identifying potential threats in a prioritized way. When it comes to Node.js and JavaScript there are lots of specific security issues that can arise.

Presented at FullStack London, 2017

Gergely Nemeth

July 14, 2017

Transcript

  1. Agenda
     • Threat modelling methodologies
       ◦ Attack trees
       ◦ STRIDE
       ◦ DREAD
     • Building more secure Node.js applications
       ◦ HTTP Headers
       ◦ Regex DDOS
       ◦ XSS / CSRF attacks
  2. Attack trees: “A formal, methodical way of describing the security of systems, based on varying attacks.” (Bruce Schneier)
  3. Attack trees (diagram): an attack tree whose nodes are Get Access, Modify Credentials, Learn Password, Bypass Access Control, Get Access to Database, Social Engineering, Get Access to DMZ, Listen on Transport Layer, Guessing, Insecure Dependencies.
  4. Attack trees (diagram): the same tree with the path Get Access → Learn Password → Guessing highlighted.
  5. STRIDE: classification scheme for characterizing known threats:
     • Spoofing of user identity
     • Tampering
     • Repudiation
     • Information disclosure (privacy breach or data leak)
     • Denial of service
     • Elevation of privilege
  6. STRIDE: Tampering. An attacker sending modified information, which the application may use and store without checking.
  7. STRIDE: Elevation of privilege. Users getting rights that they should not have (like admin rights).
  8. Calculating Risk: (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
  9. The DREAD calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.
  10. DAMAGE: If a threat exploit occurs, how much damage will be caused? 0 = None; 5 = Individual user data is compromised or affected; 10 = Complete system or data destruction.
  11. REPRODUCIBILITY: How easy is it to reproduce the exploit? 0 = Very hard or impossible, even for administrators; 5 = One or two steps required, may need to be an authorized user; 10 = Even a web browser is sufficient, without authentication.
  12. EXPLOITABILITY: What is needed to exploit this threat? 0 = Advanced programming and networking knowledge, with custom or advanced tools; 5 = Malware exists on the Internet, or an exploit is easily performed using available attack tools; 10 = Just a web browser.
  13. AFFECTED USERS: How many users will be affected? 0 = None; 5 = Some users, but not all; 10 = All users.
  14. DISCOVERABILITY: How easy is it to discover this threat? 10: just assume it is always discoverable.
  15. DREAD example: SQL injection. Damage: 10 (DROP TableName); Reproducibility: 5 (logged-in state is needed); Exploitability: 10 (using forms); Affected users: 10 (everyone); Discoverability: 10 (always). Score: (10 + 5 + 10 + 10 + 10) / 5 = 9
  16. DREAD example: XSS attack. Damage: 5 (individual user data is affected); Reproducibility: 5; Exploitability: 10 (using forms); Affected users: 10 (everyone); Discoverability: 10 (always). Score: (5 + 5 + 10 + 10 + 10) / 5 = 8
  17. Security HTTP headers
     • Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server
     • X-Frame-Options provides clickjacking protection
     • X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers
     • Content-Security-Policy prevents a wide range of attacks, including Cross-site scripting and other cross-site injections
  18. Security HTTP headers: Use the helmet npm package; it automatically adds security headers. If you are building an express application, start the project by adding helmet.
  19. TIMING ATTACKS (animation): comparing T R A C E against T R A C E, 1st iteration
  20. TIMING ATTACKS (animation): comparing T R A C E against T R A C E, 2nd iteration
  21. TIMING ATTACKS (animation): comparing T R A C E against T R A C E, 5th iteration
  22. TIMING ATTACKS (animation): comparing T R A C E against T R I C K, 1st iteration
  23. TIMING ATTACKS (animation): comparing T R A C E against T R I C K, 2nd iteration
  24. TIMING ATTACKS (animation): comparing T R A C E against T R I C K, 3rd iteration: mismatch, no more iterations
  25. Denial of Service attacks: DoS attackers seek to make a machine or network unavailable to its intended users.
  26. Regex Denial of Service (diagram): nondeterministic finite automaton for ^(a+)+$ with states 1 to 5, run against the input "a a a a a a a a".
  27. Evil Regexes
     - Grouping with repetition (a+)+
     - Inside the repeated group:
       - Repetition (a+)+
       - Alternation with overlapping (a|aa)+
  28. Us