
node_security_pdf.pdf

Tamar Twena-Stern

October 23, 2019


Transcript

  1. Tamar Twena-Stern • Software Engineer - manager and architect • Architect @PaloAltoNetworks • Was the CTO of my own startup • Passionate about Node.js! • Twitter: @SternTwena
  2. Tamar Twena-Stern • Just finished my maternity leave • Have 3 kids • Love to play my violin • JavaScript Israel community leader
  3. Node.js Framework • Server-side platform for developing servers • Web • Mobile • Enterprise • Open source, cross platform • Enables building fast and scalable network applications
  4. What Is An Attack? • An attack is launched from one or more computers • The attack is aimed at another computer, multiple computers or a network • Two broad types: • Denial of service attacks • Attacks that obtain the target computer's data
  5. Eval Function • JavaScript function used to evaluate code • Evaluates an expression or a block of code • Returns the result of the evaluation
  6. Denial Of Service Attack • The attacker seeks to make the service unavailable to its intended users • With the eval function, the most common form is: • Inject a script that performs a CPU-intensive operation (an infinite loop is enough), so the single-threaded event loop is too busy running it to serve any other request
  7. Don’t Use Eval • Makes your application vulnerable to multiple kinds of attacks: • Injection attacks • Denial of service attacks • And more
  8. But I Did Not See A Lot Of Code With Eval In The Node.js Ecosystem …
  9. Cross Language Solutions • If you do use eval (or pass a code string to setTimeout / setImmediate, which in a browser is evaluated just like eval; Node’s timer functions accept only a function callback): • The expression must never be built from user input • Escape the expression • Apply a blacklist / whitelist approach to the expression
  10. ESLint Security Plugin • On big repositories it is hard to detect user input that flows directly into eval • The ESLint security plugin (eslint-plugin-security) comes to the rescue: its detect-eval-with-expression rule flags every eval call whose argument is not a literal
  11. What Else Does The ESLint Security Plugin Detect? • File injection - variables inside file paths • Lets an attacker read or write any file the Node process can reach (path traversal) • RegExp injection - variables inside a regex • Lets an attacker DoS your server with a long-running regular expression (ReDoS)
  12. Flooding The Server With Requests • Each server can handle only a limited number of requests • The limit depends on hardware and cluster size • When too many requests arrive, the server cannot serve any of them
  13. Defence - Rate Limiting • Rate limiting: • Recognise the request’s source IP • Block requests when too many arrive from the same IP within a specific time window • Can also help prevent brute-force password guessing – • many requests sent to a single endpoint to guess the password
  14. Rate Limit Support In Clusters - Cloud Services • Cloudflare - cloud service for rate limiting • AWS - rate limiting supported at the API Gateway layer • Rate limiting can be configured in Google Cloud Platform
  15. Preventing Password Brute Force Attacks By Username • You can limit login routes per request IP, and also per username • Limiting login routes per username is very helpful against password brute force attacks • In many attacks, keying on the IP alone is not enough – the requests can come from multiple IPs
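Slides 13 and 15 together describe one mechanism, so here is one added example (not code from the deck) that covers both: a fixed-window counter keyed by client IP for every route, and a second, tighter counter keyed by username on the login route. The limits, the header name and the Express-style req/res shape are assumptions; the counters are in-memory, which a clustered deployment would replace with a shared store.

```javascript
// Added example (not from the slides): fixed-window rate limiting keyed by IP
// and by username. In-memory only; a cluster needs a shared store (e.g. Redis).
class RateLimiter {
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;              // injectable clock, so the logic is testable
    this.buckets = new Map();    // key -> { count, resetAt }
  }

  // Returns true when the request may proceed, false when the key is over limit.
  hit(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + this.windowMs };
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Express-style middleware: keyFn extracts what we count by (IP, username, ...).
function rateLimit(limiter, keyFn) {
  return function (req, res, next) {
    const key = keyFn(req);
    if (key === undefined) return next();   // nothing to key on, let validation reject it
    if (limiter.hit(key)) return next();
    res.status(429).set('Retry-After', String(Math.ceil(limiter.windowMs / 1000)));
    res.send('Too Many Requests');
  };
}

// Per-IP limit on every route (slide 13), plus a per-username limit on /login so a
// brute force spread over many IPs is still stopped (slide 15). Limits are assumed.
const byIp = new RateLimiter({ limit: 100, windowMs: 60 * 1000 });
const byUser = new RateLimiter({ limit: 5, windowMs: 15 * 60 * 1000 });

const perIpMiddleware = rateLimit(byIp, (req) => req.ip);
const perUserMiddleware = rateLimit(byUser, (req) => req.body && req.body.username);

// Usage with Express (not executed here):
//   app.use(perIpMiddleware);
//   app.post('/login', express.json(), perUserMiddleware, loginHandler);
```

Behind a proxy or load balancer, req.ip is the proxy's address unless Express's trust proxy setting is configured, so the per-IP limiter would throttle all users as one; the per-username limiter does not have that problem, which is another reason to combine the two.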
  16. Node.js Request Input Validation • The most common use of Node.js is building a REST API with the Express library • Most developers write the REST layer using Express • Usually, input is taken from the request body or the URL query • In most cases, input is passed on to the next layer of the pipeline exactly as it was received from the user
  17. Injection Attack • Allows the attacker to supply untrusted input to a program • The input gets processed as part of the software’s execution • The input can cause damage to the software • Examples: • SQL injection • Command injection
  18. Defending Against This Attack • In Express, almost all functionality is added with middlewares • It is crucial to add a middleware that validates the input of every request arriving at the server • You can write one yourself, or use one of the known existing middlewares (such as express-validator)
  19. Other Capabilities Of Express Validator • Multiple built-in validators: • Optional parameters • Validating hex colors • Matching a URL or a constant value • Validating numbers • Provide a schema to the validator to create any rule-based validation your application requires
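What a validation middleware of the kind slides 18 and 19 describe actually does, as an added, dependency-free example (this is hand-written code, not express-validator and not from the deck): check type and shape against a schema, reject the request with 400 before it reaches the next layer, and forward only the declared fields. The field names, limits and route are assumptions.

```javascript
// Added example (not from the slides, not express-validator): a schema-driven
// validation middleware for Express-style req/res/next. Schema is an assumption.
const CHECKS = {
  string: (v, rule) =>
    typeof v === 'string'
    && (rule.min === undefined || v.length >= rule.min)
    && (rule.max === undefined || v.length <= rule.max)
    && (rule.pattern === undefined || rule.pattern.test(v)),
  integer: (v, rule) =>
    Number.isInteger(v)
    && (rule.min === undefined || v >= rule.min)
    && (rule.max === undefined || v <= rule.max),
  oneOf: (v, rule) => rule.values.includes(v),
};

// Returns { ok: true, value } holding only the declared fields,
// or { ok: false, errors } listing every failed field.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const check = CHECKS[rule.type];
    if (!check) throw new Error(`unknown rule type: ${rule.type}`); // schema bug, not user error
    const v = input[field];
    if (v === undefined) {
      if (!rule.optional) errors.push(`${field}: required`);
      continue;
    }
    if (!check(v, rule)) {
      errors.push(`${field}: invalid ${rule.type}`);
      continue;
    }
    value[field] = v;
  }
  // Undeclared fields (e.g. an injected "isAdmin") are dropped, not forwarded.
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

function validateBody(schema) {
  return function (req, res, next) {
    const result = validate(schema, req.body);
    if (!result.ok) return res.status(400).json({ errors: result.errors });
    req.body = result.value;   // downstream layers only ever see validated data
    next();
  };
}

// Assumed schema for a user-creation route.
const createUserSchema = {
  username: { type: 'string', min: 3, max: 32, pattern: /^[a-z0-9_]+$/ },
  age: { type: 'integer', min: 0, max: 150, optional: true },
  role: { type: 'oneOf', values: ['user', 'admin'] },
};

// Usage with Express (not executed here):
//   app.post('/users', express.json(), validateBody(createUserSchema), createUser);
```

The allowlist pattern on username is what stops a SQL or shell payload at the door; replacing the body with the validated copy is what stops mass-assignment of fields the route never declared.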
  20. Escape Native JavaScript Function • Native (legacy) JavaScript function • Percent-encodes special characters • Proposed here for sanitising the input you give to the DB, wrapping each parameter to protect against query injection • Also proposed for escaping HTML and JavaScript • Caveat: escape() is deprecated and is a URL-style encoder, not a SQL or HTML encoder. It does not make a concatenated query safe; the real defence is parameterised queries (the driver’s placeholder syntax), and for markup a context-specific HTML encoder.
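As an added example (not from the deck) of what context-specific escaping looks like next to the legacy escape() function: an HTML encoder for the five characters that break out of a text or attribute context, and a side-by-side showing that escape() percent-encodes instead, which neither a browser rendering HTML nor a database driver decodes. The greeting template is an assumption.

```javascript
// Added example (not from the slides): output encoding for HTML, beside the
// legacy escape() function the slide mentions.
const HTML_ESCAPES = Object.freeze({
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
});

// Encode the characters that can break out of an HTML text or quoted attribute
// context. Apply at output time, exactly where the value is interpolated.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed template: the user-controlled name lands inside an element.
function renderGreeting(name) {
  return `<p>Hello, <b>${escapeHtml(name)}</b></p>`;
}

// The legacy global escape() (deprecated) produces URL-style %XX sequences.
// "%3Cb%3E" is rendered literally by a browser and stored literally by a
// database, so it mangles data rather than neutralising it in either context.
function legacyEscape(text) {
  return escape(text);
}

// For SQL the fix is parameter binding, not encoding. Shape of a placeholder
// query with the mysql driver (not executed here):
//   connection.query('SELECT * FROM users WHERE id = ?', [userId], callback);
```

Encoding belongs at the output boundary for the specific sink (HTML body, attribute, URL, SQL), which is why one generic function cannot serve them all.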
  21. Child Process Module • Ability to spawn a child process • Gives access to operating system functionality by running system commands in a child process • Control the child process’s input stream • Listen to the child process’s output stream
  22. Defending Against This Attack • Prefer spawn or execFile, which take the program and its arguments as separate values and run it without a shell, so user input cannot become a second command (exec, and spawn with shell: true, go through the shell) • Always validate and sanitise user input • Limit the permissions of the parent and child process by running them under the appropriate identities in your system (spawn and execFile accept uid and gid options)