Cluj JSHeroes 2017 - Liran Tal on Node.js Security

3 likes•463 views

This document discusses security issues with Node.js and best practices to address them. It describes security horror stories from malicious npm packages deleting files ("rimrafall") and packages with similar names to popular ones downloading instead. Other issues covered include NoSQL injections, regular expression denial of service attacks, and insecure dependencies. The document recommends using Helmet to set secure HTTP headers, avoiding writing your own regular expressions, using libraries like validator.js for validation, and integrating Snyk to check for vulnerabilities in dependencies. The key takeaway is the importance of secure development practices like input validation, output encoding, and dependency management for Node.js applications.

Software

Node.js Security:
Breaking The Loop
Liran Tal
Engineering Manager @ Nielsen Marketing Cloud
March 2017

Cluj JSHeroes 2017 - Liran Tal on Node.js Security

The Magical 2010
Backbone.js
Underscore.js
AngularJS
Knockout.js
Node.js
npm

Node.JS is JavaScript 
JavaScript is Everywhere

By January 2015
◇ rimrafall package published to npm

rimrafall
◇ npm pre-install script
$ rm –rf /*

validator.js
◇ helps validate and sanitize strings

3,500,000 socket.io
2,000 socketio
malicious modules of similar names

seemingly innocent tutorial to learn from

Essential Node.js Security
https://leanpub.com/nodejssecurity/c/jsheroes

1. Strict-Transport-Security
2. X-Frame-Options
3. Content-Security-Policy
The Big 3

1. Strict-Transport-Security
The Big 3
Browsers enforce secure
(HTTPS) connections to the
server
Security by HTTP Headers

1. Strict-Transport-Security
The Big 3
http://www.bank.com
<a href=“https://bank.com/login">
http://www.bank.com/login
Security by HTTP Headers

1. Strict-Transport-Security
The Big 3
http://www.bank.com
https://www.bank.com
Security by HTTP Headers

2. X-Frame-Options
The Big 3
Clickjacking (User Interface redress attack,
UI redress attack, UI redressing) is a
malicious technique of tricking a Web user
into clicking on something different from
what the user perceives they are clicking on
Security by HTTP Headers

2. X-Frame-Options
The Big 3
Security by HTTP Headers

3. Content-Security-Policy
The Big 3
Whitelist Trusted Content
Security by HTTP Headers

1. Strict-Transport-Security
2. X-Frame-Options
3. Content-Security-Policy
The Big 3
Security by HTTP Headers

Putting it all
together 
with Helmet and
ExpressJS

No HTTP body in ExpressJS
it relies on bodyParser
lib

ExpressJS uses
bodyParser
library to
access HTTP
body payload

Validate Input
◇ Validate Length and Type
◇ Validate & Sanitize input to expected
type
◇ Parameters Binding
◇ Security in Depth

• ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d
d?|2[0-4]d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d|
25[0-5])$

Matching an IP address
• ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d
d?|2[0-4]d|25[0-5]).([01]?dd?|
2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d|
25[0-5])$

Let’s Match Song Titles
Can you help with the regex?

^([a-zA-Z0-9])$
• Match words and numbers

^([a-zA-Z0-9]+s?)$
• Match words and numbers
• Allow spaces in between (duh)

^([a-zA-Z0-9]+s?)+$
• Match words and numbers
• Allow spaces in between (duh)
• Repeat

ReDoS Attacks
◇ Catastrophic Backtracking
◇ Exploits greedy quantifiers
◇ Simple regex are vulnerable too: 
/^(a+)+$/

Regex DoS is a Real Problem
◇2017 - ms
◇2016 - Hawk
◇2016 - Tough Cookie
◇2016 - Moment
◇2015 - Uglify
◇2014 - Marked
◇2013 - Validator.js

University of Birmingham UK
http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf

Best Practice #1
◇ DO NOT WRITE YOUR OWN REGEX

Best Practice #2
◇ DO NOT WRITE YOUR OWN REGEX

Best Practice #3
◇Validator Node.js Module

Best Practice #4
◇ safe-regex node.js module
◇ checks regex complexity/backtracking
vulnerability

Are my dependencies
vulnerable?
ask yourself

snyk
◇ check cve db for known issues
◇ check installed node_modules dir
◇ provides patch-level fix
◇ provides interactive patch wizard

SecurityOps
Integrated Security into your 
build pipeline

1
2
3
Employ Secure HTTP headers with Helmet
Be mindful to NoSQL Injections
Summary
4 Snyk to secure Your npm
dependencies
Avoid writing your own RegEx

Thank you!
liran.tal@nielsen.com
@liran_tal
https://leanpub.com/nodejssecurity/c/jsheroes

More Related Content

PDF

Analysis of an OSS supply chain attack - How did 8 millions developers downlo...Jarrod Overson

PDF

SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research

PPTX

My Bro The ELKTripwire

PPTX

OpensslAdam Moravcik

PPTX

Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria

PDF

Tools & techniques, building a dev secops culture at mozilla sba live a...SBA Research

PDF

Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...Mail.ru Group

PPTX

Continuous Monitoring DeckBrian Fennimore

Analysis of an OSS supply chain attack - How did 8 millions developers downlo...Jarrod Overson

SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research

My Bro The ELKTripwire

OpensslAdam Moravcik

Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria

Tools & techniques, building a dev secops culture at mozilla sba live a...SBA Research

Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...Mail.ru Group

Continuous Monitoring DeckBrian Fennimore

What's hot (9)

PPTX

Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE

PPTX

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE

PPTX

Open source security tools for Kubernetes.Michael Ducy

PPTX

Moby and kubernetes entitlementsMoby Project

PDF

Securing your Rails applicationclucasKrof

PPTX

ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.

PDF

JWT: jku x5usnyff

PDF

Adaptive Defense - Understanding Cyber AttacksJermund Ottermo

PDF

Intrigue Core: Scaling Assessment AutomationJonathan Cran

Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE

Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE

Open source security tools for Kubernetes.Michael Ducy

Moby and kubernetes entitlementsMoby Project

Securing your Rails applicationclucasKrof

ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.

JWT: jku x5usnyff

Adaptive Defense - Understanding Cyber AttacksJermund Ottermo

Intrigue Core: Scaling Assessment AutomationJonathan Cran

Similar to Cluj JSHeroes 2017 - Liran Tal on Node.js Security (20)

PDF

Node.js security - JS Day Italy 2018Liran Tal

PDF

Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP Liran Tal

PDF

Node.js Security Done Right - Tips and Tricks They Won't Teach You In SchoolLiran Tal

PDF

"Black Clouds and Silver Linings in Node.js Security" Liran TalJulia Cherniak

PDF

Fosdem10wremes

PDF

Kicking off with Zend Expressive and Doctrine ORM (ConFoo YVR 2017)James Titcumb

PDF

Config Management Camp 2017 - If it moves, give it a pipelineMark Rendell

PDF

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK

PDF

Secure WordPress Development PracticesBrandon Dove

PDF

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA

PPTX

It's a Dangerous World MongoDB

PDF

Application Security around OWASP Top 10Sastry Tumuluri

PDF

Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold

PDF

Gartner Security & Risk Management Summit 2018Paula Januszkiewicz

PDF

Atelier Technique CISCO ACSS 2018African Cyber Security Summit

PDF

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia

PPTX

SSRF For Bug BountiesOWASP Nagpur

PPTX

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Designjonmccoy

PPTX

Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB

PDF

The Sysdig Secure DevOps PlatformAshnikbiz

Node.js security - JS Day Italy 2018Liran Tal

Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP Liran Tal

Node.js Security Done Right - Tips and Tricks They Won't Teach You In SchoolLiran Tal

"Black Clouds and Silver Linings in Node.js Security" Liran TalJulia Cherniak

Fosdem10wremes

Kicking off with Zend Expressive and Doctrine ORM (ConFoo YVR 2017)James Titcumb

Config Management Camp 2017 - If it moves, give it a pipelineMark Rendell

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK

Secure WordPress Development PracticesBrandon Dove

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA

It's a Dangerous World MongoDB

Application Security around OWASP Top 10Sastry Tumuluri

Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold

Gartner Security & Risk Management Summit 2018Paula Januszkiewicz

Atelier Technique CISCO ACSS 2018African Cyber Security Summit

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia

SSRF For Bug BountiesOWASP Nagpur

Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Designjonmccoy

Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB

The Sysdig Secure DevOps PlatformAshnikbiz

Recently uploaded (20)

PDF

Immersive experiences: what Pharo users do!ESUG

PDF

Exploring AI Agents in Process Industriesamoreira6

PPTX

AI-Ready Handoff: Auto-Summaries & Draft Emails from MQL to Slack in One Flowbbedford2

PDF

49785682629390197565_LRN3014_Migrating_the_Beast.pdfAbilash868456

PDF

Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025imang66g

PDF

Generating Union types w/ Static AnalysisK. Matthew Dupree

PDF

advancepresentationskillshdhdhhdhdhdhhfhfjasmenrojas249

PDF

Summary Of Odoo 18.1 to 18.4 : The Way For Odoo 19CandidRoot Solutions Private Limited

PDF

Salesforce Implementation Services Provider.pdfVALiNTRY360

PDF

WatchTraderHub - Watch Dealer software with inventory management and multi-ch...WatchDealer Pavel

PDF

49784907924775488180_LRN2959_Data_Pump_23ai.pdfAbilash868456

PDF

New Download FL Studio Crack Full Version [Latest 2025]imang66g

PDF

lesson-2-rules-of-netiquette.pdf.bshhsjdjjasmenrojas249

PDF

Balancing Resource Capacity and Workloads with OnePlan – Avoid Overloading Te...OnePlan Solutions

PDF

Bandai Playdia The Book - David GlotzBluePanther6

PPTX

Presentation about variables and constant.pptxsafalsingh810

DOCX

Can You Build Dashboards Using Open Source Visualization Tool.docxVarsha Nayak

PDF

Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...Q-Advise

PPTX

GALILEO CRS SYSTEM | GALILEO TRAVEL SOFTWAREphilipnathen82

PDF

10 posting ideas for community engagement with AI promptsPankaj Taneja

Immersive experiences: what Pharo users do!ESUG

Exploring AI Agents in Process Industriesamoreira6

AI-Ready Handoff: Auto-Summaries & Draft Emails from MQL to Slack in One Flowbbedford2

49785682629390197565_LRN3014_Migrating_the_Beast.pdfAbilash868456

Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025imang66g

Generating Union types w/ Static AnalysisK. Matthew Dupree

advancepresentationskillshdhdhhdhdhdhhfhfjasmenrojas249

Summary Of Odoo 18.1 to 18.4 : The Way For Odoo 19CandidRoot Solutions Private Limited

Salesforce Implementation Services Provider.pdfVALiNTRY360

WatchTraderHub - Watch Dealer software with inventory management and multi-ch...WatchDealer Pavel

49784907924775488180_LRN2959_Data_Pump_23ai.pdfAbilash868456

New Download FL Studio Crack Full Version [Latest 2025]imang66g

lesson-2-rules-of-netiquette.pdf.bshhsjdjjasmenrojas249

Balancing Resource Capacity and Workloads with OnePlan – Avoid Overloading Te...OnePlan Solutions

Bandai Playdia The Book - David GlotzBluePanther6

Presentation about variables and constant.pptxsafalsingh810

Can You Build Dashboards Using Open Source Visualization Tool.docxVarsha Nayak

Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...Q-Advise

GALILEO CRS SYSTEM | GALILEO TRAVEL SOFTWAREphilipnathen82

10 posting ideas for community engagement with AI promptsPankaj Taneja

Cluj JSHeroes 2017 - Liran Tal on Node.js Security

1. Node.js Security: Breaking The Loop Liran Tal Engineering Manager @ Nielsen Marketing Cloud March 2017

6. The Magical 2010

7. The Magical 2010 Backbone.js Underscore.js AngularJS Knockout.js Node.js npm

9. Node.JS is JavaScript  JavaScript is Everywhere

10. Security Horror Stories  in Node.JS

11. Fail #1

12. By January 2015 ◇ rimrafall package published to npm

13. rimrafall ◇ npm pre-install script $ rm –rf /*

15. Fail #2

16. validator.js ◇ helps validate and sanitize strings

18. $ npm install validator.js --save

19. validator.js  !=  validator

20. malicious modules of similar names

21. 3,500,000 socket.io 2,000 socketio malicious modules of similar names

22. Fail #3

24. seemingly innocent tutorial to learn from

29. Node.js  Security Mindset

30. Essential Node.js Security https://leanpub.com/nodejssecurity/c/jsheroes

31. Security by HTTP Headers1

32. The Big 3

33. The Big 3

34. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3

35. 1. Strict-Transport-Security The Big 3 Browsers enforce secure (HTTPS) connections to the server Security by HTTP Headers

36. 1. Strict-Transport-Security The Big 3 http://www.bank.com <a href=“https://bank.com/login"> http://www.bank.com/login Security by HTTP Headers

37. 1. Strict-Transport-Security The Big 3 http://www.bank.com https://www.bank.com Security by HTTP Headers

38. 2. X-Frame-Options The Big 3 Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on Security by HTTP Headers

39. 2. X-Frame-Options The Big 3 Security by HTTP Headers

40. 2. X-Frame-Options The Big 3 Security by HTTP Headers

41. 3. Content-Security-Policy The Big 3 Whitelist Trusted Content Security by HTTP Headers

42. 3. Content-Security-Policy The Big 3 Whitelist Trusted Content Security by HTTP Headers

43. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3 Security by HTTP Headers

44. 1. Strict-Transport-Security 2. X-Frame-Options 3. Content-Security-Policy The Big 3 Security by HTTP Headers

45. Helmet Securing ExpressJS

46. Putting it all together  with Helmet and ExpressJS

47. 2 noSQL Injections

50. What is going on here?

51. No HTTP body in ExpressJS it relies on bodyParser lib

52. ExpressJS uses bodyParser library to access HTTP body payload

53. ExpressJS uses bodyParser library to access HTTP body payload

56. Validate Input ◇ Validate Length and Type ◇ Validate & Sanitize input to expected type ◇ Parameters Binding ◇ Security in Depth

58. ReDoS 3 Regular Expressions DoS

59. Regular Expressions

60. • ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d d?|2[0-4]d|25[0-5]).([01]?dd?| 2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d| 25[0-5])$

61. Matching an IP address • ^([01]?dd?|2[0-4]d|25[0-5]).([01]?d d?|2[0-4]d|25[0-5]).([01]?dd?| 2[0-4]d|25[0-5]).([01]?dd?|2[0-4]d| 25[0-5])$

62. Let’s Match Song Titles Can you help with the regex?

63. ^([a-zA-Z0-9])$ • Match words and numbers

64. ^([a-zA-Z0-9]+s?)$ • Match words and numbers • Allow spaces in between (duh)

65. ^([a-zA-Z0-9]+s?)+$ • Match words and numbers • Allow spaces in between (duh) • Repeat

67. ReDoS Attacks ◇ Catastrophic Backtracking ◇ Exploits greedy quantifiers ◇ Simple regex are vulnerable too:  /^(a+)+$/

68. Regex DoS is a Real Problem ◇2017 - ms ◇2016 - Hawk ◇2016 - Tough Cookie ◇2016 - Moment ◇2015 - Uglify ◇2014 - Marked ◇2013 - Validator.js

69. Regex Best Practices?

70. University of Birmingham UK http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf

71. Best Practice #1 ◇ DO NOT WRITE YOUR OWN REGEX

72. Best Practice #2 ◇ DO NOT WRITE YOUR OWN REGEX

73. Best Practice #3 ◇Validator Node.js Module

75. Best Practice #4 ◇ safe-regex node.js module ◇ checks regex complexity/backtracking vulnerability

77. Secure Dependencies Management 4

79. Are my dependencies vulnerable? ask yourself

80. Secure Dependencies Management Snyk

82. snyk ◇ check cve db for known issues ◇ check installed node_modules dir ◇ provides patch-level fix ◇ provides interactive patch wizard

83. SecurityOps Integrated Security into your  build pipeline

84. 1 2 3 Employ Secure HTTP headers with Helmet Be mindful to NoSQL Injections Summary 4 Snyk to secure Your npm dependencies Avoid writing your own RegEx

85. Thank you! [email protected] @liran_tal https://leanpub.com/nodejssecurity/c/jsheroes