Hacking NodeJS applications for fun and profit
Formal metadata
Number of parts | 561
License | CC Attribution 2.0 Belgium: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/44312 (DOI)
Transcript: English (auto-generated)
00:08
Shh, you can talk. Okay, good morning, thank you for coming. Well, my name is Fernando Ortega, I'm from Spain. And in this talk, I'm trying to explain what are the main tools,
00:21
the main best practices that we have in Node applications for testing the security of Node applications, and what are the main vulnerabilities that we can find in Node, explaining the main techniques and attacks that attackers use for hacking this kind of application.
00:50
This is the agenda. I will bring an introduction to the security of the platform. Later I will comment on the main security packages available in the npm repository.
01:02
I will comment also on a project for starting or learning about this kind of project. This is called the NodeGoat project. And finally, other tools related with Node.js for testing the applications.
01:25
Node, basically, is a multipurpose runtime environment that allows the creation of highly scalable applications. In the last years, it has reached a great popularity thanks to what is known as the MEAN stack.
01:41
That is the combination of MongoDB, Express, which is the most common framework when you are developing with Node.js, Angular, and Node.js. In this talk, I will focus mainly on the Express framework because it's more or less the standard that all developers use.
02:04
But there are other solutions, like Koa, and other solutions that we can find for developing these kinds of applications. From the security point of view,
02:22
it's important, first of all, to use the last stable version of Node.js and Express, and it's important also to know the vulnerabilities published for them. On the expressjs.com site,
02:40
we can find what the security updates in this platform are. For example, on this page, we can find the list of Express vulnerabilities that have been fixed in a specific version.
03:02
We can see, for example, in this repository, the latest vulnerabilities discovered for specific versions of a package, and the level of criticality. Basically, each package can expose a critical vulnerability in your application.
03:27
When you install this package in your application, your application can be exposed to the vulnerability that you can find in this kind of package.
03:40
Later, I will comment on what the main attacks are: basically, attacks like cross-site scripting, denial of service, cross-site request forgery. Later I will comment on these attacks in depth. For example, it's very common to find news related with new vulnerabilities that have been discovered.
04:02
For example, this one is related with denial of service with large HTTP headers. This vulnerability affects a whole range of Node.js versions; by using a combination of many requests with maximum-size headers,
04:22
it's possible to cause the HTTP server to abort from a heap allocation failure. These are the main security-level modules that we can use, for example, for establishing minimal security,
04:41
for example, for establishing security headers, sending cookies in a secure way, and minimizing attacks of type cross-site scripting, and so on.
05:01
In this talk, I will focus mainly on the helmet module. Also, I will review others related with encryption and securing communication with SSL. Well, for securing,
05:23
there are some security-related HTTP headers that you should set. These headers are Strict-Transport-Security, a header that enforces secure connections to a server using HTTPS, that is, HTTP over SSL,
05:43
X-Frame-Options, which provides clickjacking protection, and others related with protecting against this kind of attack, cross-site scripting, and so on. And there are others that prevent, for example,
06:05
attacks or other kinds of attacks that are more advanced. These are the main modules that we can find in the npm repository. In Node.js, it's easy to set these headers
06:21
that we have seen before using the helmet module. The helmet module can help you protect your app from some vulnerabilities by setting the HTTP headers in a secure way. Basically, import this module, and on the main object,
06:45
the app object, use the methods that helmet provides.
07:01
Basically, helmet is a collection of middleware functions that set HTTP response headers, each one for a specific attack vector. For each attack vector, we have a method and a header for protecting against this type of attack.
07:24
Among the headers that helmet provides, we can highlight, for example, hidePoweredBy. Basically, this removes the X-Powered-By header in the browser.
07:41
Later we will see an example. The other is HSTS, which prevents man-in-the-middle attacks with forged certificates, and others related with preventing, for example, your website from being viewed over HTTP
08:01
and avoiding, for example, classical attacks related with SSL stripping. For example, if we want to prevent cross-site scripting attacks and data injection attacks on our site, we can use the Content-Security-Policy header
08:23
in this way. We can use helmet's CSP middleware and establish the policy of our site. If you want to check whether headers are set
08:44
in a secure way in your application, we can use, for example, these online checkers if you quickly want to check whether your site has all the necessary headers set in a secure way. This is the first step when we are testing
09:04
this kind of topic; we can use this service for doing this task. The Express framework, by default,
09:21
adds the X-Powered-By: Express header, which tells potential attackers what framework you are using and therefore how to exploit it based on publicly known vulnerabilities. For example, searching in Shodan, we can see information about servers
09:42
that contain a specific version of Node. We can see in this header the version that the server is using. Attackers can use this header to detect apps running Express and then launch specifically targeted attacks.
10:06
To disable this header, we have two alternatives: disable it manually, or use the helmet module that already does it for you. At this point, we can use app.disable
10:21
for disabling this feature. This basically avoids framework fingerprinting by an attacker. And also, we can use an anti-fingerprinting technique that allows us to hide that it's an Express application.
10:43
For example, we can indicate another language, like PHP, in the header, to avoid an attacker knowing the version of our application.
11:06
In Node.js, you can easily manage cookies in a secure way as well. For example, using the cookie-session package, we can use specific attributes,
11:21
specific properties, that allow securing your cookies and prevent an attacker from reading the cookies of your application. For example, the HttpOnly attribute is used to help prevent attacks
11:42
such as cross-site scripting, since it doesn't allow the cookie to be accessed via JavaScript. The other attributes, like domain and path, basically define the domain and path
12:02
that are used for the application, that is, which domain is allowed to read the cookies of the application. By default, cookies can be read by JavaScript
12:21
on the same domain, and this can be dangerous in case of a cross-site scripting attack, since any third-party JavaScript library can read them with document.cookie, for example. To prevent this behavior, you can set the flag that we have seen before,
12:42
HttpOnly, on cookies, which will make your cookies unreadable for JavaScript, and also you can use the secure flag for ensuring cookies can only be sent over HTTPS.
13:03
Now, some attacks are very common for attackers for injecting code in an application. For example, a cross-site scripting attack occurs when an attacker injects executable code
13:22
into an HTTP response, and when an application is vulnerable to this kind of attack, it will send back unvalidated input to the client. There are also other attacks, for example, cross-site request forgery.
13:43
They are similar; the main difference between cross-site scripting and cross-site request forgery is that in cross-site request forgery, you need an authenticated session
14:01
for applying the attack, while cross-site scripting doesn't need an authenticated session, and can be exploited when the vulnerable website doesn't do the basics of validating or escaping input.
14:25
Cross-site request forgery is an attack which forces an end user to execute unwanted actions on a web application in which the user is currently authenticated, and it can happen because cookies are sent
14:43
with every request to our website. How can we mitigate this kind of vulnerability in Node? In Node, for example, we can mitigate this kind of vulnerability with the csurf module. This is basically an Express middleware
15:02
for CSRF protection, and when a request is being served, you can check whether the client sent a CSRF token when the user is making the request.
15:27
One of the ways to implement the validation, for example, is to use a custom middleware to pass the CSRF token to all the templates using response.locals, for example.
15:44
And on the view layer, in the HTML code, you have to use this token in a hidden input
16:00
and define this token in this way. And when a user input is shown, make sure to add a hidden input with the CSRF token value. To prevent this kind of attack,
16:20
it's also important to send the most critical data through POST, so that the data is sent in the body of the request instead of the URL. And for doing this kind of thing,
16:49
you have to be aware of this. For fixing, for example, cross-site scripting vulnerabilities
17:00
in Node.js applications, we can use some modules, like sanitizer and express-validator. Also, we can use, for example, regular expressions. Regular expressions are very common for validating the user input, but these modules help us abstract
17:21
the user input validation. Now, we will see an example. For example, we can use express-validator to filter and sanitize the user input to protect against cross-site scripting and command injection attacks. The objective is to filter all those entries
17:44
that can result in an attack, filtering the HTML and JavaScript code that can cause this attack. This is a useful module for validating the user input and, in general,
18:05
filtering the input of the user and avoiding that an attacker can use special characters for compromising the application.
18:25
express-validator also provides additional request handlers. For example, we can use request.assert and request.validationErrors for validating required fields.
18:40
For example, we need to check an email. In our application, we can use the isEmail method for email validation without worrying about using regular expressions or something else. In an easy way, we can validate
19:01
our application form and send that information in a secure way to the server. If we are, for example, storing passwords in a database, this is one of the modules. There are others, but I recommend this one
19:21
because I think it is a good point to start. The module is called bcrypt. Basically, we have functions. This module provides functions to generate the hash that is stored later for the password, and another function that allows verifying
19:42
that the password that the user re-enters matches the hash generated with that password. The idea with this module is to store the hash
20:01
in a database and then retrieve it to compare it with the password that the user introduced. To manage the storage of passwords, we can do it by first generating the salt that will be applied to the password to obtain the hash.
20:22
To compare the password when the user starts a session, the password entered by the user is converted into the hash and compared with the stored hash. All these attacks and vulnerabilities can be tested, for example, in a controlled environment.
20:41
This is called the NodeGoat application. It's a deployable website created by OWASP to teach and practice how to identify all these risks in Node applications. This application is deployed at nodegoat.herokuapp.com
21:06
and you can find a tutorial for learning these kinds of attacks. You can practice with injection, cross-site scripting, and others related with access controls,
21:22
sensitive data, and so on. For example, this application uses the eval function, which is very common to use for parsing data in JavaScript. If you use eval in your application, you are exposed to an attacker injecting code
21:45
when you are in that function. And eval is a vulnerable function if you don't use it in a secure way.
22:00
For example, if an attacker were able to manipulate the response of a service, it could inject arbitrary code by calling eval, which could execute the code in the context of the victim's browser. We could, for example, perform a denial-of-service attack
22:21
by simply sending commands like process.exit or process.kill to the eval function. And what this does is shut down the server. And there are other types of attacks that could even get a list of files
22:41
from the server if we don't validate the input of the user. And finally, well, I'm going to comment on other tools that are available in the Node.js ecosystem.
23:03
We have, for example, Kraken.js. Basically, this provides some structure to Express applications related with security and communication. This is an example of using this module in the same way that we have seen before
23:22
with the helmet module. This module provides the same functionality. Another interesting tool for testing is a static analysis tool that can detect security problems
23:40
in your applications. NodeJsScan basically is a Python script that returns a report with everything it has found that can cause security problems in your application. Well, it's open source; you can find it in a GitHub repository. Well, it's a good tool
24:01
for introducing this kind of... for testing the security of your Node applications. And that's all. These are the repositories and all the resources and references. Thank you.
24:23
Thank you very much. So we don't have time for questions, but will you be outside the room? So if you have questions, please do go out of the room. If you are going out for any kind of reason, pick up your trash, pick up the plastic bottles.