hacking nodejs applications for fun and profit
play

Hacking NodeJS applications for fun and profit Testing NodeJS - PowerPoint PPT Presentation

May 13, 2023 •316 likes •762 views

Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac Agenda Introduction nodejS security Npm security packages Node Goat project Tools Node JS JavaScript in the backend Built on

  1. Hacking NodeJS applications for fun and profit Testing NodeJS Security by @jmortegac

  2. Agenda ▪ Introduction nodejS security ▪ Npm security packages ▪ Node Goat project ▪ Tools

  3. Node JS ▪ JavaScript in the backend ▪ Built on Chrome´s Javascript runtime(V8) ▪ NodeJs is based on event loop ▪ Designed to be asynchronous ▪ Single Thread ▪ Node.js is resilient to flooding attacks since there’s no limit on the number of concurrent requests.

  4. Security https://expressjs.com/en/advance d/security-updates.html updates

  5. Package https://www.npmjs.com/advisories vulnerabilities

  6. ▪ Helmet Npm ▪ express-session security ▪ cookie-session packages ▪ csurf ▪ express-validator ▪ bcrypt-node ▪ express-enforces-ssl

  7. Security HTTP Headers ▪ Strict-Transport-Security ▪ X-Frame-Options ▪ X-XSS-Protection ▪ X-Content-Type-Options ▪ Content-Security-Policy

  8. ▪ https://www.npmjs.com/package Helmet module /helmet

  9. ▪ https://github.com/helmetjs/helmet Helmet module

  10. ▪ hidePoweredBy Helmet module ▪ Hpkp → protection MITM ▪ Hsts → forces https connections ▪ noCache → desactive client cache ▪ Frameguard → protection clickjacking ▪ xssFilter → protection XSS

  11. Helmet CSP

  12. ▪ http://cyh.herokuapp.com/cyh Check headers ▪ https://securityheaders.io/ security

  13. Express ▪ https://www.shodan.io/ search?query=express versions

  14. Disable x-powered-by

  15. Disable ▪ Avoid framework x-powered-by fingerprinting

  16. Disable ▪ Use Helmet and use “hide-powered-by” plugin x-powered-by

  17. ▪ https://www.npmjs.com/pack Sessions age/cookie-session management ▪ secure ▪ httpOnly ▪ domain ▪ path ▪ expires

  18. httpOnly & secure:true

  19. XSS attacks ▪ An attacker can exploit XSS vulnerability to: ▪ Steal session cookies/Sesion hijacking ▪ Redirect user to malicious sites ▪ Defacing and content manipulation ▪ Cross Site Request forgery

  20. CSRF attacks

  21. https://www.npmjs.com/package/csurf

  22. app.use(function (request, response, next) { CSRF response.locals.csrftoken = request.csrfToken(); next(); }); <form action="/process" method=" POST "> <input type="hidden" name="_csrf" value="{{csrfToken}}"> <button type="submit">Submit</button> </form>

  23. CSRF

  24. Filter/sanitize user input ▪ Fixing XSS attacks ▪ https://www.npmjs.com/package/sanitizer ▪ Module express-validator ▪ https://www.npmjs.com/package/express-validator

  25. Express Validator

  27. ▪ https://github.com/kelektiv/node.bcrypt.js Bcrypt-node

  30. ▪ http://nodegoat.herokuapp.com Node Goat /tutorial

  31. ▪ https://github.com/OWASP/Node Node Goat Goat

  32. res.end(require('fs').read EVAL() dirSync('.').toString()) ATTACKS

  33. Insecure Direct ▪ Use session instead of Object request param References ▪ var userId = req.session.userId;

  34. Tools ▪ KrakenJS ▪ Lusca middleware ▪ NodeJsScan

  35. http://krakenjs.com/

  36. https://github.com/krakenjs/lusca

  37. ▪ https://github.com/ajinabra NodeJsScan ham/NodeJsScan

  38. https://github.com/jmorteg NodeJsScan a/NodeJsScan/blob/maste r/rules.xml

  39. NodeJsScan

  40. GitHub repositories ▪ https://github.com/jmortega/testing_nodejs_security ▪ https://github.com/cr0hn/vulnerable-node ▪ https://github.com/rdegges/svcc-auth ▪ https://github.com/strongloop/loopback-getting-start ed-intermediate ▪ https://github.com/Feeld/strong-node

  41. Node security ▪ https://www.udemy.com/nodejs-security- pentesting-and-exploitation/ learning

  42. Books

  43. References ▪ https://blog.risingstack.com/node-js-security-checklist/ ▪ https://blog.risingstack.com/node-js-security-tips/ ▪ https://www.npmjs.com/package/helmet ▪ https://expressjs.com/en/advanced/best-practice-security.html https://expressjs.com/en/advanced/security-updates.html ▪ http://nodegoat.herokuapp.com/tutorial ▪ https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goa ▪ t_Project

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here:

Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here:

Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here: https://nodejs.org/en/download/ NPM tutorial: https://docs.npmjs.com/about-npm/ NodeJS Documentation: https://nodejs.org/docs/latest-v9.x/api/ Terminal Example setup

120 views • 8 slides
Web Hacking 101: Burping for fun and maybe some profit Magno (Logan) Rodrigues magnologan at

Web Hacking 101: Burping for fun and maybe some profit Magno (Logan) Rodrigues magnologan at

Web Hacking 101: Burping for fun and maybe some profit Magno (Logan) Rodrigues magnologan at gmail dot com WHO AM I? ARE YOU SURE YOU WANNA KNOW? - Parker, Peter (Spider Man 2002) InfoSec/AppSec Specialist / CompTIA Instructor Focusing

702 views • 44 slides
T8: NodeJS CPSC 513 Dr. P. Federl University of Calgary Arshia Hosseini T01/T02 What is

T8: NodeJS CPSC 513 Dr. P. Federl University of Calgary Arshia Hosseini T01/T02 What is

T8: NodeJS CPSC 513 Dr. P. Federl University of Calgary Arshia Hosseini T01/T02 What is NodeJS Open source JavaScript framework Event-driven Cross-platform Server-side 2 Installing and Running Node

690 views • 15 slides
Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source

Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source

Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source Project Rod Whitby &lt;rod@whitby.id.au&gt; NSLU2-Linux Project Lead Hacking Consumer Devices for Fun and Profit 5. Official Kernel Support 1.

285 views • 26 slides
Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Intro Hardware Security Platform Security Hacking Q&amp;A Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at Hamburg &amp; Dublin City University 2010-12-16 1 / 54 Intro Hardware Security

974 views • 79 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
MOVING AWAY FROM NODEJS TO A PURE PYTHON SOLUTION FOR ASSETS Alessandro Molina @__amol__

MOVING AWAY FROM NODEJS TO A PURE PYTHON SOLUTION FOR ASSETS Alessandro Molina @__amol__

MOVING AWAY FROM NODEJS TO A PURE PYTHON SOLUTION FOR ASSETS Alessandro Molina @__amol__ amol@turbogears.org Why? NodeJS has a rich toolkit, but using it has some serious drawbacks. People really dont know there are very good or

410 views • 24 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Hacking Your Own Virtual and Augmented Hacking Your Own Virtual and Augmented Reality Apps for

Hacking Your Own Virtual and Augmented Hacking Your Own Virtual and Augmented Reality Apps for

Hacking Your Own Virtual and Augmented Hacking Your Own Virtual and Augmented Reality Apps for Fun and Profit! Reality Apps for Fun and Profit! Tutorial Presentation Tutorial Presentation Linux Conf Au - Adelaide, SA Linux Conf Au - Adelaide,

621 views • 61 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Welcome to my rump :) Introduction : why am I here ? Psychology student interested in hacking

Welcome to my rump :) Introduction : why am I here ? Psychology student interested in hacking

Welcome to my rump :) Introduction : why am I here ? Psychology student interested in hacking Applications : social engineering, but also politics, marketing, religious sects, etc. Introduce you to manipulation techniques 1. Same

451 views • 7 slides
Deep Reinforcement Learning Applications + Hacking Arjun Chandra Research Scientist Telenor

Deep Reinforcement Learning Applications + Hacking Arjun Chandra Research Scientist Telenor

Deep Reinforcement Learning Applications + Hacking Arjun Chandra Research Scientist Telenor Research / Telenor-NTNU AI Lab arjun.chandra@telenor.com @boelger 21 November 2017 https://join.slack.com/t/deep-rl-tutorial/signup The Plan Few

258 views • 24 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Who am I? Nathaniel T. Schutta Hacking Your Brain For http://www.ntschutta.com/jat/

Who am I? Nathaniel T. Schutta Hacking Your Brain For http://www.ntschutta.com/jat/

Who am I? Nathaniel T. Schutta Hacking Your Brain For http://www.ntschutta.com/jat/ @ntschutta Fun and Profit Foundations of Ajax &amp; Pro Ajax and Java Nathaniel T. Schutta Frameworks UI guy Author, speaker, teacher

844 views • 58 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Express-Node Back-end Building a simple back-end application with Express, Node, and MongoDB

Express-Node Back-end Building a simple back-end application with Express, Node, and MongoDB

Express-Node Back-end Building a simple back-end application with Express, Node, and MongoDB Need for back-end Back-end will connect to a DB, get some results, and do some processing with those results Back-end will save data to the DB

360 views • 17 slides
1 Agenda Quick'Intro' Node.js:'The'Beginning' What'Is'Node.js? Why'Use'Node.js?

1 Agenda Quick'Intro' Node.js:'The'Beginning' What'Is'Node.js? Why'Use'Node.js?

1 Agenda Quick'Intro' Node.js:'The'Beginning' What'Is'Node.js? Why'Use'Node.js? Installing'Node.js 2 Node.js is a platform for building applications What%makes%Node.js%so%special?

808 views • 33 slides
Liz Keogh @lunivore http://lizkeogh.com @lunivore @lunivore Forbes: Top 10 qualities that

Liz Keogh @lunivore http://lizkeogh.com @lunivore @lunivore Forbes: Top 10 qualities that

Liz Keogh @lunivore http://lizkeogh.com @lunivore @lunivore Forbes: Top 10 qualities that make a great leader Honesty Positive Attitude Delegate Creativity Communication Intuition Confidence Inspire Commitment Approach Roger Trapp

587 views • 57 slides
E. Janet Warren Alice: Theres no use trying, one cant believe impossible things. The

E. Janet Warren Alice: Theres no use trying, one cant believe impossible things. The

E. Janet Warren Alice: Theres no use trying, one cant believe impossible things. The Queen: I daresay you havent had much practice. When I was your age, I always did it for half-an-hour a day. Why sometimes Ive believe as

670 views • 44 slides
Graph Neural Networks Prof. Srijan Kumar http://cc.gatech.edu/~srijan 1 Srijan Kumar, Georgia

Graph Neural Networks Prof. Srijan Kumar http://cc.gatech.edu/~srijan 1 Srijan Kumar, Georgia

CSE 6240: Web Search and Text Mining. Spring 2020 Graph Neural Networks Prof. Srijan Kumar http://cc.gatech.edu/~srijan 1 Srijan Kumar, Georgia Tech, CSE6240 Spring 2020: Web Search and Text Mining Todays Lecture Introduction to deep

653 views • 39 slides
Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1 mmer Scalable Server-Side Code with JavaScript Who is Tom? Wrote W3C Standards 10+ years in the web industry Node Worked on projects

705 views • 58 slides
Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan

Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan

Adversarial Attacks on Node Embeddings via Graph Poisoning Aleksandar Bojchevski, Stephan Gnnemann Technical University of Munich ICML 2019 Node embeddings are used to Classify scientific papers Recommend items Classify proteins

336 views • 21 slides
Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or:

Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or:

Dev Lab: Node + Express What is Node? Node.js = JavaScript + File I/O + A Package Manager or: Node.js = JavaScript - A Web Browser Whats it like? Single-threaded Asynchronous &amp; non-blocking Great for real-time applications

493 views • 24 slides

More recommend