Hacking Node.js web services

Hacking Node.js web services

shodan. “X-Powered-By: Express”

shodan + exploitsearch

whoami

sysadmin, VoIP dev, pentester ...

@jesusprubio

Emergent Solutions Team
(Backend Developer)

a1 - injection

http://nodegoat.herokuapp.com/tutorial/a1

Server side JS

SQL

NoSQL

db.users.findOne({“userName”: “admin”, “password”: { “$gt”: “” } } )

rules

Use mature stuff

About rolling your own crypto, session management ...

Cleanup

a2 - broken auth

http://nodegoat.herokuapp.com/tutorial/a2

Session Management: encrypt user credentials in DB, secure cookies, sessions timeout ...

Password Guessing Attack: username/passwords enumeration, password complexity, length ...

ZAP. creds brute-force

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

ZAP. creds brute-force

a3 - XSS. reflected

Ref: http://apprize.info/linux/penetration/7.html

http://nodegoat.herokuapp.com/tutorial/a3

XSS. persistent

XSS. DOM based

a4 - insecure DOR

http://nodegoat.herokuapp.com/tutorial/a4

a5 - security misconfig

http://nodegoat.herokuapp.com/tutorial/a5

https://github.com/helmetjs/helmet

a6 - sensitive data

http://nodegoat.herokuapp.com/tutorial/a6

a7 - access controls

http://nodegoat.herokuapp.com/tutorial/a7

Ref: https://www.youtube.com/watch?v=XfaRbV9WZ5o

a8 - CSRF

http://nodegoat.herokuapp.com/tutorial/a8

Ref: http://blog.evidaliahost.com/2015/09/16/cross-site-request-forgery-csrf

CSRF. solution

Ref: https://devnet.kentico.com/articles/protection-against-cross-site-request-forgery-(csrf-xsrf)

a9 - insecure components. vulns

http://nodegoat.herokuapp.com/tutorial/a9

insecure components. nsp client

insecure components. malware

insecure components. real case

https://github.com/Gattermeier/nodejs-virus

https://github.com/contolini/pizza-party

a10 - unvalidated redirects

http://nodegoat.herokuapp.com/tutorial/a10

more ZAP. auto-scan

My 2 cts. checklist

:) ¿?

Hacking Node.js web services

Made with Slides.com BESbswyBESbswyBESbswyBESbswy