Node.js Express Framework Security Concerns

I am looking for modules that should be added to a Node / Express application to address the common security issues listed below:

  • Injection vulnerabilities (JavaScript, SQL, Mongo, HTML)
  • Session fixation and hijacking
  • Cross-site vulnerabilities (scripting, request forgery)
  • Mass assignment
  • Paste relevant concern here.

Thanks for your help!

----------

Some resources I found:

Great talk (11/2012): http://lanyrd.com/2012/asfws/sxzbm/ (see slides)

ServerFault Question (2011-2012): https://serverfault.com/questions/285123/is-node-js-mature-for-enterprise-security

Related blog post (9/2012): http://codefol.io/posts/29-Why-Rails-and-not-Sinatra-or-Node-js-

Exploit tester: https://code.google.com/p/skipfish/

Passport module: https://github.com/jaredhanson/passport

EveryAuth Module: https://github.com/bnoguchi/everyauth

+56
security express
Jan 30 '13 at 19:30
4 answers

I wrote a blog post, Writing Secure Express.js Applications, that provides an excellent starting point. It covers several other things besides csrf and helmet, as mentioned by zeMirco.

Another thing: you cannot compare Express.js with Rails. They are apples and oranges. For example, no ORM comes with Express; implementing one or using a third-party module is up to you.

I will try to give you a breakdown of each of your concerns.

- Injection Vulnerabilities (JavaScript, SQL, Mongo, HTML)

Again, these are things not built into Express. The closest thing is XSS, i.e. taking care of injection into templates. Jade or EJS templates, which are commonly used with Express, escape the characters > and " by default, but remember that there are other contexts, such as user input in JavaScript or CSS, that you will need to worry about.

- Session Fixation and Hijacking

Again, see the blog post above, but Express is built on connect, and one of connect's middlewares is the session middleware. The most important thing here is to set the cookie flags correctly.

- Cross-Site Vulnerabilities (Scripting, Request Forgery)

See above. Express also comes with the express.csrf() middleware. The blog post mentioned above shows how to implement it.

- Mass Assignment

Not a problem with Express.js itself, because it has no concept to which this type of vulnerability applies. However, the custom logic you write may well be vulnerable to it, so again it is a matter of checking whether your own code is vulnerable, or, if you are using a third-party module, ...

+45
Jan 31 '13 at 3:11

Two modules that I can immediately think of:

  • csrf : middleware for CSRF protection.
  • helmet : middleware implementing various security headers.
+9
Jan 30 '13 at 19:47
+7
Sep 06 '13 at

You should know that if you specify a catch-all error handler, you should not restart the server or do anything blocking in that handler in response to USER errors (the 4xx range), as this could lead to a DoS vulnerability. This vulnerability is automatically addressed in express-error-handler, and the service is shut down as soon as possible (when active connections have drained or a timeout occurs), so restarting should not matter much. Implementing this behavior has made a big difference in my exploit tests.

BTW, it is NOT safe to simply ignore all unhandled errors. This leaves your application in an undefined state, which is simply a different kind of DoS vulnerability.

+1
Oct 21 '13 at 9:21
