
Securing Node Applications

Book Description

Security incidents are indeed on the rise, but according to one authoritative analysis, 85% of all successful exploits focus on the top ten security vulnerabilities. In this report, author Chetan Karande—an active member of the Open Web Application Security Project (OWASP)—covers the latest OWASP Top 10 security risks as they affect Node.js web applications.

This report acts as a quick reference guide to help Node developers secure their applications against these top ten threats. Karande devotes a chapter to each risk, covering both how the attack works and the specific measures that guard against it. With these guidelines, you’ll be able to bake in security during design, development, code reviews, and testing.

Table of Contents

  1. Preface
    1. How This Book Is Organized
    2. Conventions Used in This Book
    3. Using Code Examples
    4. O’Reilly Safari
    5. How to Contact Us
    6. Acknowledgments
  2. 1. Injection Attacks
    1. Command Injection
      1. Attack Mechanics
      2. Preventing Command Injection
    2. Database Injection
      1. SQL Injection Attack Mechanics
      2. Preventing SQL Injection
      3. NoSQL Injection Attack Mechanics
      4. Preventing NoSQL Injection
    3. Conclusion
    4. Additional Resources
  3. 2. Broken Authentication and Session Management
    1. Securing the Authentication Mechanism
      1. Password Cracking
      2. Preventing Password Cracking
      3. Rainbow Tables Attack
      4. Protecting Against Rainbow-Table Attacks
    2. Securing Session Management
      1. Session Hijacking Attack
      2. Protecting Against Session Hijacking
      3. Session Fixation
      4. Protecting Against Session Fixation Attack
    3. Conclusion
    4. Additional Resources
  4. 3. Cross-Site Scripting
    1. Attack Mechanics
      1. Reflected XSS
      2. Stored XSS
    2. How to Prevent XSS
      1. Applying the HttpOnly Flag on Session Cookies
    3. Conclusion
    4. Additional Resources
  5. 4. Insecure Direct Object References
    1. Attack Mechanics
    2. Preventing Insecure Direct Object References
      1. Avoid Exposing Direct Object References
      2. Use an Indirect Reference Map
      3. Check User Access at the Data-Object Level
    3. Directory Traversal
    4. Protecting Against Directory Traversal
    5. Conclusion
    6. Additional Resources
  6. 5. Security Misconfiguration
    1. Attack Mechanics
      1. Attacks from Browsers
      2. Attacks on the Network
      3. Attacks on Application Servers
    2. Preventing Security Misconfiguration
      1. Apply the Principle of Least Privilege
      2. Disable Any Development-Specific Features and Default Users
      3. Apply Security Headers on Response
      4. Protect Cookies by Using the httpOnly and Secure Flags
      5. Use Application Logs Effectively for Incident Detection and Response
      6. Keep Versions of Node.js and npm Modules Up to Date
      7. Securely Deploy the SSL/TLS
    3. Conclusion
    4. Additional Resources
  7. 6. Sensitive Data Exposure
    1. Attack Mechanics
      1. Stealing Sensitive Data from a Client
      2. Stealing Sensitive Data from a Network
      3. Stealing Sensitive Data at Rest
    2. Protecting Against Sensitive Data Exposure
      1. Securing Data in the Browser
      2. Securing Data in Transit
      3. Securing Data at Rest
    3. Conclusion
  8. 7. Missing Function-Level Access Control
    1. Attack Mechanics
    2. Preventing Missing Function-Level Access Control
      1. Scaling the Authorization Logic
    3. Conclusion
    4. Additional Resources
  9. 8. Cross-Site Request Forgery
    1. Attack Mechanics
    2. Protecting Against CSRF
      1. Support Only AJAX APIs and Disable Cross-Origin Resource Sharing (CORS)
      2. Use an Anti-CSRF Token
    3. Conclusion
    4. Additional Resources
  10. 9. Using Components with Known Vulnerabilities
    1. Attack Mechanics
      1. Exploit Publicly Known Vulnerabilities
      2. Publishing Malicious Modules to npm
      3. Exploit Unpublished Zero-Day Vulnerabilities
    2. Protecting Against Unsecured External Components
      1. Vet npm Modules Before Using Them
      2. Keep Versions of Node.js and npm Modules Up to Date
      3. Apply the Principle of Least Privilege
    3. Conclusion
    4. Additional Resources
  11. 10. Unvalidated Redirects and Forwards
    1. Attack Mechanics
      1. Scenario 1: Redirect to an External Web Page
      2. Scenario 2: Redirect to a Fake Login Page
    2. Protecting Against Unvalidated Redirects and Forwards
      1. Avoid Using User Inputs to Calculate the Destination URLs
      2. Use Mapped Redirect Values
      3. Validate and Sanitize Redirect URLs
      4. Check the Referrer Header to Prevent Misuse of the Redirect Page from Outside the Application
    3. Conclusion