book

Securing Node Applications

Name: Securing Node Applications
Author: Chetan Karande
ISBN: 9781491952412

by Chetan Karande

May 2017

Intermediate to advanced

91 pages

1h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
How This Book Is OrganizedConventions Used in This BookUsing Code ExamplesO’Reilly SafariHow to Contact UsAcknowledgments
1. Injection Attacks
Command InjectionAttack MechanicsPreventing Command InjectionDatabase InjectionSQL Injection Attack MechanicsPreventing SQL InjectionNoSQL Injection Attack MechanicsPreventing NoSQL InjectionConclusionAdditional Resources
2. Broken Authentication and Session Management
Securing the Authentication MechanismPassword CrackingPreventing Password CrackingRainbow Tables AttackProtecting Against Rainbow-Table AttacksSecuring Session ManagementSession Hijacking AttackProtecting Against Session HijackingSession FixationProtecting Against Session Fixation AttackConclusionAdditional Resources
3. Cross-Site Scripting
Attack MechanicsReflected XSSStored XSSHow to Prevent XSSApplying the HttpOnly Flag on Session CookiesConclusionAdditional Resources
4. Insecure Direct Object References
Attack MechanicsPreventing Insecure Direct Object ReferencesAvoid Exposing Direct Object ReferencesUse an Indirect Reference MapCheck User Access at the Data-Object LevelDirectory TraversalProtecting Against Directory TraversalConclusionAdditional Resources
5. Security Misconfiguration
Attack MechanicsAttacks from BrowsersAttacks on the NetworkAttacks on Application ServersPreventing Security MisconfigurationApply the Principle of Least PrivilegesDisable Any Development-Specific Features and Default UsersApply Security Headers on ResponseProtect Cookies by Using the httpOnly and Secure FlagsUse Application Logs Effectively for Incident Detection and ResponseKeep Versions of Node.js and npm Modules Up to DateSecurely Deploy the SSL/TLSConclusionAdditional Resources
6. Sensitive Data Exposure
Attack MechanicsStealing Sensitive Data from a ClientStealing Sensitive Data from a NetworkStealing Sensitive Data at RestProtecting Against Sensitive Data ExposureSecuring Data in the BrowserSecuring Data in TransitSecuring Data at RestConclusion
7. Missing Function-Level Access Control
Attack MechanicsPreventing Missing Function-Level Access ControlScaling the Authorization LogicConclusionAdditional Resources
8. Cross-Site Request Forgery
Attack MechanicsProtecting Against CSRFSupport Only AJAX APIs and Disable Cross-Origin Resource Sharing (CORS)Use an Anti-CSRF TokenConclusionAdditional Resources
9. Using Components with Known Vulnerabilities
Attack MechanicsExploit Publicly Known VulnerabilitiesPublishing Malicious Modules to npmExploit Unpublished Zero-Day VulnerabilitiesProtecting Against Unsecured External ComponentsVet npm Modules Before Using ThemKeep Versions of Node.js, and npm Modules Up to DateApply the Principle of Least PrivilegeConclusionAdditional Resources

10. Unvalidated Redirects and Forwards
Attack MechanicsScenario 1: Redirect to an External Web PageScenario 2: Redirect to a Fake Login PageProtecting Against Unvalidated Redirects and ForwardsAvoid Using User Inputs to Calculate the Destination URLsUse Mapped Redirect ValuesValidate and Sanitize Redirect URLsCheck the Referrer Header to Prevent Misuse of the Redirect Page from Outside the ApplicationConclusion

Overview

Security incidents are indeed on the rise, but according to one authoritative analysis, 85% of all successful exploits focus on the top ten security vulnerabilities. In this report, author Chetan Karande—an active member of the Open Web Application Security Project (OWASP)—covers the latest OWASP Top 10 security risks as they affect Node.js web applications.

This report acts as a quick reference guide to help Node developers secure their applications against these top ten threats. Karande devotes a chapter to each risk, covering both the attack mechanics in use as well as specific measures to guard against them. With these guidelines, you’ll be able to bake in security during design, development, code reviews, and testing.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491982426

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills