book

Securing Node Applications

Name: Securing Node Applications
Author: Chetan Karande
ISBN: 9781491952412

by Chetan Karande

May 2017

Intermediate to advanced

91 pages

1h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
How This Book Is OrganizedConventions Used in This BookUsing Code ExamplesO’Reilly SafariHow to Contact UsAcknowledgments
1. Injection Attacks
Command InjectionAttack MechanicsPreventing Command InjectionDatabase InjectionSQL Injection Attack MechanicsPreventing SQL InjectionNoSQL Injection Attack MechanicsPreventing NoSQL InjectionConclusionAdditional Resources
2. Broken Authentication and Session Management
Securing the Authentication MechanismPassword CrackingPreventing Password CrackingRainbow Tables AttackProtecting Against Rainbow-Table AttacksSecuring Session ManagementSession Hijacking AttackProtecting Against Session HijackingSession FixationProtecting Against Session Fixation AttackConclusionAdditional Resources
3. Cross-Site Scripting
Attack MechanicsReflected XSSStored XSSHow to Prevent XSSApplying the HttpOnly Flag on Session CookiesConclusionAdditional Resources
4. Insecure Direct Object References
Attack MechanicsPreventing Insecure Direct Object ReferencesAvoid Exposing Direct Object ReferencesUse an Indirect Reference MapCheck User Access at the Data-Object LevelDirectory TraversalProtecting Against Directory TraversalConclusionAdditional Resources
5. Security Misconfiguration
Attack MechanicsAttacks from BrowsersAttacks on the NetworkAttacks on Application ServersPreventing Security MisconfigurationApply the Principle of Least PrivilegesDisable Any Development-Specific Features and Default UsersApply Security Headers on ResponseProtect Cookies by Using the httpOnly and Secure FlagsUse Application Logs Effectively for Incident Detection and ResponseKeep Versions of Node.js and npm Modules Up to DateSecurely Deploy the SSL/TLSConclusionAdditional Resources
6. Sensitive Data Exposure
Attack MechanicsStealing Sensitive Data from a ClientStealing Sensitive Data from a NetworkStealing Sensitive Data at RestProtecting Against Sensitive Data ExposureSecuring Data in the BrowserSecuring Data in TransitSecuring Data at RestConclusion
7. Missing Function-Level Access Control
Attack MechanicsPreventing Missing Function-Level Access ControlScaling the Authorization LogicConclusionAdditional Resources
8. Cross-Site Request Forgery
Attack MechanicsProtecting Against CSRFSupport Only AJAX APIs and Disable Cross-Origin Resource Sharing (CORS)Use an Anti-CSRF TokenConclusionAdditional Resources
9. Using Components with Known Vulnerabilities
Attack MechanicsExploit Publicly Known VulnerabilitiesPublishing Malicious Modules to npmExploit Unpublished Zero-Day VulnerabilitiesProtecting Against Unsecured External ComponentsVet npm Modules Before Using ThemKeep Versions of Node.js, and npm Modules Up to DateApply the Principle of Least PrivilegeConclusionAdditional Resources

10. Unvalidated Redirects and Forwards
Attack MechanicsScenario 1: Redirect to an External Web PageScenario 2: Redirect to a Fake Login PageProtecting Against Unvalidated Redirects and ForwardsAvoid Using User Inputs to Calculate the Destination URLsUse Mapped Redirect ValuesValidate and Sanitize Redirect URLsCheck the Referrer Header to Prevent Misuse of the Redirect Page from Outside the ApplicationConclusion

Content preview from Securing Node Applications

Chapter 5. Security Misconfiguration

Security misconfiguration risk encompasses a broad category of configuration issues originated at any level of an application stack, including OS, network, application server, database, framework, or the application code itself.

Depending on the misconfiguration, the impact of vulnerability could range from an attacker identifying the platform and frameworks used to build the app to gaining a full control of the enterprise network and the application server.

As published in the HPE Cyber Risk Report 2016, Figure 5-1 shows the most commonly found vulnerabilities by analyzing more than 7,000 web applications. Incidentally, most of these vulnerabilities could be attributed to the security misconfiguration issues.

This chapter covers related attack mechanics and ways to protect against them in Node applications.

Attack Mechanics

There are a variety of attack mechanics to exploit security misconfiguration, each affecting distinct attack surfaces. The subsections that follow present some examples.

Attacks from Browsers

An attacker can exploit the following security misconfigurations by using a browser or a browser-equivalent tool:

Any server configuration information leaked to the browser aids an attacker to build the security ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491982426

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business