book

Securing Node Applications

Name: Securing Node Applications
Author: Chetan Karande
ISBN: 9781491952412

by Chetan Karande

May 2017

Intermediate to advanced

91 pages

1h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
How This Book Is OrganizedConventions Used in This BookUsing Code ExamplesO’Reilly SafariHow to Contact UsAcknowledgments
1. Injection Attacks
Command InjectionAttack MechanicsPreventing Command InjectionDatabase InjectionSQL Injection Attack MechanicsPreventing SQL InjectionNoSQL Injection Attack MechanicsPreventing NoSQL InjectionConclusionAdditional Resources
2. Broken Authentication and Session Management
Securing the Authentication MechanismPassword CrackingPreventing Password CrackingRainbow Tables AttackProtecting Against Rainbow-Table AttacksSecuring Session ManagementSession Hijacking AttackProtecting Against Session HijackingSession FixationProtecting Against Session Fixation AttackConclusionAdditional Resources
3. Cross-Site Scripting
Attack MechanicsReflected XSSStored XSSHow to Prevent XSSApplying the HttpOnly Flag on Session CookiesConclusionAdditional Resources
4. Insecure Direct Object References
Attack MechanicsPreventing Insecure Direct Object ReferencesAvoid Exposing Direct Object ReferencesUse an Indirect Reference MapCheck User Access at the Data-Object LevelDirectory TraversalProtecting Against Directory TraversalConclusionAdditional Resources
5. Security Misconfiguration
Attack MechanicsAttacks from BrowsersAttacks on the NetworkAttacks on Application ServersPreventing Security MisconfigurationApply the Principle of Least PrivilegesDisable Any Development-Specific Features and Default UsersApply Security Headers on ResponseProtect Cookies by Using the httpOnly and Secure FlagsUse Application Logs Effectively for Incident Detection and ResponseKeep Versions of Node.js and npm Modules Up to DateSecurely Deploy the SSL/TLSConclusionAdditional Resources
6. Sensitive Data Exposure
Attack MechanicsStealing Sensitive Data from a ClientStealing Sensitive Data from a NetworkStealing Sensitive Data at RestProtecting Against Sensitive Data ExposureSecuring Data in the BrowserSecuring Data in TransitSecuring Data at RestConclusion
7. Missing Function-Level Access Control
Attack MechanicsPreventing Missing Function-Level Access ControlScaling the Authorization LogicConclusionAdditional Resources
8. Cross-Site Request Forgery
Attack MechanicsProtecting Against CSRFSupport Only AJAX APIs and Disable Cross-Origin Resource Sharing (CORS)Use an Anti-CSRF TokenConclusionAdditional Resources
9. Using Components with Known Vulnerabilities
Attack MechanicsExploit Publicly Known VulnerabilitiesPublishing Malicious Modules to npmExploit Unpublished Zero-Day VulnerabilitiesProtecting Against Unsecured External ComponentsVet npm Modules Before Using ThemKeep Versions of Node.js, and npm Modules Up to DateApply the Principle of Least PrivilegeConclusionAdditional Resources

10. Unvalidated Redirects and Forwards
Attack MechanicsScenario 1: Redirect to an External Web PageScenario 2: Redirect to a Fake Login PageProtecting Against Unvalidated Redirects and ForwardsAvoid Using User Inputs to Calculate the Destination URLsUse Mapped Redirect ValuesValidate and Sanitize Redirect URLsCheck the Referrer Header to Prevent Misuse of the Redirect Page from Outside the ApplicationConclusion

Content preview from Securing Node Applications

Chapter 6. Sensitive Data Exposure

The frequent news about data-breach incidents in recent years made it evident that sensitive information such as personal, financial, or health records is a lucrative target for attackers due to the associated monetary gains. A single data-breach incident could cause catastrophic losses for an organization. As published in a research study, Figure 6-1 shows the cost of data breaches in the year 2015 for 64 benchmarked companies, sorted by the number of breached records.

Often, costs of sensitive data exposure span over incident investigation efforts, notifications to users, fines, lawsuits, settlements, as well as indirect costs such as loss of employee productivity, brand reputation, and user’s trust. In some cases, they result in businesses actually closing.

This Open Web Application Security Project (OWASP) risk primarily focuses on mitigating attacks that target web applications in an attempt to steal sensitive data. In this chapter, we go over related attack mechanics and ways to protect Node applications against it.

Attack Mechanics

There are three sources from which an attacker can steal the sensitive data managed by applications: a client such as a browser, a network, or application servers. Let’s review each.

Stealing Sensitive Data from a ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491982426

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business