
JSConf Asia: Node.js Authentication and Data Security

This talk is an extended version of my session at HTML5DevConf. It was held on Friday Nov. 20th 2015 at DevFest Asia / JSConf Asia in Singapore.

The arena of proper authentication and data security standards is often some of the most misunderstood, confusing, and tricky aspects of building any Node site, app, or service, and the fear of data breaches with unencrypted or poorly encrypted data doesn’t make it any better.

We’re going to tackle this field, exploring the proper methodologies for building secure authentication and data security standards. We’ll run through:

- Building on top of OAuth 2 and OpenID Connect
- Node middleware services for authentication
- Working with proper hashing and salting algorithms, and avoiding others, for private user data
- Common auth and security pitfalls and solutions

In the end, we’re going to see that by understanding proper data security and authentication standards, pitfalls, and reasons for choosing one solution over another, we can make intelligent decisions on creating a solid infrastructure to protect our users and data.


JSConf Asia: Node.js Authentication and Data Security

  1. Tim Messerschmidt, Head of Developer Relations, International, Braintree. @Braintree_Dev / @SeraAndroid. Node.js Authentication and Data Security #JSConfAsia
  2. @SeraAndroid: Developer, Author, Evangelist
  3. <3 Berlin
  4. That’s me
  5. @Braintree_Dev / @SeraAndroid #JSConfAsia. + Braintree since 2013
  6. Content: 1. Introduction, 2. Well-known security threats, 3. Data Encryption, 4. Hardening Express, 5. Authentication middleware, 6. Great resources
  7. The Human Element
  8. Top 10 Passwords 2014 (bit.ly/1xTwYiA): 1. 12345, 2. password, 3. 12345, 4. 12345678, 5. qwerty, 6. 123456789, 7. 1234, 8. baseball, 9. dragon, 10. football
  9. Honorary Mention: superman, batman
  10. Authentication & Authorization
  11. OWASP Top 10 (bit.ly/1a3Ytvg)
  12. 1. Injection
  13. 2. Broken Authentication
  14. 3. Cross-Site Scripting (XSS)
  15. 4. Direct Object References
  16. 5. Application Misconfigured
  17. 6. Sensitive Data Exposed
  18. 7. Access Level Control
  19. 8. Cross-site Request Forgery (CSRF / XSRF)
  20. 9. Vulnerable Code
  21. 10. Redirects / Forwards
  22. Risk ratings per exploit:

      | Exploit         | Prevalence | Detectability | Impact    | Exploitability |
      |-----------------|------------|---------------|-----------|----------------|
      | Injection       | Common     | Medium        | Very High | Easy           |
      | Broken Auth     | Very High  | Medium        | Very High | Average        |
      | XSS             | Very High  | Easy          | Medium    | Average        |
      | Insecure DOR    | Common     | Easy          | Medium    | Easy           |
      | Misconfiguration| Common     | Easy          | Medium    | Easy           |
      | Exposed Data    | Common     | Medium        | Very High | Difficult      |
      | ACL             | Common     | Medium        | Medium    | Easy           |
      | CSRF            | Common     | Easy          | Medium    | Average        |
      | Vulnerable Code | Very High  | Difficult     | Medium    | Average        |
      | Redirects       | Common     | Easy          | Medium    | Average        |
  23. Hashing: MD5, SHA-1, SHA-2, SHA-3
  24–25. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
  26–29. Cracked passwords, revealed one per slide: ishouldnotbedoingthis, whyareyoudoingthis, justtryingthisout, thebestpasswordever (arstechnica.com/security/2015/09/ashley-madison-passwords-like-thisiswrong-tap-cheaters-guilt-and-denial)
  30. Efficient Hashing: crypt, scrypt, bcrypt, PBKDF2
  31. md5 vs bcrypt, 10.000 iterations (github.com/codahale/bcrypt-ruby):

      |        | user  | system | total |
      |--------|-------|--------|-------|
      | MD5    | 0.07  | 0.0    | 0.07  |
      | bcrypt | 22.23 | 0.08   | 22.31 |

  32. Salted Hashing: algorithm(data + salt) = hash
  33. use strict
  34. Regex: owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
  35. Character Encoding: w3schools.com/html/html_entities.asp
  36. X-Powered-By
  37. NODE-UUID: github.com/broofa/node-uuid
  38. HTTP Parameter Pollution:

      ```javascript
      // GET /pay?amount=20&currency=EUR&amount=1
      req.query.amount = ['20', '1'];

      // POST amount=20&currency=EUR&amount=1
      req.body.amount = ['20', '1'];
      ```
  39. bcrypt: github.com/ncb000gt/node.bcrypt.js
  40. A bcrypt generated Hash: $2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS
  41. Generating a Hash using bcrypt:

      ```javascript
      var bcrypt = require('bcrypt');

      // cost factor 12 = 2^12 rounds; bcrypt generates and embeds the salt itself
      bcrypt.hash('cronut', 12, function(err, hash) {
        if (err) { throw err; }
        // store hash

        // later, on login: compare the submitted password against the stored hash
        bcrypt.compare('cronut', hash, function(err, res) {
          if (res === true) {
            // password matches
          }
        });
      });
      ```
  42. CSURF: github.com/expressjs/csurf
  43. Using Csurf as middleware:

      ```javascript
      var csrf = require('csurf');
      // cookie: false keeps the secret in req.session, so session middleware must be mounted first
      var csrfProtection = csrf({ cookie: false });

      app.get('/form', csrfProtection, function(req, res) {
        res.render('form', { csrfToken: req.csrfToken() });
      });

      app.post('/login', csrfProtection, function(req, res) {
        // safe to continue
      });
      ```
  44. Using the token in your template (Jade):

      ```jade
      extends layout

      block content
        h1 CSRF protection using csurf
        form(action="/login" method="POST")
          input(type="text", name="username", value="Username")
          input(type="password", name="password", value="Password")
          input(type="hidden", name="_csrf", value="#{csrfToken}")
          button(type="submit") Submit
      ```
  45. Helmet: github.com/HelmetJS/Helmet
  46. Using Helmet with default options:

      ```javascript
      var helmet = require('helmet');

      // enable individual protections ...
      app.use(helmet.noCache());
      app.use(helmet.frameguard());
      app.use(helmet.xssFilter());
      // ...

      // .. or use the default initialization
      app.use(helmet());
      ```
  47. Helmet for Koa: github.com/venables/koa-helmet
  48. Lusca: github.com/krakenjs/lusca
  49. Applying Lusca as middleware:

      ```javascript
      var lusca = require('lusca');

      app.use(lusca({
        csrf: true,
        csp: { /* ... */ },
        xframe: 'SAMEORIGIN',
        p3p: 'ABCDEF',
        xssProtection: true
      }));
      ```
  50. Lusca for Koa: github.com/koajs/koa-lusca
  51. Types of Express Middleware: 1. Application-level, 2. Route-level, 3. Error-handling
  52. Writing Custom Middleware:

      ```javascript
      var authenticate = function(req, res, next) {
        // check the request and modify response;
        // call next() only once the check passed, otherwise end the response here
        next();
      };

      app.get('/form', authenticate, function(req, res) {
        // assume that the user is authenticated
      });

      // ... or use the middleware for certain routes
      app.use('/admin', authenticate);
      ```
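Slide 51 names three middleware shapes and slide 52 sketches one of them. The following added example (not from the talk) fills in all three and runs them through a small stand-in for Express's `next()`-driven dispatcher, so it executes without the framework. The in-memory session store, the `sid` cookie and the `run` helper are my own constructions.

```javascript
// Added example: application-level, route-level and error-handling middleware,
// driven by a minimal dispatcher that behaves like Express's chain.
'use strict';

// Constructed session store standing in for whatever backs req.session.
const SESSIONS = new Map([['sess-abc', { username: 'alice' }]]);

// 1. Application-level middleware: attaches the session user, decides nothing.
function loadSession(req, res, next) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '');
  req.user = m ? SESSIONS.get(m[1]) || null : null;
  next();
}

// 2. Route-level middleware: the authenticate() from the slide, made concrete.
function authenticate(req, res, next) {
  if (!req.user) {
    res.status = 401;
    res.body = 'unauthorized';
    return; // chain ends here; the protected handler never sees the request
  }
  next();
}

// 3. Error-handling middleware: four arguments, reached only via next(err).
function errorHandler(err, req, res, next) {
  res.status = 500;
  res.body = 'internal error'; // never echo err.message to the client
}

// Minimal dispatcher: walk the chain, skipping error handlers until an error
// is raised, then skipping normal handlers. Express does the same by arity.
function run(chain, req) {
  const res = { status: 200, body: '' };
  let i = 0;
  function next(err) {
    while (i < chain.length) {
      const fn = chain[i++];
      const isErrorHandler = fn.length === 4;
      if (err && isErrorHandler) return fn(err, req, res, next);
      if (!err && !isErrorHandler) {
        try { return fn(req, res, next); } catch (e) { return next(e); }
      }
    }
    if (err) { res.status = 500; res.body = 'unhandled'; }
  }
  next();
  return res;
}

function adminHandler(req, res) {
  res.body = 'hello ' + req.user.username;
}

// Equivalent of app.use(loadSession); app.get('/admin', authenticate, adminHandler); app.use(errorHandler)
const adminChain = [loadSession, authenticate, adminHandler, errorHandler];
console.log(run(adminChain, { headers: { cookie: 'sid=sess-abc' } })); // { status: 200, body: 'hello alice' }
console.log(run(adminChain, { headers: {} }));                         // { status: 401, body: 'unauthorized' }
```

Order is the whole story: `loadSession` must run before `authenticate`, and `errorHandler` must be registered last so that an exception thrown anywhere earlier lands in it rather than in the default handler that leaks a stack trace.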
  53. Passport: github.com/jaredhanson/passport
  54. Setting up a passport strategy:

      ```javascript
      var passport = require('passport');
      var LocalStrategy = require('passport-local').Strategy;

      passport.use(new LocalStrategy(function(username, password, done) {
        User.findOne({ username: username }, function(err, user) {
          if (err) { return done(err); }
          if (!user) { return done(null, false, { message: 'Incorrect username.' }); }
          if (!user.validPassword(password)) { return done(null, false, { message: 'Incorrect password.' }); }
          return done(null, user);
        });
      }));
      ```
  55. Using Passport Strategies for Authentication:

      ```javascript
      // Simple authentication
      app.post('/login', passport.authenticate('local'), function(req, res) {
        // req.user contains the authenticated user
        res.redirect('/user/' + req.user.username);
      });

      // Using redirects
      app.post('/login', passport.authenticate('local', {
        successRedirect: '/',
        failureRedirect: '/login',
        failureFlash: true
      }));
      ```
  56. NSP: nodesecurity.io/tools
  57. Passwordless Auth: medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb
  58. OWASP Node Goat: github.com/OWASP/NodeGoat
  59. Node Security: nodesecurity.io/resources
  60. Fast Identity Online: fidoalliance.org
  61. Security Beyond Current Mechanisms: 1. Something you have, 2. Something you know, 3. Something you are
  62. "Favor security too much over the experience and you’ll make the website a pain to use." smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form
  63. Thank You! @SeraAndroid, tim@getbraintree.com, slideshare.com/paypal, braintreepayments.com/developers


