
Node.js Authentication and Data Security

This is an extended version of the talk I gave at Web European Conference in Milan. It covers basic web application security threats and simple tweaks to our applications that help dealing with them.


  1. Tim Messerschmidt, Head of Developer Relations, International, Braintree (@Braintree_Dev / @SeraAndroid). Node.js Authentication and Data Security, #HTML5DevConf
  2. That’s me
  3. @Braintree_Dev / @SeraAndroid #HTML5DevConf: + Braintree since 2013
  4. Content (now at 1. Introduction): 1. Introduction, 2. Well-known security threats, 3. Data Encryption, 4. Hardening Express, 5. Authentication middleware, 6. Great resources
  5. The Human Element
  6. Top 10 Passwords 2014 (bit.ly/1xTwYiA): 1. 12345, 2. password, 3. 12345, 4. 12345678, 5. qwerty, 6. 123456789, 7. 1234, 8. baseball, 9. dragon, 10. football
  7. Honorary Mention: superman, batman
  8. Authentication & Authorization
  9. Content (now at 2. Well-known security threats): 1. Introduction, 2. Well-known security threats, 3. Data Encryption, 4. Hardening Express, 5. Authentication middleware, 6. Great resources
  10. OWASP Top 10 (bit.ly/1a3Ytvg)
  11. 1. Injection
  12. 2. Broken Authentication
  13. 3. Cross-Site Scripting (XSS)
  14. 4. Direct Object References
  15. 5. Application Misconfigured
  16. 6. Sensitive Data Exposed
  17. 7. Access Level Control
  18. 8. Cross-site Request Forgery (CSRF / XSRF)
  19. 9. Vulnerable Code
  20. 10. Redirects / Forwards
  21. Content (now at 3. Data Encryption): 1. Introduction, 2. Well-known security threats, 3. Data Encryption, 4. Hardening Express, 5. Authentication middleware, 6. Great resources
  22. Hashing: MD5, SHA-1, SHA-2, SHA-3
  23. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
  24. ishouldnotbedoingthis (arstechnica.com/security/2015/09/ashley-madison-passwords-like-thisiswrong-tap-cheaters-guilt-and-denial)
  25. ishouldnotbedoingthis, whyareyoudoingthis (same source)
  26. ishouldnotbedoingthis, whyareyoudoingthis, justtryingthisout (same source)
  27. ishouldnotbedoingthis, whyareyoudoingthis, justtryingthisout, thebestpasswordever (same source)
  28. Efficient Hashing: crypt, scrypt, bcrypt, PBKDF2
  29. md5 vs bcrypt, 10.000 iterations (github.com/codahale/bcrypt-ruby):
                user    system  total
      MD5       0.07    0.0     0.07
      bcrypt    22.23   0.08    22.31
  30. abstrusegoose.com/296
  31. Salted Hashing: algorithm(data + salt) = hash
  32. Content (now at 4. Hardening Express): 1. Introduction, 2. Well-known security threats, 3. Data Encryption, 4. Hardening Express, 5. Authentication middleware, 6. Great resources
  33. use strict
  34. Regex: owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
  35. X-Powered-By
  36. NODE-UUID: github.com/broofa/node-uuid
  37. HTTP Parameter Pollution:
      GET /pay?amount=20&currency=EUR&amount=1 gives req.query.amount = ['20', '1'];
      POST amount=20&currency=EUR&amount=1 gives req.body.amount = ['20', '1'];
  38. bcrypt: github.com/ncb000gt/node.bcrypt.js
  39. A bcrypt generated Hash: $2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS
  40. Generating a Hash using bcrypt:
      var bcrypt = require('bcrypt');
      bcrypt.hash('cronut', 12, function(err, hash) {
        // store hash
      });
      bcrypt.compare('cronut', hash, function(err, res) {
        if (res === true) {
          // password matches
        }
      });
  41. CSURF: github.com/expressjs/csurf
  42. Using Csurf as middleware:
      var csrf = require('csurf');
      var csrfProtection = csrf({ cookie: false });
      app.get('/form', csrfProtection, function(req, res) {
        res.render('form', { csrfToken: req.csrfToken() });
      });
      app.post('/login', csrfProtection, function(req, res) {
        // safe to continue
      });
  43. Using the token in your template:
      extends layout
      block content
        h1 CSRF protection using csurf
        form(action="/login" method="POST")
          input(type="text", name="username", value="Username")
          input(type="password", name="password", value="Password")
          input(type="hidden", name="_csrf", value="#{csrfToken}")
          button(type="submit") Submit
  44. Helmet: github.com/HelmetJS/Helmet
  45. Using Helmet with default options:
      var helmet = require('helmet');
      app.use(helmet.noCache());
      app.use(helmet.frameguard());
      app.use(helmet.xssFilter());
      …
      // .. or use the default initialization
      app.use(helmet());
  46. Helmet for Koa: github.com/venables/koa-helmet
  47. Lusca: github.com/krakenjs/lusca
  48. Applying Lusca as middleware:
      var lusca = require('lusca');
      app.use(lusca({
        csrf: true,
        csp: { /* ... */ },
        xframe: 'SAMEORIGIN',
        p3p: 'ABCDEF',
        xssProtection: true
      }));
  49. Lusca for Koa: github.com/koajs/koa-lusca
  50. Content (now at 5. Authentication middleware): 1. Introduction, 2. Well-known security threats, 3. Data Encryption, 4. Hardening Express, 5. Authentication middleware, 6. Great resources
  51. Types of Express Middleware: 1. Application-level, 2. Route-level, 3. Error-handling
  52. Writing Custom Middleware:
      var authenticate = function(req, res, next) {
        // check the request and modify response
      };
      app.get('/form', authenticate, function(req, res) {
        // assume that the user is authenticated
      });
      // … or use the middleware for certain routes
      app.use('/admin', authenticate);
  53. Passport: github.com/jaredhanson/passport
  54. Setting up a passport strategy:
      var passport = require('passport');
      var LocalStrategy = require('passport-local').Strategy;
      passport.use(new LocalStrategy(function(username, password, done) {
        User.findOne({ username: username }, function(err, user) {
          if (err) { return done(err); }
          if (!user) { return done(null, false, { message: 'Incorrect username.' }); }
          if (!user.validPassword(password)) { return done(null, false, { message: 'Incorrect password.' }); }
          return done(null, user);
        });
      }));
  55. Using Passport Strategies for Authentication:
      // Simple authentication
      app.post('/login', passport.authenticate('local'), function(req, res) {
        // req.user contains the authenticated user
        res.redirect('/user/' + req.user.username);
      });
      // Using redirects
      app.post('/login', passport.authenticate('local', {
        successRedirect: '/',
        failureRedirect: '/login',
        failureFlash: true
      }));
  56. NSP: nodesecurity.io/tools
  57. Content (now at 6. Great resources): 1. Introduction, 2. Well-known security threats, 3. Data Encryption, 4. Hardening Express, 5. Authentication middleware, 6. Great resources
  58. Passwordless Auth: medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb
  59. OWASP Node Goat: github.com/OWASP/NodeGoat
  60. Node Security: nodesecurity.io/resources
  61. Fast Identity Online: fidoalliance.org
  62. Security Beyond Current Mechanisms: 1. Something you have, 2. Something you know, 3. Something you are
  63. “Favor security too much over the experience and you’ll make the website a pain to use.” smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form
  64. Thank You! @SeraAndroid, tim@getbraintree.com, slideshare.com/paypal, braintreepayments.com/developers
