book

Securing Node Applications

by Chetan Karande

May 2017

Intermediate to advanced

91 pages

1h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

How This Book Is OrganizedConventions Used in This BookUsing Code ExamplesO’Reilly SafariHow to Contact UsAcknowledgments
Command InjectionAttack MechanicsPreventing Command InjectionDatabase InjectionSQL Injection Attack MechanicsPreventing SQL InjectionNoSQL Injection Attack MechanicsPreventing NoSQL InjectionConclusionAdditional Resources
Securing the Authentication MechanismPassword CrackingPreventing Password CrackingRainbow Tables AttackProtecting Against Rainbow-Table AttacksSecuring Session ManagementSession Hijacking AttackProtecting Against Session HijackingSession FixationProtecting Against Session Fixation AttackConclusionAdditional Resources
Attack MechanicsReflected XSSStored XSSHow to Prevent XSSApplying the HttpOnly Flag on Session CookiesConclusionAdditional Resources
Attack MechanicsPreventing Insecure Direct Object ReferencesAvoid Exposing Direct Object ReferencesUse an Indirect Reference MapCheck User Access at the Data-Object LevelDirectory TraversalProtecting Against Directory TraversalConclusionAdditional Resources
Attack MechanicsAttacks from BrowsersAttacks on the NetworkAttacks on Application ServersPreventing Security MisconfigurationApply the Principle of Least PrivilegesDisable Any Development-Specific Features and Default UsersApply Security Headers on ResponseProtect Cookies by Using the httpOnly and Secure FlagsUse Application Logs Effectively for Incident Detection and ResponseKeep Versions of Node.js and npm Modules Up to DateSecurely Deploy the SSL/TLSConclusionAdditional Resources
Attack MechanicsStealing Sensitive Data from a ClientStealing Sensitive Data from a NetworkStealing Sensitive Data at RestProtecting Against Sensitive Data ExposureSecuring Data in the BrowserSecuring Data in TransitSecuring Data at RestConclusion
Attack MechanicsPreventing Missing Function-Level Access ControlScaling the Authorization LogicConclusionAdditional Resources
Attack MechanicsProtecting Against CSRFSupport Only AJAX APIs and Disable Cross-Origin Resource Sharing (CORS)Use an Anti-CSRF TokenConclusionAdditional Resources
Attack MechanicsExploit Publicly Known VulnerabilitiesPublishing Malicious Modules to npmExploit Unpublished Zero-Day VulnerabilitiesProtecting Against Unsecured External ComponentsVet npm Modules Before Using ThemKeep Versions of Node.js, and npm Modules Up to DateApply the Principle of Least PrivilegeConclusionAdditional Resources

Attack MechanicsScenario 1: Redirect to an External Web PageScenario 2: Redirect to a Fake Login PageProtecting Against Unvalidated Redirects and ForwardsAvoid Using User Inputs to Calculate the Destination URLsUse Mapped Redirect ValuesValidate and Sanitize Redirect URLsCheck the Referrer Header to Prevent Misuse of the Redirect Page from Outside the ApplicationConclusion

Content preview from Securing Node Applications

Chapter 4. Insecure Direct Object References

The insecure direct object references vulnerability allows an attacker to steal other users’ data of a specific type. Beyond just the data in a database, an attacker can exploit it to access restricted files or directories on the server. According to the Open Web Application Security Project (OWASP), an insecure direct object references vulnerability is commonplace and easy to exploit.

So, what makes an application vulnerable to this attack? As the name indicates, it is caused when a direct reference (such as a database ID or a filename) to a restricted object is exposed to users as part of the URL parameter. In addition, the application fails to verify whether the user is authorized to access the requested object for which the reference is present in the request URL.

Let’s examine some specific attack vectors and ways to mitigate them.

Attack Mechanics

In this exploit, attackers manipulate the identifier in the request URL to access other records in the database that do not belong to them. For example, consider this URL on a vulnerable application:

www.example.com/profile/3032

In this URL, 3032 is an ID of a profile record in the database. Because it is exposed in the URL and predictable, an attacker can simply change it to some other value and access other users’ restricted profiles.

Here is an another example of using a URL to retrieve a filesystem resource:

www.example.com/reports?name=feb2016report.pdf

The name parameter in this ...