As more Node.js web applications are deployed into production, their performance gains should never come at the expense of security. It is crucial to validate your app against the common web application vulnerabilities, such as the top 10 risks defined by OWASP, and to know how they manifest in the Node.js environment.

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting (XSS)
  4. Insecure direct object references
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing function level access
  8. Cross-site request forgery (CSRF)
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards

In this post I will cover the Node.js specific mitigation and prevention techniques against cross-site request forgery (CSRF). A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to make the victim’s browser generate requests that the vulnerable application treats as legitimate requests from the victim.

Before I get to the mitigation techniques used for Node.js and Express, let’s take a look at how a CSRF vulnerability is exploited. In this example I will use the OWASP Node Goat application as the target.


Assuming the victim is already logged in and the session cookie is available, an attacker who has previously learned how the authenticated areas of this application behave can take advantage of the victim’s session to send a request using a forged form or an image embedded in a linked HTML page.


For example, in this vulnerable application the victim has a form where the payroll contributions percent can be changed.


The attacker can change the victim’s contributions by hosting a forged form like the one below. Once the victim submits this form, a request carrying the user’s session cookie is sent to the vulnerable application and leads to an unintended change to the victim’s contributions.

<html lang="en">
<head></head>
<body>
<form method="POST" action="http://TARGET_APP_URL_HERE/contributions">
<h1> You are about to win a brand new iPad!</h1>
<h2> Click on the win button to claim it...</h2>
<input type="hidden" name="pretax" value="30"/>
<input type="hidden" name="roth" value="0"/>
<input type="hidden" name="aftertax" value="0"/>
<input type="submit" value="Win !!!"/>
</form>
</body>
</html>

When this form is submitted, the vulnerable application handles it as a legitimate request, since it performs no validation of the request’s origin, and updates the victim’s contributions to the submitted values.


How to prevent this attack in Node.js web apps?

There are two easy approaches: one is using the csrf middleware bundled with Express (version 2 or 3), and the second is using the csurf module directly as an external middleware.

Add the CSRF module to the Express app configuration, then create a custom middleware that generates a new token using req.csrfToken() (the example below reads it from req.session._csrf, where the older Express 3 csrf middleware stores it) and exposes it to the view by setting it in res.locals. The CSRF middleware depends on session support to keep the CSRF token on the server, so it has to be initialized after the session module.

var express = require('express');
var path = require('path');

var app = express();

app.configure(function(){
  app.set('port', process.env.PORT || 3000);
  app.set('views', __dirname + '/views');
  app.set('view engine', 'jade');
  app.use(express.favicon());
  app.use(express.logger('dev'));
  app.use(express.bodyParser());
  app.use(express.methodOverride());
  app.use(express.cookieParser('your secret here'));
  // session support must come before csrf(), which stores the token in the session
  app.use(express.session());
  // enable csrf protection
  app.use(express.csrf());
  // expose the per-session token to the templates as `token`
  app.use(function(req, res, next){
    res.locals.token = req.session._csrf;
    next();
  });
  app.use(app.router);
  app.use(express.static(path.join(__dirname, 'public')));
});

Once this is complete, a `token` variable is available to the templates, and you can use it to set a hidden form field in your view, as below:

<input type="hidden" name="_csrf" value="{{ token }}">

An example for the hidden field in a form in a jade template:

form(action='/form',method='post')
input(type='hidden', name='_csrf', value=token)
label(for='color') Color:
input(type='text',name='color',size='50')
button(type='submit') Save

After we start the application and view the source of this basic form in the browser, we should see the session’s unique CSRF value:

<form action="/form" method="post">
<input type="hidden" name="_csrf" value="Ju0W8XT1IZVERTf5NQrGpo3oc">
<label for="color">Color:</label>
<input type="text" name="color" size="50">
<button type="submit">Save</button>
</form>

The CSRF middleware looks for the CSRF token in three locations. First, it checks for a _csrf property in the request body (req.body._csrf); next it checks the query string (req.query._csrf); and finally it checks the request headers (req.headers['x-csrf-token']). If a request of any other type is made and this csrf value is missing or wrong, the middleware rejects the request with a 403 – Forbidden status.

The Express CSRF middleware skips token verification on HTTP GET, OPTIONS, and HEAD requests (which is correct); however, there is a caveat.

GET / HTTP/1.1
[..]
_method=POST

As a result, it is possible to bypass the security control by sending a GET request with a POST method-override parameter (or header), as in the request above.

app.use(csrf()) // #1
app.use(methodOverride()) // #2
// vulnerable code!

If the methodOverride module is configured after the csrf module, as above, this vulnerability results because the csrf module needs to know the real method of the request first. The fix is either to disable methodOverride or to make sure it is registered before the csrf middleware and any other middleware that depends on the request method.


References:

Cross Site Request Forgery (CSRF) Tutorial

Always check CSRF token if request has body

Improves your security testing with fuzzdb

CSRF with NODEJS and EXPRESS 3

Using CSRF protection with Express and AngularJS

OWASP top ten web application risks

OWASP Node Goat Project

Top overlooked security threats to Node.js web applications


Read in 2013

December 31, 2013

1. Advanced Programming in the UNIX Environment SE – Richard Stevens and Stephen Rago – 5-Star
2. API Design for C++ – Martin Reddy – 5-Star
3. Founders at work – Jessica Livingston – 4-Star
4. Version Management with CVS – Per Cederqvist – 3-Star
5. The C Programming Language – Brian Kernighan, Dennis Ritchie – 5-Star
6. The power of habit – Charles Duhigg – 3-Star
7. Permission Marketing – Seth Godin – 3-Star
8. Built to Sell – John Warrilow – 5-Star
9. The sun also rises – Ernest Hemingway – 3-Star
10. Computer Security principles and practice – Stallings – 4-Star
11. Cryptography Engineering – Ferguson, Schneier, Kohno – 3-Star
12. Counter Hack Reloaded – Skoudis, Liston – 5-Star
13. HTML5 Game Development – Jesse Freemen – 3-Star
14. Moonwalking with Einstein – Joshua Foer – 4-Star
15. JQuery Mobile up and running – Maximiliano Firtman – 5-Star
16. The $100 Startup – Chris Guillebeau – 5-Star
17. Lean Startup – Eric Ries – 4-Star
18. الفيل الأزرق – أحمد مراد – 4-Star

Ratings: 5-Star: Must read; 1-Star: Don’t waste your time

I hope you find them inspiring and useful. I have the books available if anyone wants any of them.

Happy New Year!

Built to Sell

February 26, 2013

It’s been a while since I was into a book that much. It’s not amazingly written, but its story kept me engaged from beginning to end, every night after work, listening to its audiobook on my commutes, and dedicating a full weekend to it – the weekend is priceless for a software engineer, as you all might know. I highly recommend this book to all the value creators.

The book is a fictional story about Alex Stapleton, an advertising agency owner, and his struggle to convert his business into a sellable one. With the help of his friend Ted, he converts the business from a struggling one that relies too heavily upon him and a single, overly demanding client, to a highly-focused one that thrives without his constant low-level involvement.
If you’ve read many business books on the subject of entrepreneurship and management, these concepts will seem very familiar, but set in a slightly different context. Throughout the book, I felt that the content borrowed heavily from the E-Myth, which the author credits in the appendix. The important variation from E-Myth is that the owner is preparing to sell the business. Everything he does in terms of automating and streamlining the operations is done within the framework of the question: "How will this help me sell this company?"

After the story concludes, the author summarizes the key points, which seems a little redundant but helpful, along with some personal experiences. The greatest flaw of this book is that it never addresses the problems you might have at different points along this process. Again, I highly recommend this book and I hope I get the time to read it again next year.

Two months ago I was invited to a meeting with the Egyptian activists and Aldostour party supporters Sherif Mansour, Zaid Salah, and Amgad Abdelhafez at one of the Egyptian cafes at the Arabic Steinway in Astoria. We were discussing our local plan, projects and activities for the upcoming months. Among other projects we agreed on initiating an effort to build a mobile app for the party and help provide another means of communication for a growing mobile user community.


The technical goals for the app development can simply be summarized in:

1. Cross-platform mobile development: one codebase means easier development, testing and maintenance. The app should be installable as a native app on as many devices as possible, including iOS, Android, Windows Phone, BlackBerry, etc.

2. Wide contributor base: building a web-based app in a native wrapper lets us use existing expertise. Almost everyone can help with JavaScript and web technologies, which makes it very easy for the tech volunteers to join the app dev team, add new features and help with bug fixing.


The existence of many frameworks like RhoMobile, PhoneGap, Appcelerator, MoSync, Corona, etc. – more info here – made it a little hard to pick one in the limited time we had. Based on online reviews and recommendations, I narrowed this down to PhoneGap and Appcelerator.


Both have a good, wide range of APIs – accelerometer, GPS/location, camera, sound, etc. PhoneGap was ready for almost all available platforms, with an easy and smooth cloud-based build engine, whereas Appcelerator was ready to support iOS and Android with a promise to support others in the future. PhoneGap looked a lot simpler for this project, as it takes the HTML/CSS/JavaScript as is into a web container, whereas Appcelerator analyzes and compiles it into the corresponding native-code symbols and builds the UI from the phone’s native resources, which might eventually lead to writing specific code for each platform.


The App is still a work-in-progress. We are planning to release a beta version by the end of March. Please contact me @waleedeg if you would like to join the development team or know more.

Read in 2011

December 31, 2011

  1. Voyage through time – Ahmed Zeweil – 3-Star
  2. Developer’s Workshop to COM and ATL 3.0 – Andrew W. Troelsen – 3-Star
  3. Advanced Windows Debugging – Hewardt and Pravat – 4-Star
  4. The Data Warehouse ToolKit – Margy Ross – 4-Star
  5. The Google Resume – Gayle McDowell – 5-Star
  6. Inside the Microsoft Build Engine – Sayed Hashimi – 4-Star
  7. Learning Perl (the llama book) – Randal Schwartz – 4-Star
  8. Large Scale C++ Software Design – John Lakos – 3-Star
  9. Exceptional C++ – Herb Sutter – 4-Star
  10. Into the wild – Jon Krakauer – 3-Star
  11. The big 5-oh – Sandra D. Bricker – 2-Star
  12. Be your own best publicist – Jessica Kleiman and Meryl Cooper – 3-Star
  13. Automating System Administration with Perl – David Blank-Edelman – 1-Star
  14. Windows Internals 5th edition – Mark Russinovich – 3-Star
  15. Emotional Intelligence 2.0 – Travis Bradberry and Jean Greaves – 2-Star
  16. Windows via C/C++ – Jeffrey M. Richter, Christophe Nasarre – 5-Star
  17. More Exceptional C++ – Herb Sutter – 3-Star
  18. Programming Windows Azure – Sriram Krishnan – 4-Star
  19. Azure in Action – Chris Hay and Brian Prince – 1-Star
  20. Introducing HTML5 – Bruce Lawson and Remy Sharp – 3-Star
  21. Outliers – Malcolm Gladwell – 4-Star

Ratings: 5-Star: Must read; 1-Star: Don’t waste your time

This was the list of books I was fortunate to read last year. I hope you find them inspiring and useful, and maybe share yours too. I have the books available if you want any of them for free.

Happy New Year!

Writing shell extensions is one of those programming tasks in which C++ (with the help of a library like ATL) excels – a post from MSFT explained here why it is better to avoid .NET for writing shell extensions.

Michael Dunn (a former Visual C++ MVP) wrote a very interesting series of tutorials on CodeProject on developing shell extensions; they are worth listing and sharing:

  1. A step-by-step tutorial on writing shell extensions.
  2. A tutorial on writing a shell extension that operates on multiple files at once.
  3. A tutorial on writing a shell extension that shows pop-up info for files.
  4. A tutorial on writing a shell extension that provides custom drag and drop functionality.
  5. A tutorial on writing a shell extension that adds pages to the properties dialog of files.
  6. A tutorial on writing a shell extension that can be used on the Send To menu.
  7. A tutorial on using owner-drawn menus in a context menu shell extension, and on making a context menu extension that responds to a right-click in a directory background.
  8. A tutorial on adding columns to Explorer’s details view via a column handler shell extension.
  9. A tutorial on writing an extension to customize the icons displayed for a file type.

I’ve been looking for an efficient way to delete all items in a list using the SharePoint Lists web service. A few friends have helped me with some good references for getting it done using CAML (@AhmedIG) or using CSOM (Haytham); you can check them out and see if they solve the problem under your constraints. The challenging part of the problem is that you usually don’t produce the item IDs for a list yourself but let SharePoint assign them, and you may also discard the item IDs of the newly created or loaded items in your item collection.

To create the XML batch below, we need to build the Delete Method tags from the existing items’ IDs, so an additional ID retrieval is required before a single delete batch can be created (using the GetListItems web service method, since we limit ourselves to the SharePoint Lists web service in this context).

<Batch>
  <Method ID='1' Cmd='Delete'>
    <Field Name='ID'> TheMissingID </Field>
  </Method>
</Batch>

The solution starts here: a method that returns an ArrayList of item IDs, to be used by the batch delete method. The GetListIDs method uses the GetListItems web service method to retrieve only one field – the item ID – for all the items in the list.

using System;
using System.Collections;
using System.IO;
using System.Net;
using System.Xml;

// WS_TopDealLists is the web reference generated for the Lists.asmx service.
public static ArrayList GetListIDs(String ListName)
{
    WS_TopDealLists.Lists listService = new WS_TopDealLists.Lists();
    listService.Credentials =
        new NetworkCredential("username", "PASS****", "domain");
    listService.Url =
        "http://SPServer/sites/SiteCollection/sandbox/_vti_bin/Lists.asmx";

    XmlDocument xmlDoc = new System.Xml.XmlDocument();

    // Ask for the ID field only, to keep the response small.
    XmlNode ndViewFields =
        xmlDoc.CreateNode(XmlNodeType.Element, "ViewFields", "");
    ndViewFields.InnerXml = "<FieldRef Name='ID' />";

    XmlNode ndListItems =
        listService.GetListItems(ListName, null, null,
        ndViewFields, null, null, null);

    // Convert the returned rowset fragment to an XmlReader
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.ConformanceLevel = ConformanceLevel.Fragment;
    settings.IgnoreWhitespace = true;
    settings.IgnoreComments = true;
    XmlReader xmlReader =
        XmlReader.Create(new StringReader(ndListItems.OuterXml), settings);

    ArrayList IDsList = new ArrayList();

    // Each list item comes back as a z:row element with an ows_ID attribute.
    while (xmlReader.Read())
    {
        if (xmlReader.Name == "z:row")
            IDsList.Add(xmlReader.GetAttribute("ows_ID").ToString());
    }

    return IDsList;
}

And here’s the Delete method, which takes the IDs ArrayList returned by the GetListIDs method and constructs one delete XML batch. With that we’re done: all items are deleted in one shot.

using System;
using System.Collections;
using System.Net;
using System.Xml;

public static void DeleteItems(String ListName, ArrayList IDs)
{
    if (IDs.Count == 0)
        return;

    WS_TopDealLists.Lists listService = new WS_TopDealLists.Lists();
    listService.Credentials =
        new NetworkCredential("username", "PASS****", "domain");
    listService.Url =
        "http://SPServer/sites/SiteCollection/sandbox/_vti_bin/Lists.asmx";

    // Build one <Method Cmd='Delete'> element per item ID.
    string strBatch = "";

    foreach (String ID in IDs)
    {
        strBatch += "<Method ID='1' Cmd='Delete'>" +
            "<Field Name='ID'>" + ID + "</Field></Method>";
    }

    // Wrap the methods in a <Batch> element and send the whole batch in one call.
    XmlDocument xmlDoc = new System.Xml.XmlDocument();
    XmlElement elBatch = xmlDoc.CreateElement("Batch");

    elBatch.InnerXml = strBatch;

    listService.UpdateListItems(ListName, elBatch);
}
