Discuss any four of the top Web Application Security Risks as they apply to node.js, and describe their countermeasures using code examples and/or packages that exist to protect against them.
I will try to explain the 4 most important security needs for Node.js (as far as I am concerned).
Prevent automated attacks:
Any webpage will be affected by automated attacks, which cause severe problems like traffic flooding and can lead to the shutdown of the server.
This can be prevented using "multi-factor authentication".
Instead of using normal passwords in the database, it is always recommended to use existing solutions like Firebase Auth, OAuth, etc.
Also, in Node.js, use the npm package Speakeasy, which helps in implementing 2FA for an application by generating one-time tokens.
var speakeasy = require("speakeasy");
// generate a new secret for this user; it is returned as ascii, hex, base32 and an otpauth_url (for a QR code)
var secret = speakeasy.generateSecret({length: 20});
// generate the current 6 digit code from the base32 secret (the same code the user's authenticator app shows)
var token = speakeasy.totp({
  secret: secret.base32,
  encoding: 'base32'
});
// verify the token sent by the client (req is an Express request here); returns true if it matches
// the code for the current 30 second time step or any of the 6 steps before or after it
var tokenValidates = speakeasy.totp.verify({
  secret: secret.base32,
  encoding: 'base32',
  token: req.query.token,
  window: 6
});
// calculate the time step difference: returns {delta: n} when the token is valid, undefined otherwise
var tokenDelta = speakeasy.totp.verifyDelta({
  secret: secret.base32,
  encoding: 'base32',
  token: req.query.token
});
Discard sensitive data after use:
According to OWASP, sensitive data exposure has been the vulnerability with the most common impact.
To avoid sensitive data exposure, make sure passwords are hashed with strong hashing functions such as Argon2.
Enforcing HTTP Strict Transport Security (HSTS) on TLS will prevent packet sniffing and man-in-the-middle attacks by allowing access to your app over HTTPS only.
Configure HSTS for Node applications as follows (install the hsts library first):
const express = require('express')
const hsts = require('hsts')
const app = express()
const sixtyDaysInSeconds = 5184000
// sends Strict-Transport-Security: max-age=5184000 on every response;
// browsers only honour the header when it arrives over HTTPS
app.use(hsts({
  maxAge: sixtyDaysInSeconds,
  includeSubDomains: false
}))
Patch old XML processors:
Older XML processors by default allow the specification of an external entity. A successful XXE injection attack can seriously compromise the application it is performed on and its underlying server. For example, consider the normal, simple XML document below:
<?xml version="1.0" encoding="ISO-8859-1"?>
<xml>
  <email>[email protected]</email>
</xml>
Instead of this, if an attacker uses the document below,
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY bar SYSTEM "file:///etc/passwd" >]>
<xml>
  <email>[email protected]</email>
  <foo>&bar;</foo>
</xml>
he can easily get the password file. To solve this problem, use the package named libxmljs.
For example, consider the code below (you need to install this npm package):
var libxml = require("libxmljs");
// noent: false leaves entity references unexpanded, so &bar; is never resolved to file:///etc/passwd
var parserOptions = {
  noblanks: true,
  noent: false,
  nocdata: true
};
// parse untrusted XML (data is the raw request body) and reject it on any parse error
function parseUntrustedXml(data) {
  try {
    var doc = libxml.parseXmlString(data, parserOptions);
    return Promise.resolve(doc);
  }
  catch (e) {
    return Promise.reject('Xml parsing error');
  }
}
Enforce access control on every request:
Poor functional testing can lead to broken access control in the application, which helps the attacker easily get into our system.
One way to stay ahead of this vulnerability is by manually testing application modules that require specific user permissions.
For example, if a normal, regular signed-in user can access the admin page, then the whole system has to be tested again, as there is a major problem.
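As an added example (not part of the answer above, and not speakeasy's own code), the following shows what speakeasy's totp and verify calls do internally, implemented with only Node's built-in crypto module: RFC 4648 base32 decoding of the secret, RFC 4226 HOTP, RFC 6238 TOTP, and a verify function with a time-step window, a constant-time comparison, and a last-used-counter check so that a captured code cannot be replayed (something the speakeasy snippet alone does not give you). The TEST_SECRET_BASE32 constant is the RFC test secret, not a real credential, and all function names are this example's own.

```javascript
const crypto = require('crypto');

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Decode an RFC 4648 base32 string (the format speakeasy exposes as secret.base32) to raw bytes.
function base32Decode(str) {
  const clean = str.toUpperCase().replace(/=+$/, '');
  let bits = 0;
  let value = 0;
  const out = [];
  for (const ch of clean) {
    const idx = BASE32_ALPHABET.indexOf(ch);
    if (idx < 0) throw new Error('invalid base32 character: ' + ch);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): HOTP with counter = floor(unixSeconds / step); 30 second steps by default.
function totp(secret, unixSeconds, step = 30, digits = 6) {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Verify a client token against the current time step plus/minus `window` steps (what
// speakeasy's window option does). Compares in constant time and refuses any counter at or
// below `lastCounter` (the counter of the last code this user successfully used), so a
// code that was sniffed or phished cannot be replayed. Returns { delta, counter } or null.
function verifyTotp(secret, token, unixSeconds, { window = 1, step = 30, digits = 6, lastCounter = -1 } = {}) {
  if (typeof token !== 'string' || token.length !== digits || !/^\d+$/.test(token)) return null;
  const current = Math.floor(unixSeconds / step);
  for (let delta = -window; delta <= window; delta++) {
    const counter = current + delta;
    if (counter < 0 || counter <= lastCounter) continue; // never valid, or already used
    const expected = hotp(secret, counter, digits);
    if (crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(token))) {
      return { delta, counter };
    }
  }
  return null;
}

// Constructed example secret: the RFC 4226/6238 test key "12345678901234567890" in base32.
const TEST_SECRET_BASE32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
```

After a successful verifyTotp, persist the returned counter as that user's lastCounter; with that in place, a valid code is accepted exactly once even inside the window.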
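Added example, not from the answer: the answer relies on libxmljs's noent option, but the simplest XXE countermeasure is to refuse any input that carries a DTD before it reaches a parser at all, since an application that never sends DOCTYPE declarations never needs to accept them. The function below (this example's own, using only Node built-ins) fails closed on <!DOCTYPE, <!ENTITY and any entity reference other than the five predefined ones and numeric character references, and it rejects buffers containing NUL bytes so that a UTF-16-encoded payload cannot slip past an ASCII substring match. The two documents are constructed from the answer's XML, with a placeholder address.

```javascript
// Constructed inputs modelled on the answer's two documents (placeholder address).
const BENIGN = `<?xml version="1.0" encoding="ISO-8859-1"?>
<xml>
  <email>user@example.com</email>
</xml>`;

const XXE = `<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY bar SYSTEM "file:///etc/passwd" >]>
<xml>
  <email>user@example.com</email>
  <foo>&bar;</foo>
</xml>`;

// Pre-parse gate for untrusted XML. Returns { ok: true } or { ok: false, reason }.
// Run this on the raw request body before handing it to any XML parser.
function checkForDtd(xml) {
  if (Buffer.isBuffer(xml)) {
    // A UTF-16 body decodes "<!DOCTYPE" as "<\0!\0D\0..." and would dodge the regexes
    // below, so anything that is not plain UTF-8 is refused outright.
    if (xml.includes(0)) return { ok: false, reason: 'NUL byte in body (non-UTF-8 encoding)' };
    xml = xml.toString('utf8');
  }
  const text = String(xml);
  // Fail closed: a DOCTYPE or ENTITY declaration anywhere in the input is rejected,
  // even inside a comment. A false positive costs one request; a miss costs /etc/passwd.
  for (const re of [/<!DOCTYPE/i, /<!ENTITY/i]) {
    if (re.test(text)) return { ok: false, reason: re.source + ' is not allowed' };
  }
  // With no DTD there is nothing to declare entities, so only the predefined ones
  // (amp, lt, gt, quot, apos) and numeric character references may appear.
  const ref = /&([^;\s<]+);/g;
  let m;
  while ((m = ref.exec(text)) !== null) {
    const name = m[1];
    if (!/^(amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+)$/.test(name)) {
      return { ok: false, reason: 'undeclared entity reference &' + name + ';' };
    }
  }
  return { ok: true };
}
```

This gate complements, rather than replaces, parser hardening: keep noent off (and do not enable dtdload or network access) in the parser as well, so that a document which somehow bypasses the gate still cannot resolve an external entity.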
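Added example, not from the answer, of what enforcing access control on every request looks like in code rather than only in manual testing: a deny-by-default policy table that is consulted for every request before the handler runs, with a role check and an ownership check for the per-user route, so that a signed-in regular user reaching the admin page (the answer's failure case) is refused by construction. The routes, roles and request objects are constructed for this example; req.user stands for whatever the server-side session lookup returned, never a role sent by the client.

```javascript
// Constructed policy table: every route declares which roles may call it and whether the
// caller must own the resource. A request that matches no entry is denied.
const ROUTES = {
  'GET /health': { roles: ['anonymous', 'user', 'admin'] },
  'GET /profile/:id': { roles: ['user', 'admin'], ownerOnly: true },
  'PUT /profile/:id': { roles: ['user', 'admin'], ownerOnly: true },
  'GET /admin': { roles: ['admin'] },
};

// Match a request against the policy table. Returns { policy, params } or null.
function matchRoute(method, rawPath) {
  const path = rawPath.split('?')[0];
  let reqSegs;
  try {
    reqSegs = path.split('/').filter(Boolean).map(decodeURIComponent);
  } catch (e) {
    return null; // malformed percent-encoding: unmatched, hence denied
  }
  for (const [pattern, policy] of Object.entries(ROUTES)) {
    const [pMethod, pPath] = pattern.split(' ');
    if (pMethod !== method.toUpperCase()) continue;
    const patSegs = pPath.split('/').filter(Boolean);
    if (patSegs.length !== reqSegs.length) continue;
    const params = {};
    let matched = true;
    for (let i = 0; i < patSegs.length; i++) {
      if (patSegs[i].startsWith(':')) params[patSegs[i].slice(1)] = reqSegs[i];
      else if (patSegs[i] !== reqSegs[i]) { matched = false; break; }
    }
    if (matched) return { policy, params };
  }
  return null;
}

// The per-request check, run before any handler. `req.user` is the result of the
// server-side session lookup (id and role from our own store); absent means anonymous.
// Returns { status: 200 } to proceed, or the status and reason to refuse with.
function authorize(req) {
  const user = req.user || { id: null, role: 'anonymous' };
  const match = matchRoute(req.method, req.path);
  if (!match) return { status: 403, reason: 'no access policy for this route' };
  const { policy, params } = match;
  if (!policy.roles.includes(user.role)) {
    return { status: user.role === 'anonymous' ? 401 : 403, reason: 'role not permitted' };
  }
  // Ownership: a regular user may only touch their own record (no IDOR via a guessed id).
  if (policy.ownerOnly && user.role !== 'admin' && params.id !== String(user.id)) {
    return { status: 403, reason: 'not the owner of this resource' };
  }
  return { status: 200 };
}
```

In an Express application this would be mounted once with app.use, ahead of every route, so that adding a new endpoint without a policy entry produces a 403 rather than an unprotected page; the manual test the answer describes (can a regular user load /admin?) then becomes a unit test against authorize.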