
NodeJS Security

1 NodeJS Basics

1.1 Definition and Principles

Node.js is an open source, cross-platform runtime environment. With it, developers can use JavaScript to create a variety of server-side tools and applications. The runtime is used outside the browser context (it runs directly on the computer or server operating system).

1.2 Common Frameworks

Express is the most popular Node framework and is the underlying library for many other popular Node frameworks. Although Express itself is minimalist, developers solve almost all web development problems by creating various compatible middleware packages. These libraries implement cookies, sessions, user login, URL parameters, POST data, security headers and other functions.

Features:

Write handlers for requests (routing) using different HTTP verbs on different URL paths.

An integrated "view" rendering engine generates responses by inserting data into templates.

Set common web application settings, such as the port to listen on and the location of the templates used to render responses.

Add additional request-processing "middleware" at any point in the request-processing pipeline.

1.3 Node Environment

1.3.1 Basic Environment

Download address: https://nodejs.org/en/

Start with the HelloWorld program

const http = require('http');

http.createServer((req, res) => {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World\n');
}).listen(80);

(screenshot)

1.3.2 Express Environment Overview

Installation

npm install express

Start with the HelloWorld program

const express = require('express');
const app = express();

app.get('/hello', (req, res) => {
  res.send('Hello World');
});

app.listen(80, () => {
  console.log('listen on 80');
});

2 Express and Its Components

2.1 Routing Module

The function of routing is to parse the URL and call the corresponding controller (method), passing it the parameters.

The client's request reaches the server as a URL. In traditional web development the URL corresponds to a file in a directory on the server. MVC development changed this correspondence: the web server intercepts all requests, performs no check that the resource exists, and forwards them directly to the site's routing program.

The router then calls the relevant controller. The controller calls the related service and returns a view object. The router extracts the generated page code from the view object and returns it to the web server, which finally returns it to the client.

For example:

download.js

const express = require('express');
const router = express.Router();

router.get('/', (req, res) => {
  res.send('download page');
});

router.get('/docs', (req, res) => {
  res.send('download page docs');
});

module.exports = router;

main.js

const express = require('express');
const app = express();
const download = require(__dirname + '/download.js');

app.use('/download', download);

app.get('/', (req, res) => {
  res.send('Hello World');
});

app.get('/news', (req, res) => {
  res.send('news page');
});

app.listen(80, () => {
  console.log('listen on 80');
});

app.use(fn) registers a middleware function that is called for all paths and all HTTP methods.

app.get('/') binds a handler to GET requests whose path is exactly /.

app.use('/download', router) mounts the router on every request whose path begins with /download.

(screenshot)

2.1 Middleware

Middleware is used widely in Express applications. Most applications use third-party middleware to simplify common web development tasks such as cookies, sessions, user authentication, parsing POST and JSON request bodies, logging, compressing HTTP responses, and more.

The order in which some middleware is introduced matters (for example, if the session middleware depends on the cookie middleware, the cookie handler must be added first). In most cases middleware must be registered before the routes are set up, otherwise the route handlers cannot use what the middleware provides. morgan is a logging middleware:

const express = require('express');
const app = express();
const download = require(__dirname + '/download.js');
const logger = require('morgan');

app.use(logger('dev'));

app.listen(80, () => {
  console.log('listen on 80');
});

app.use('/download', download);

app.get('/', (req, res) => {
  res.send('Hello World');
});

app.get('/news', (req, res) => {
  res.send('news page');
});

Middleware and route functions are called in the order in which they are declared.

2.2 Rendering

The Pug template engine is a robust, flexible and feature-rich HTML template engine developed specifically for the Node platform. Pug is the new name of Jade.

Nesting between tags is expressed through indentation, so during compilation there is no need to worry about whether a tag has been closed.
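To make the two rules above concrete (app.use matches by path prefix for every method, app.get matches one exact path for GET, and everything runs in declaration order), here is an added example that is not part of the original post and not Express's own code: a tiny Express-style pipeline written from scratch on Node built-ins only, so it runs without installing Express. The mounted "download" handler inspects the full URL rather than a stripped prefix, which is a simplification of what express.Router does.

```javascript
// Added example (not from the original post, not Express's code): a minimal
// Express-style dispatcher. use(path, fn) matches any request whose URL begins
// with `path` (any method); get(path, fn) matches only GET requests whose URL
// is exactly `path`; handlers run in declaration order and each one decides
// whether to call next(). handle() runs synchronously and returns the response
// together with a trace of which handlers ran, so the ordering is visible.
function createApp() {
  const stack = [];

  function use(path, fn) {
    if (typeof path === 'function') { fn = path; path = '/'; }   // app.use(fn)
    stack.push({ path, fn, method: null, exact: false });
  }

  function get(path, fn) {
    stack.push({ path, fn, method: 'GET', exact: true });
  }

  function matches(layer, req) {
    if (layer.method && layer.method !== req.method) return false;
    if (layer.exact) return req.url === layer.path;
    if (layer.path === '/') return true;
    // prefix match on a whole segment: '/download' matches '/download' and
    // '/download/docs' but not '/downloads'
    return req.url === layer.path || req.url.startsWith(layer.path + '/');
  }

  function handle(req) {
    const res = { statusCode: 200, body: null, trace: [] };
    let i = 0;
    function next() {
      while (i < stack.length) {
        const layer = stack[i++];
        if (matches(layer, req)) {
          res.trace.push(layer.fn.name || 'anonymous');
          layer.fn(req, res, next);
          return;
        }
      }
      res.statusCode = 404;                       // nothing matched
      res.body = 'Cannot ' + req.method + ' ' + req.url;
    }
    next();
    return res;
  }

  return { use, get, handle };
}

// Same layout as the post: logger first, then the mounted download routes,
// then a route, then a middleware declared too late to see that route.
function buildDemoApp() {
  const app = createApp();
  app.use(function logger(req, res, next) { next(); });
  app.use('/download', function download(req, res, next) {
    if (req.url === '/download') { res.body = 'download page'; return; }
    if (req.url === '/download/docs') { res.body = 'download page docs'; return; }
    next();
  });
  app.get('/', function home(req, res) { res.body = 'Hello World'; });
  app.use(function tooLate(req, res, next) { next(); });  // only reached when nothing above ended the response
  return app;
}

// Quick demonstration when run directly: which handlers ran for each request.
for (const url of ['/', '/download/docs', '/downloads']) {
  const r = buildDemoApp().handle({ method: 'GET', url });
  console.log(url, r.statusCode, r.trace.join(' -> '), JSON.stringify(r.body));
}
```

Because `home` ends the response without calling next(), `tooLate` never sees GET /; a session or body-parsing middleware registered after the routes would be skipped in exactly the same way.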

pugDemo:

const express = require('express');
const app = express();
const path = require('path');

app.listen(80, () => {
  console.log('listening on 80');
});

app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');

app.get('/', function(req, res) {
  res.render('index', {title: 'Hello', message: 'hello world pug engine'})
})

views/index.pug

html
  head
    title= title
  body
    h1= message

(screenshot)

3 Threat Analysis

3.1 Common Vulnerabilities

Code execution, command execution, XSS, SQL injection, SSRF, file upload.

Node.js has some built-in protection against certain classic web vulnerabilities, while some issues that are not obvious in other languages are more prominent in Node.js:

require chain hijacking (package poisoning), regular expression denial of service (ReDoS), unsafe packages.

3.2 Code Audit

3.2.1 Project Structure

(screenshot of the project structure)

3.2.2 Auditing Dependencies

nsp (Node Security Platform) was a tool for checking package dependencies against known vulnerabilities. After it was acquired by npm, the check became part of npm itself; in npm >= 6.0.0 use the following commands:

npm audit
npm audit fix

(screenshot)

3.2.3 Insecure Direct Object Reference
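Running npm audit by hand is fine for a one-off review; in a pipeline the useful form is `npm audit --json` with a gate on severity. The following is an added example, not from the original post and not npm's code: it assumes the npm 7+ report shape (a `vulnerabilities` map keyed by package plus `metadata.vulnerabilities` counts), and the sample report embedded in it is constructed for the example, not real audit output.

```javascript
// Added example (not from the original post): a CI gate over `npm audit --json`.
// Assumed report shape: npm 7+ (top-level `vulnerabilities` map keyed by package
// name, `metadata.vulnerabilities` severity counts). SAMPLE_REPORT is constructed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Findings at or above `minSeverity`, worst first, reduced to the fields a
// reviewer acts on: is it a direct dependency, and does a fix exist?
function findingsAbove(report, minSeverity) {
  const floor = SEVERITY_RANK[minSeverity];
  if (floor === undefined) throw new Error('unknown severity: ' + minSeverity);
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns)
    .filter((v) => SEVERITY_RANK[v.severity] >= floor)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity])
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      direct: Boolean(v.isDirect),
      fixAvailable: v.fixAvailable !== false,
    }));
}

// The gate itself: pass only when nothing meets the threshold. summaryCount is
// the same threshold applied to npm's own counts, as a cross-check that the
// per-package list and the summary agree.
function auditGate(report, minSeverity) {
  const hits = findingsAbove(report, minSeverity);
  const summary = (report.metadata && report.metadata.vulnerabilities) || {};
  const summaryCount = Object.keys(SEVERITY_RANK)
    .filter((s) => SEVERITY_RANK[s] >= SEVERITY_RANK[minSeverity])
    .reduce((n, s) => n + (summary[s] || 0), 0);
  return { pass: hits.length === 0, hits, summaryCount };
}

// Constructed sample report in the assumed npm 7+ shape (package names and
// advisory text are placeholders, not real advisories).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-regex-lib': {
      name: 'example-regex-lib', severity: 'high', isDirect: false,
      via: [{ title: 'Regular expression denial of service (constructed)' }],
      range: '<2.0.0', fixAvailable: true,
    },
    'example-template-lib': {
      name: 'example-template-lib', severity: 'moderate', isDirect: true,
      via: ['example-regex-lib'], range: '*', fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 },
  },
};

console.log(JSON.stringify(auditGate(SAMPLE_REPORT, 'high'), null, 2));
```

In a real pipeline the report would come from `npm audit --json > report.json` and the process exit code would follow `pass`; a finding with `fixAvailable: false` on a direct dependency is the case that needs a human decision rather than `npm audit fix`.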

function isAdmin(req, res, next) {
  if (req.user.role == 'admin')   // check whether the current user is admin
    return next();
  // otherwise, an error
  res.redirect('/403');
}

app.get('/admin', isAdmin, function(req, res) {
  res.send('secret');
});
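The role check above protects a whole route; an insecure direct object reference appears one step later, when a route such as /orders/:id looks up whatever id the client supplied without asking whether that caller may see that record. The following is an added example, not from the original post: a vulnerable lookup beside an object-level authorization check, with a constructed in-memory order store and constructed user objects so it runs without Express.

```javascript
// Added example (not from the original post): object-level authorization for
// a "view order" route. ORDERS and the req/user objects are constructed.
const ORDERS = [
  { id: 1, ownerId: 10, total: 42 },
  { id: 2, ownerId: 11, total: 99 },
];

function findOrder(id) {
  return ORDERS.find((o) => o.id === id) || null;
}

// Vulnerable: the id from the URL is the only input, so any caller can read
// any order by changing the number.
function vulnerableLookup(req) {
  const order = findOrder(Number(req.params.id));
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Hardened: require a user (req.user is absent when the session middleware
// did not run, so it is never dereferenced blindly), validate the id, then
// apply an ownership-or-admin rule. A foreign record returns 404 rather than
// 403 so the response does not confirm that the id exists.
function isAdmin(user) {
  return Boolean(user) && user.role === 'admin';
}

function canAccessOrder(user, order) {
  if (!user || !order) return false;
  return isAdmin(user) || order.ownerId === user.id;
}

function authorizedLookup(req) {
  if (!req.user) return { status: 401, body: null };
  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400, body: null };
  const order = findOrder(id);
  if (!canAccessOrder(req.user, order)) return { status: 404, body: null };
  return { status: 200, body: order };
}

// In Express the hardened version is a one-line route:
//   app.get('/orders/:id', (req, res) => {
//     const r = authorizedLookup(req);
//     res.status(r.status).json(r.body);
//   });
console.log(authorizedLookup({ user: { id: 10, role: 'user' }, params: { id: '2' } }));
```

The same `canAccessOrder` rule belongs on update and delete handlers as well; checking it only on the read path is the usual way an IDOR survives a review.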

3.2.4 Sensitive Information Disclosure

app.use(function(err, req, res, next) {
  res.status(500).send(err.stack);
})

3.2.5 Unvalidated Redirects and Forwards

SSRF

const request = require('request');

app.use('/redirect', function(req, res) {
  request(req.query.url, function(error, response, body) {   // fetches whatever URL the client supplies
    if (!error) {
      return res.send(body);
    }
  })
})

3.3 Security Configuration

Helmet sets the following HTTP response headers:

Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server

X-Frame-Options provides clickjacking protection

X-XSS-Protection enables the cross-site scripting (XSS) filter built into recent web browsers

X-Content-Type-Options prevents browsers from MIME-sniffing a response away from its declared content type

Content-Security-Policy prevents a wide range of attacks, including cross-site scripting and other cross-site injections

4 Common Issues

4.1 XSS

sudo docker pull registry.cn-shanghai.aliyuncs.com/yhskc/chatsys:latest
sudo docker run -d -p 0.0.0.0:32888:80 registry.cn-shanghai.aliyuncs.com/yhskc/chatsys

Pug XSS

Exercise 1: (screenshot)

The output is escaped, so it cannot be bypassed.

Exercise 2: (screenshot)

An unescaped output method is used, so a regular payload works directly.

(screenshot)

Exercise 3: (screenshot)

Inside a script tag the value is spliced directly into the line, so XSS works directly; payload: 1;alert(1)

(screenshot)

Exercise 4: (screenshot)

Still unescaped, so it can be spliced in directly.

(screenshot)

Exercise 5: (screenshot)

It was found that sensitive characters such as angle brackets, alert, and semicolons are filtered out.

(screenshot)

Bypass the filter with JSFuck:


[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[ ]])[+!+[]+[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+[]]+[])[!+[]+[]]+ [+!+[]+[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]+]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]+ ![]+[])[+[]]+(![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[]]+[]]+(![]+[])[+!+[]+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]+ (![]+[])[+!+[]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+[]+[]]+(![]+[])[+[]+[]]+(![]]+[]+[])[+[]+[]]+(![]]+[])[+!+[]+[]]+(![]+[])[! +!+[]+!+[]]+(![]+[])[+!+[]])[+!+[]]+(![]+[])[+!+[]]]+(![]+[])[+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]+ ]+(![]+[][(![]+[])[+[]]+[]]+([![]]+[]])[+!+[]+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+]+[]+[]]+(![]+[])[!+[]+!+[]]+ []]+(![]+[][(![]+[])[+[]]+([![]]+[][]])[+!+[]+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+[]+]+(![]+[])[!+[]+!+[]+]+(![]+[])[!+[]+!+[]])[!+[]+!+[]+[])[!+[]+]+[])[!+[]+!+[]])[!+[]+!+[]+[])[!+[]+!+[]])[!+[]+!+[]+[])()

(screenshot)