How attacks works? Learn how XSS, CSRF and NoSQL injection are working and secure your app on MEAN (MongoDB, Express.js, Angular.js, Node,js) stack.

1. JAVASCRIPT SECURITY
RAN BAR-ZIK, HPE 2016

2. RAN BAR-ZIK Blogger an
writer @
internet-
Israel.com
[Hebrew]
Software
developer
at HPE
Father of 4
children
Marathoner
Expert in
PowerPoint
:P
Connect
with me
on
LinkedIn

3. HACKERS - MYTH
Source: https://commons.wikimedia.org/wiki/File:Hacker_-_Hacking_-_Symbol.jpg

4. HACKERS - REALITY
Source: https://pixabay.com/static/uploads/photo/2014/04/03/11/55/robot-312566_960_720.png

5. HACKS CYCLE
Security hole
created
Someone finds it
(Vulnerability test,
penetration testing etc.)
Patch is
being issues
Hackers track the patch list
and create bot
Programmer
create code

6. YOU DON’T NEED TO BE A HACKER TO PROTECT
YOURSELF
• You don’t need to be a professional burglar in order to know how to lock doors.
• First know about the attack, and then learn how to deal with it.
• Implementing security in JavaScript is easy, fun and can win you true love!

7. XSS – CROSS SIDE SCRIPTING
XSS is very simple:
Attacker can
insert custom
JavaScript to the
site.

8. TWO MAIN WAYS TO HELL XSS
• By not validating the input before insertion to the DataBase.
• By not sanitizing the output before showing it to the user.

9. VALIDATE
Input validation on server side.
Making sure that the input is what you want.
Using node.js? Great! Use validate.js module, this is what we do.

10. VALIDATE.JS EXAMPLE
var express = require("express");
var validation = require("validator");
var bodyParser = require("body-parser");
var app = express();
app.use(bodyParser.urlencoded({ extended: false }));
app.get('/',function(req,res){
res.sendFile(__dirname + '/form.html');
});
/* Form will redirect here with Input data */
app.post('/validateform',function(req,res){
if(!validation.isEmail(req.body.email)) {
//True or false return by this function.
res.send("Email is Bad");
} else if(!validation.isAlpha(req.body.user_name)) {
res.send("Name is Bad");
} else {
res.send("Form submitted");
}
});
app.listen(4000);

11. WHY HASSLE? USE EXPRESS.JS MIDDLEWARE
Express.js entry
point
express-
validator middle
ware
All your strings
are validated
See for yourself! https://github.com/ctavan/express-validator

12. SANITIZATION
Simple: Do not allow running
JavaScript code in the output.

13. DOING SANITIZATION
• Using angular.js? It comes free without charge!
Even ngBindHtml is not allowing <script> tag.
• Using another platform? Use the sanitization tools that come with it.

14. There are more ways to insert JavaScript to
elements!
Meet the wonderful world of HTML5
vulnerabilities!
Allowing users to insert <videos> elements?
<video><source onerror="alert(1)">
Will work on ChromeFirefox
Check https://html5sec.org/

15. CROSS SITE REQUEST FORGERY (CSRF)
• Every site operation is REST API request. For example:
• GET /users
• DELETE user/123
• PUT user/123 {role: admin}

16. <a href="https://most-secured-site.com/delete-
all-users">
Click here to see the model naked!
<img src="hot_model_almost_naked" />
</a>

17. SOLUTION TO CSRF
Use tokens!
Server generated unique strings that is based on
some hash value + time and generated every time
the form is outputted and submitted along the
form.
No valid token? Get out!

18. HOW TO IMPLEMENT CSRF?
In node.js Express.js just use csurf middleware!
https://github.com/expressjs/csurf
Make sure to implement it both on client and server side!

19. SQL INJECTION IN NOSQL DATABASENODE.JS
• SQL Injection can be performed on any database.
• The Database can be MongoDB, the server can be Node.js, but the method is the same.

20. NOSQL INJECTION IN MONGODB
db.users.find({username: username, password: password});
app.post('/', function (req, res) {
db.users.find({username: req.body.username, password: req.body.password}, function (err,
users) {
// if it is True, run the following code.
});
});
POST http://target/ HTTP/1.1
Content-Type: application/json
{
"username": {"$gt": ""},
"password": {"$gt": ""}
}

21. SOLUTION TO SQL INJECTION
• Sanitize and validate, the same as XSS.

22. FINAL WORDS OF WISDOM