Fusker – NodeJS Security
Security that fights back
Eric Schoffstall @wearefractal

Comparisons
Better than when Mork Zoonerberg invented Fezbook
Cooler than existing NodeJS security frameworks Mac Zerkerberg
WUTS DAT? THERE ARE NO SECURITY FRAMEWORKS

Why is Fusker so hot?
Modular design
Flexible
Easy integration
Written in Coffeescript
Funny as hell

Integration/Support
Can wrap Socket.IO
Compatible with UselessJS
Can be used as Connect/Express middleware
Easy to modify and integrate with any other frameworks

All your logs are belong to us
Logs are saved any time an attack is detected. Socket and HTTP attacks are saved in separate files.

```
[- ATTACK DETAILS FOR Fri Aug 12 2011 19:28:33 GMT-0700 (MST) -]
--> Detective: SQLi-0
--> Request: GET /index.html?id=1'%20OR%20'1'='1'
--> IP: 127.0.0.1
[- END ATTACK DETAILS -]
```

Before switching to Fusker

```javascript
var http = require('http');
var url = require('url');
var sys = require('sys');
var fs = require('fs');
var path = require('path');
var socketio = require('socket.io'); // omitted on the slide, but needed for socketio.listen() below

var serv = http.createServer(function (req, res) {
  var file = url.parse(req.url).pathname;
  if (file === '/') {
    file = '/index.html';
  }
  // Note: the file path is taken directly from the request URL, and a failed read sends no response.
  fs.readFile(file, function (err, data) {
    if (!err) {
      res.writeHead(200);
      res.write(data, 'utf8');
      res.end();
    }
  });
});
serv.listen(8080);
var io = socketio.listen(serv);
```

After switching to Fusker

```javascript
var fusker = require('fusker');
var server = fusker.http.createServer(8080);
var io = fusker.socket.listen(server);
```

Fusker can also treat 404s as a threat to punish people who are snooping around your server

The blacklist payload will add users to a blacklist and drop all future incoming requests

Configuration

```javascript
fusker.config.dir = process.cwd();
fusker.config.banLength = 1;
fusker.config.verbose = true;
fusker.http.detectives.push('csrf', 'xss', 'sqli', 'lfi', '404');
fusker.http.payloads.push('blacklist', 'bush');
fusker.socket.detectives.push('xss', 'sqli', 'lfi');
fusker.socket.payloads.push('blacklist');
```

Loop through them and test against incoming data
Call handleAttack if a test is positive

Lots of fun to be had messing with people trying to hack you

```javascript
// A payload module: redirect a detected attacker to nyan.cat
exports.run = function (req, res) {
  res.writeHead(302, {'Location': 'http://nyan.cat/'});
  res.end();
};
```
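The detective/payload loop described above, as an added example in Node-style JavaScript that is not code from the Fusker project: detectives are tested in a loop against each request, handleAttack writes an entry in the layout from the logging slide and runs the payloads, and the blacklist payload drops every later request from that IP. All names here (detectives, payloads, inspect, handleAttack, the request fields) are assumptions, and the detection patterns are toy ones for illustration.

```javascript
// Added example, not Fusker's own code: a toy version of the detective ->
// handleAttack -> payload loop the slides describe. Detective names, log
// layout and blacklist behaviour follow the slides; all other names are assumed.
const blacklist = new Set();   // IPs added by the 'blacklist' payload
const attackLog = [];          // stand-in for the per-attack log file
// decodeURIComponent throws on malformed escapes; fall back to the raw string.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}
// Detectives return true when a request looks like an attack (toy patterns).
const detectives = {
  sqli: (req) => /'\s*(or|and)\s*'?\w+'?\s*=/i.test(safeDecode(req.url)),
  lfi: (req) => /\.\.[\/\\]/.test(safeDecode(req.url)),
  '404': (req) => req.notFound === true,
};
// Payloads run against the request once a detective fires.
const payloads = {
  blacklist: (req) => { blacklist.add(req.ip); },
};
// Mirrors the detectives.push(...) / payloads.push(...) configuration slide.
const activeDetectives = ['sqli', 'lfi', '404'];
const activePayloads = ['blacklist'];

// Entry in the layout shown on the "All your logs are belong to us" slide.
function formatLogEntry(detective, req, when = new Date().toString()) {
  return [
    `[- ATTACK DETAILS FOR ${when} -]`,
    `--> Detective: ${detective}`,
    `--> Request: ${req.method} ${req.url}`,
    `--> IP: ${req.ip}`,
    '[- END ATTACK DETAILS -]',
  ].join('\n');
}

function handleAttack(req, detective) {
  attackLog.push(formatLogEntry(detective, req));
  for (const name of activePayloads) payloads[name](req);
}

// Drop requests from blacklisted IPs; otherwise loop through the detectives
// and call handleAttack on the first positive test.
function inspect(req) {
  if (blacklist.has(req.ip)) return { dropped: true, detective: null };
  for (const name of activeDetectives) {
    if (detectives[name](req)) {
      handleAttack(req, name);
      return { dropped: false, detective: name };
    }
  }
  return { dropped: false, detective: null };
}
```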
Take a HWAK at it
You think you're a raw dog? You think you can beat fusker? fusker.nodester.com Come at me bro.

Links
Fusker: https://github.com/wearefractal/Fusker
Other Projects: https://github.com/Contra
Twitter: @wearefractal