Node.js Express Framework Security Issues


Problem description



I'm looking for modules that should be added to a Node/Express app that address the general security concerns listed below:

  • Injection Vulnerabilities (JavaScript, SQL, Mongo, HTML)
  • Session fixation and hijacking
  • Cross-Site Vulnerabilities (Scripting, Request Forgery)
  • Mass Assignment
  • insert relevant concern here

Thanks for your help!

----------

Some resources I've found:

Excellent talk (11/2012): http://lanyrd.com/2012/asfws/sxzbm/ (see slides)

ServerFault question (2011-2012): https://serverfault.com/questions/285123/is-node-js-mature-for-enterprise-security

Blog post on topic (9/2012): http://codefol.io/posts/29-Why-Rails-and-not-Sinatra-or-Node-js-

Exploit tester: https://code.google.com/p/skipfish/

Passport Module: https://github.com/jaredhanson/passport

EveryAuth Module: https://github.com/bnoguchi/everyauth

Solution

I wrote a blog post that gives a great starting point on Writing Secure Express.js Apps. It covers a few other things beyond csrf and helmet as was mentioned by zeMirco.

The other thing is you can't compare express.js to rails. They are apples and oranges. For example, there is no ORM that is bundled with Express; the implementation or use of a third-party module is up to you.

I'll try and give a breakdown of each of your concerns.

- Injection Vulnerabilities (JavaScript, SQL, Mongo, HTML)

Again, these are things not built into express. The closest thing would be XSS worries over injection in templates. Jade or EJS templates that are commonly used with express output encode < > " ' and & by default, but remember there are other contexts like user input into JavaScript or CSS that you would need to worry about.

- Session fixation and hijacking

Again see the blog post above, but Express is based on and uses most of the Connect middleware; one of these is the session middleware. Biggest thing here is to properly set your cookie flags.

- Cross-Site Vulnerabilities (Scripting, Request Forgery)

See above. It also comes with express.csrf() middleware. The blog post mentioned shows how to implement it.

- Mass Assignment

Not an issue with express.js as it has no concepts in which this type of vulnerability would be applicable; however, the custom logic you write may in fact be vulnerable to this problem, so again it's a problem of verifying if your code is vulnerable or if the third-party module you used is...
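Two of the points in the answer above are in the hands of the application code rather than Express itself: the output encoding that Jade/EJS apply for you, and mass assignment in your own update handlers. The following is an added, dependency-free Node.js example (not code from the original post or from Express) that makes both explicit; the user record, the field allow-list and the request body are constructed samples.

```javascript
'use strict';

// What Jade/EJS do by default: encode the five HTML-significant characters.
// This is only correct for HTML body/attribute contexts; a value dropped into
// a <script> block or a CSS rule needs encoding for that context instead.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mass assignment, "before": every field of the parsed request body is copied
// onto the stored record, so a client can set fields it should not own.
function updateProfileVulnerable(user, body) {
  return Object.assign({}, user, body);
}

// Hardened version: copy only an explicit allow-list of fields, and only own
// properties of the body, so keys such as isAdmin or __proto__ never reach the record.
const PROFILE_FIELDS = ['displayName', 'email', 'bio']; // constructed allow-list
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}
function updateProfileSafe(user, body) {
  return Object.assign({}, user, pickAllowed(body, PROFILE_FIELDS));
}

// Constructed sample data: a stored user and a body that tries to set isAdmin.
const storedUser = { id: 7, displayName: 'alice', email: 'a@example.com', isAdmin: false };
const requestBody = JSON.parse('{"displayName":"alice <script>","isAdmin":true}');

console.log('vulnerable isAdmin:', updateProfileVulnerable(storedUser, requestBody).isAdmin); // true
console.log('hardened isAdmin:  ', updateProfileSafe(storedUser, requestBody).isAdmin);       // false
console.log('rendered name:     ', escapeHtml(requestBody.displayName)); // alice &lt;script&gt;
```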
