This talk is an extended version of my session at HTML5DevConf. It was held on Friday Nov. 20th 2015 at DevFest Asia / JSConf Asia in Singapore. The arena of proper authentication and data security standards is often some of the most misunderstood, confusing, and tricky aspects of building any Node site, app, or service, and the fear of data breaches with unencrypted or poorly encrypted data doesn’t make it any better. We’re going to tackle this field, exploring the proper methodologies for building secure authentication and data security standards. We’ll run through: - Building on top of OAuth 2 and OpenID Connect - Node middleware services for authentication - Working with proper hashing and salting algorithms, and avoiding others, for private user data - Common auth and security pitfalls and solutions In the end, we’re going to see that by understanding proper data security and authentication standards, pitfalls, and reasons for choosing one solution over another, we can make intelligent decisions on creating a solid infrastructure to protect our users and data.

1. Tim Messerschmidt
Head of Developer Relations, International
Braintree
@Braintree_Dev / @SeraAndroid
Node.js Authentication
and Data Security
#JSConfAsia

2. @SeraAndroid
Developer
Author
Evangelist

3. <3 Berlin

4. 4
That’s me

5. @Braintree_Dev / @SeraAndroid#JSConfAsia
+ Braintree
since 2013

6. @Braintree_Dev / @SeraAndroid#JSConfAsia
1. Introduction
2. Well-known security threats
3. Data Encryption
4. Hardening Express
5. Authentication middleware
6. Great resources
Content

8. @Braintree_Dev / @SeraAndroid#JSConfAsia
The Human Element

9. @Braintree_Dev / @SeraAndroid#JSConfAsia
1. 12345
2. password
3. 12345
4. 12345678
5. qwerty
bit.ly/1xTwYiA
Top 10 Passwords 2014
6. 123456789
7. 1234
8. baseball
9. dragon
10.football

10. @Braintree_Dev / @SeraAndroid#JSConfAsia
superman
batman
Honorary Mention

11. @Braintree_Dev / @SeraAndroid#JSConfAsia
Authentication
& Authorization

12. @Braintree_Dev / @SeraAndroid#JSConfAsia
OWASP Top 10bit.ly/1a3Ytvg

13. @Braintree_Dev / @SeraAndroid#JSConfAsia
1. Injection

14. @Braintree_Dev / @SeraAndroid#JSConfAsia
2. Broken Authentication

15. @Braintree_Dev / @SeraAndroid#JSConfAsia
3. Cross-Site Scripting
XSS

16. @Braintree_Dev / @SeraAndroid#JSConfAsia
4. Direct Object References

17. @Braintree_Dev / @SeraAndroid#JSConfAsia
5. Application Misconfigured

18. @Braintree_Dev / @SeraAndroid#JSConfAsia
6. Sensitive Data Exposed

19. @Braintree_Dev / @SeraAndroid#JSConfAsia
7. Access Level Control

20. @Braintree_Dev / @SeraAndroid#JSConfAsia
8. Cross-site Request Forgery
CSRF / XSRF

21. @Braintree_Dev / @SeraAndroid#JSConfAsia
9. Vulnerable Code

22. @Braintree_Dev / @SeraAndroid#JSConfAsia
10. REDIRECTS / FORWARDS

23. @Braintree_Dev / @SeraAndroid#JSConfAsia
Exploit Prevalence Detectability Impact Exploitability
Injection Common Medium Very High Easy
Broken Auth Very High Medium Very High Average
XSS Very High Easy Medium Average
Insecure DOR Common Easy Medium Easy
Misconfiguration Common Easy Medium Easy
Exposed Data Common Medium Very High Difficult
ACL Common Medium Medium Easy
CSRF Common Easy Medium Average
Vulnerable Code Very High Difficult Medium Average
Redirects Common Easy Medium Average

24. @Braintree_Dev / @SeraAndroid#JSConfAsia
HashingMD5, SHA-1, SHA-2, SHA-3

25. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

26. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

27. @Braintree_Dev / @SeraAndroid#JSConfAsia
ishouldnotbedoingthis
arstechnica.com/security/2015/09/ashley-madison-passwords-like-
thisiswrong-tap-cheaters-guilt-and-denial

28. @Braintree_Dev / @SeraAndroid#JSConfAsia
ishouldnotbedoingthis
whyareyoudoingthis
arstechnica.com/security/2015/09/ashley-madison-passwords-like-
thisiswrong-tap-cheaters-guilt-and-denial

29. @Braintree_Dev / @SeraAndroid#JSConfAsia
ishouldnotbedoingthis
whyareyoudoingthis
justtryingthisout
arstechnica.com/security/2015/09/ashley-madison-passwords-like-
thisiswrong-tap-cheaters-guilt-and-denial

30. @Braintree_Dev / @SeraAndroid#JSConfAsia
ishouldnotbedoingthis
whyareyoudoingthis
justtryingthisout
thebestpasswordever
arstechnica.com/security/2015/09/ashley-madison-passwords-like-
thisiswrong-tap-cheaters-guilt-and-denial

31. @Braintree_Dev / @SeraAndroid#JSConfAsia
Efficient Hashingcrypt, scrypt, bcrypt, PBKDF2

32. @Braintree_Dev / @SeraAndroid#JSConfAsia
10.000 iterations user system total
MD5 0.07 0.0 0.07
bcrypt 22.23 0.08 22.31
md5 vs bcrypt
github.com/codahale/bcrypt-ruby

33. @Braintree_Dev / @SeraAndroid#JSConfAsia
Salted Hashingalgorithm(data + salt) = hash

34. @Braintree_Dev / @SeraAndroid#JSConfAsia
use strict

35. @Braintree_Dev / @SeraAndroid#JSConfAsia
Regexowasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

36. @Braintree_Dev / @SeraAndroid#JSConfAsia
Character Encodingw3schools.com/html/html_entities.asp

37. @Braintree_Dev / @SeraAndroid#JSConfAsia
X-Powered-By

38. @Braintree_Dev / @SeraAndroid#JSConfAsia
NODE-UUIDgithub.com/broofa/node-uuid

39. @Braintree_Dev / @SeraAndroid#JSConfAsia
GET /pay?amount=20&currency=EUR&amount=1
HTTP Parameter Pollution
req.query.amount = ['20', '1'];
POST amount=20&currency=EUR&amount=1
req.body.amount = ['20', '1'];

40. @Braintree_Dev / @SeraAndroid#JSConfAsia
bcryptgithub.com/ncb000gt/node.bcrypt.js

41. @Braintree_Dev / @SeraAndroid#JSConfAsia
A bcrypt generated Hash
$2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS

42. @Braintree_Dev / @SeraAndroid#JSConfAsia
bcrypt.hash('cronut', 12, function(err, hash) {
// store hash
});
bcrypt.compare('cronut', hash, function(err, res) {
if (res === true) {
// password matches
}
});
Generating a Hash using bcrypt

43. @Braintree_Dev / @SeraAndroid#JSConfAsia
CSURFgithub.com/expressjs/csurf

44. @Braintree_Dev / @SeraAndroid#JSConfAsia
Using Csurf as middleware
var csrf = require('csurf');
var csrfProtection = csrf({ cookie: false });
app.get('/form', csrfProtection, function(req, res) {
res.render('form', { csrfToken: req.csrfToken() });
});
app.post('/login', csrfProtection, function(req, res) {
// safe to continue
});

45. @Braintree_Dev / @SeraAndroid#JSConfAsia
extends layout
block content
h1 CSRF protection using csurf
form(action="/login" method="POST")
input(type="text", name="username=", value="Username")
input(type="password", name="password", value="Password")
input(type="hidden", name="_csrf", value="#{csrfToken}")
button(type="submit") Submit
Using the token in your template

46. @Braintree_Dev / @SeraAndroid#JSConfAsia
Helmetgithub.com/HelmetJS/Helmet

47. @Braintree_Dev / @SeraAndroid#JSConfAsia
var helmet = require(‘helmet’);
app.use(helmet.noCache());
app.use(helmet.frameguard());
app.use(helmet.xssFilter());
…
// .. or use the default initialization
app.use(helmet());
Using Helmet with default options

48. @Braintree_Dev / @SeraAndroid#JSConfAsia
Helmet for Koagithub.com/venables/koa-helmet

49. @Braintree_Dev / @SeraAndroid#JSConfAsia
Luscagithub.com/krakenjs/lusca

50. @Braintree_Dev / @SeraAndroid#JSConfAsia
var lusca = require('lusca');
app.use(lusca({
csrf: true,
csp: { /* ... */},
xframe: 'SAMEORIGIN',
p3p: 'ABCDEF',
xssProtection: true
}));
Applying Lusca as middleware

51. @Braintree_Dev / @SeraAndroid#JSConfAsia
Lusca for Koagithub.com/koajs/koa-lusca

52. @Braintree_Dev / @SeraAndroid#JSConfAsia
1. Application-level
2. Route-level
3. Error-handling
Types of Express Middleware

53. @Braintree_Dev / @SeraAndroid#JSConfAsia
var authenticate = function(req, res, next) {
// check the request and modify response
};
app.get('/form', authenticate, function(req, res) {
// assume that the user is authenticated
}
// … or use the middleware for certain routes
app.use('/admin', authenticate);
Writing Custom Middleware

54. @Braintree_Dev / @SeraAndroid#JSConfAsia
Passportgithub.com/jaredhanson/passport

55. @Braintree_Dev / @SeraAndroid#JSConfAsia
passport.use(new LocalStrategy(function(username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) {
return done(null, false, { message: 'Incorrect username.' });
}
if (!user.validPassword(password)) {
return done(null, false, { message: 'Incorrect password.' });
}
return done(null, user);
});
}));
Setting up a passport strategy

56. @Braintree_Dev / @SeraAndroid#JSConfAsia
// Simple authentication
app.post('/login', passport.authenticate(‘local'), function(req, res) {
// req.user contains the authenticated user
res.redirect('/user/' + req.user.username);
});
// Using redirects
app.post('/login', passport.authenticate('local', {
successRedirect: ‘/',
failureRedirect: ‘/login’,
failureFlash: true
}));
Using Passport Strategies for Authentication

57. @Braintree_Dev / @SeraAndroid#JSConfAsia
NSPnodesecurity.io/tools

59. @Braintree_Dev / @SeraAndroid#JSConfAsia
Passwordless Authmedium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

60. @Braintree_Dev / @SeraAndroid#JSConfAsia
OWASP Node Goatgithub.com/OWASP/NodeGoat

61. @Braintree_Dev / @SeraAndroid#JSConfAsia
Node Securitynodesecurity.io/resources

62. @Braintree_Dev / @SeraAndroid#JSConfAsia
Fast Identity Onlinefidoalliance.org

63. @Braintree_Dev / @SeraAndroid#JSConfAsia
Security Beyond Current Mechanisms
1. Something you have
2. Something you know
3. Something you are

64. @Braintree_Dev / @SeraAndroid#JSConfAsia
Favor security too much over the
experience and you’ll make the
website a pain to use.
smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form

65. @SeraAndroid
tim@getbraintree.com
slideshare.com/paypal
braintreepayments.com/developers
Thank You!