Node.js Security

Course Description

The benefits of the NodeJS platform keep growing, but it can still suffer from the same common web vulnerabilities as other web application frameworks and platforms. This course looks at solutions to common security pitfalls associated with using ExpressJS, Pug, and MongoDB. We'll also examine preventive measures for building a more secure application using a defense-in-depth approach.

Learning Objectives

  • Use bcrypt for password storage
  • Avoid common access control mistakes
  • Use HTTP headers for additional transport and session security
  • Audit third-party dependencies for known vulnerabilities

Details

Delivery Format: eLearning

Duration: 1 Hour

Level: Intermediate

Intended Audience

  • Architects
  • Back-End Developers
  • Front-End Developers

Prerequisites

Course Outline

Validating Data in ExpressJS

  • Validating Data Overview
  • What is Untrusted Data?
  • Where to Validate Data
  • Validating Data at the Request Layer
  • Validating Data at the Model Layer

Handling Authentication in NodeJS Applications

  • Protecting Passwords
  • Protecting Against User Enumeration
  • Locking User Accounts

Access Control in NodeJS

  • Principle of Least Privilege and Roles
  • Function-Level Access Controls
  • Access Control Mistakes

Session Management in ExpressJS

  • Session Hijacking
  • Enabling HttpOnly Flag
  • Enabling the Secure Flag
  • Session Timeouts
  • Session Fixation
  • Forcing Re-authentication

NodeJS Transport Security

  • TLS, SSL, and HTTPS
  • Importance of TLS
  • HTTP Strict Transport Security Header
  • Content Security Policy

Pug Security Concerns

  • Cross-Site Scripting
  • Commonly Used Templating Systems
  • Server-Side Template Injection

Preventing MongoDB Query Selector Injection Attacks

  • Injecting JavaScript
  • Injecting Operators

Managing Third-Party Dependencies

  • Unused Packages
  • Package Popularity
  • Check for Outdated Packages
  • Check for Known Vulnerabilities
  • Run a Private Repository

OAuth 2.0 Security v3.0

The Need for OAuth 2.0

  • An Example OAuth 2.0 Scenario
  • The Valet Key Analogy
  • Valet Keys in Our Application

Delegated Access with OAuth 2.0

  • A Brief History of OAuth 2.0
  • OAuth 2.0 Terminology
  • Conceptual Overview of OAuth 2.0
  • OAuth 2.0 Clients

Overview of OAuth 2.0 Grant Types

  • Overview of Different Grant Types and Their Purposes
  • Authorization Code Grant
  • Device Authorization Grant
  • Client Credentials Grant
  • Implicit Grant
  • Resource Owner Password Credentials Grant

Delegated Access from a Confidential Client

  • A Confidential Client Scenario
  • Delegated Access with the Authorization Code Flow
  • Security Properties of the Authorization Code Flow

Delegated Access from a Public Client

  • A Public Client Scenario
  • Augmenting the Authorization Code Grant with PKCE
  • Mobile and Native Clients
  • Frontend Web Clients
  • Security Properties of the Authorization Code Flow with PKCE

Long-Term Delegated Access

  • The Purpose of Access Tokens
  • Running a New Flow
  • Using Refresh Tokens
  • Securing Refresh Tokens

Common Pitfalls and Misconceptions

  • Mistaking OAuth 2.0 for What It Is Not
  • Abusing OAuth 2.0 for Authentication
  • Modifying OAuth 2.0 Flows

Wrapping up OAuth 2.0

  • The Core Concepts of OAuth 2.0
  • High-Level Security Considerations