LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

NodeSecurityShield - A Developer And Security Engineer Friendly Package For Securing NodeJS Applications

2 years ago 173
BOOK THIS SPACE FOR AD
ARTICLE AD

A Developer and Security Engineer friendly package for Securing NodeJS Applications.

Inspired by the log4J vulnerability (CVE-2021-44228) which can be exploited because an application can make arbitrary network calls.

We felt there is an need for an application to declare what privileges it can have so that exploitation of such vulnerabilities becomes harder.

To achieve this, NSS (Node Security Shield) has Resource Access Policy.

Resource Access Policy (RAP)

Resource Access Policy is similar to CSP(Content Security Policy).

It lets the developer/security engineer declare what resources an application should access. And Node Security Shield will enforce it.

Installation

Install Node Security Shield using npm

npm install nodesecurityshield

Usage

// Require Node Security Shield
let nodeSecurityShield = require('nodesecurityshield');

// Enable Attack Monitoring and/or Blocking
nodeSecurityShield.enableAttackMonitoring(resourceAccessPolicy ,callbackFunction);

Sample resourceAccessPolicy

const resourceAccessPolicy = {
"outBoundRequest" : {
"blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
"allowedDomains" : ["*.domdog.io"]
}
};
Note: blockedDomains holds precedence over allowedDomains. i.e., requests checked against blockedDomains first then allowedDomains.

Sample callbackFunction for Attack Monitoring

var callbackFunction = function (violationEvent) {
console.log(violationEvent);
}

Sample callbackFunction for Attack Blocking

var callbackFunction = function (violationEvent) {
throw new Error("Request Blocked. It violates declared Resource Access Policy.")
}

Sample violationEvent

{
"violationtType": "Outbound Request",
"message": "Outbound request to 'www.malicious.com' violates declared 'Resource Access Policy (RAP)'.",
"policy": {
"outBoundRequest" : {
"blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
"allowedDomains" : ["*.domdog.io"]
}
}

Integrating with Sentry

Sample callbackFunction to integrate with Sentry

var callbackFunction = function (violationEvent) {

var e = new Error();
e.name = 'Resource Access Policy Violation';
e.message = JSON.stringify(violationEvent);
Sentry.captureException(e);

}

Screenshot from Sentry dashboard

Features

Attack Monitoring Outbound Network Calls Attack Blocking Outbound Network Calls

Roadmap

Attack Monitoring Command Execution File Calls Attack Blocking Command Execution File Calls Vulnerability Scanner

Authors

Lavakumar Kuppan Github - @lavakumar Twitter - @lavakumark Sukesh Pappu Github - @thelogicalbeard Twitter - @thelogicalbeard

License

Apache License 2.0

NodeSecurityShield - A Developer And Security Engineer Friendly Package For Securing NodeJS Applications NodeSecurityShield - A Developer And Security Engineer Friendly Package For Securing NodeJS Applications Reviewed by Zion3R on 5:30 PM Rating: 5

Read Entire Article
  3. NodeSecurityShield - A Developer And Security Engineer Friendly Package For Securing NodeJS Applications

Related

File-Unpumper - Tool That Can Be Used To Trim Useless Things From A PE File Such As The Things A File Pumper Would Add

File-Unpumper - Tool That Can Be Used To Trim Useless Things From A PE File Such As The Things A File Pumper Would Add

Mass-Assigner - Simple Tool Made To Probe For Mass Assignment Vulnerability Through JSON Field Modification In HTTP Requests

Mass-Assigner - Simple Tool Made To Probe For Mass Assignment Vulnerability Through JSON Field Modification In HTTP Requests

Psobf - PowerShell Obfuscator

Psobf - PowerShell Obfuscator

DockerSpy - DockerSpy Searches For Images On Docker Hub And Extracts Sensitive Information Such As Authentication Secrets, Private Keys, And More

DockerSpy - DockerSpy Searches For Images On Docker Hub And Extracts Sensitive Information Such As Authentication Secrets, Private Keys, And More

Ashok - A OSINT Recon Tool, A.K.A Swiss Army Knife

Ashok - A OSINT Recon Tool, A.K.A Swiss Army Knife

VulnNodeApp - A Vulnerable Node.Js Application

VulnNodeApp - A Vulnerable Node.Js Application

Trending

1. Steve Smith
2. West Indies vs Bangladesh
3. OTET Result 2024
4. Nitish kumar reddy
5. Nithin Kamath
6. Pam Bondi
7. Harshit Rana
8. Zebra movie
9. Mukesh Ambani
10. C2C Advanced Systems IPO GMP

Popular

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved