The OWASP Node Goat is an educational Node.js web application vulnerable to the <atarget="_blank" href="https://www.owasp.org/index.php/Top_10_2013-Top_10"> OWASP Top 10</a> risks. </p>
47
-
<p>It is intended to show how each of these vulnerabilities can manifest
48
-
in a Node.js specific way, and provides the subsequent mitigation for each with source code examples.
46
+
The OWASP Node Goat is an educational Node.js web application vulnerable to the <atarget="_blank" href="https://www.owasp.org/index.php/Top_10_2013-Top_10"> OWASP Top 10</a> risks.</p>
47
+
<p>It is intended to show how each of these vulnerabilities can manifest in a Node.js specific way, and provides the subsequent mitigation for each with source code examples.
49
48
</p>
50
49
<p>To start hacking the application, login using the form below, or access the tutorial guide to know more.</p>
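Review bot: the OWASP Top 10 link carried over into the re-added intro lines (`<atarget="_blank" href="https://www.owasp.org/index.php/Top_10_2013-Top_10">`) opens a new tab with `target="_blank"` but has no `rel="noopener noreferrer"`, so the linked page receives a handle on the opener window; add the `rel` attribute while these lines are being reflowed anyway. As rendered here the tag name and attribute also run together (`<atarget=`), which is worth checking against the actual file, and the `</p>` on that first line closes a paragraph opened outside this hunk, so keep it when reflowing.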
SQL and NoSQL injections enable an attacker to inject code into the query that would be executed by the database.
210
-
These flaws are introduced when software developers create dynamic database queries that include user supplied input.
209
+
SQL and NoSQL injections enable an attacker to inject code into the query that would be executed by the database. These flaws are introduced when software developers create dynamic database queries that include user supplied input.
<p>Both SQL and NoSQL databases are vulnerable to injection attack. Here is an example of equivalent attack in both cases, where attacker manages to retrieve admin user's record without knowing password:</p>
221
220
<h5>1. SQL Injection</h5>
222
221
<p>Lets consider an example SQL statement used to authenticate the user with username and password</p>
223
-
<pre>SELECT * FROM accounts WHERE username = '$username' AND password = '$password'</pre>
224
-
<p>If this statement is not prepared or properly handled when constructed, an attacker may be able to supply<code>admin' --</code> in the username field to access the admin user's account bypassing the condition that checks for the password.
225
-
The resultant SQL query would looks like:</p>
226
-
<pre>SELECT * FROM accounts WHERE username = 'admin' -- AND password = ''</pre>
222
+
<pre>SELECT * FROM accounts WHERE username = '$username' AND password = '$password'</pre>
223
+
<p>If this statement is not prepared or properly handled when constructed, an attacker may be able to supply
224
+
<code>admin' --</code>in the username field to access the admin user's account bypassing the condition that checks for the password. The resultant SQL query would looks like:</p>
225
+
<pre>SELECT * FROM accounts WHERE username = 'admin' -- AND password = ''</pre>
227
226
<br/>
228
227
<h5>2. NoSQL Injection</h5>
229
-
<p>The equivalent of above query for NoSQL MongoDB database is:</p>
228
+
<p>The equivalent of above query for NoSQL MongoDB database is:</p>
<p>While here we are no longer dealing with query language, an attacker can still achieve the same results as SQL injection by supplying JSON input object as below:</p>
230
+
<p>While here we are no longer dealing with query language, an attacker can still achieve the same results as SQL injection by supplying JSON input object as below:</p>
232
231
<pre>
233
232
{
234
233
"username": "admin",
235
234
"password": {$gt: ""}
236
235
}
237
236
</pre>
238
-
<p>In MongoDB, <code>$gt</code> selects those documents where the value of the field is greater than (i.e. >) the specified value. Thus above statement compares password in database with empty string for greatness, which returns <code>true</code>.</p>
239
-
<p> The same results can be achieved using other comparison operator such as <code>$ne</code>.</p>
237
+
<p>In MongoDB,
238
+
<code>$gt</code>selects those documents where the value of the field is greater than (i.e. >) the specified value. Thus above statement compares password in database with empty string for greatness, which returns
239
+
<code>true</code>.</p>
240
+
<p>The same results can be achieved using other comparison operator such as
241
+
<code>$ne</code>.</p>
240
242
</div>
241
243
</div>
242
244
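Review bot: the NoSQL sample in this hunk is introduced as a "JSON input object", but `"password": {$gt: ""}` is not valid JSON because the operator key is unquoted; write it as `"password": {"$gt": ""}` so it matches what a JSON body parser would actually accept. The reflowed lines also drop the space after inline code (`<code>admin' --</code>in the username field` and `<code>$gt</code>selects`), which renders as "--in" and "$gtselects"; keep a space after `</code>` or leave the text on the same line. Two wording issues survive from the removed lines into the added ones: "would looks like" should be "would look like", and "compares password in database with empty string for greatness" reads better as "checks whether the stored password is greater than the empty string, which is always true".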
@@ -250,7 +252,8 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
250
252
<ul>
251
253
<li>Prepared Statements: For SQL calls, use prepared statements instead of building dynamic queries using string concatenation. Stored procedures have the same effect as the use of prepared statements when implemented safely</li>
252
254
<li>Input Validation: Validate inputs to detect malicious values. For NoSQL databases, also validate input types against expected types</li>
253
-
<li>Least Privilege: To minimize the potential damage of a successful injection attack, do not assign DBA or admin type access rights to your application accounts. Similarly minimize the privileges of the operating system account that the database process runs under.</li>
255
+
<li>Least Privilege: To minimize the potential damage of a successful injection attack, do not assign DBA or admin type access rights to your application accounts. Similarly minimize the privileges of the operating system account
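Review bot: the "Input Validation" item would be more actionable if it tied back to the `$gt` example earlier in the file: for NoSQL, reject any request field whose type is not the expected one (an object where a string password is expected) before it reaches the query, since that is exactly what defeats operator injection. The added Least Privilege line is also cut after "operating system account"; make sure the rest of the sentence and the closing `</li>` from the removed line ("that the database process runs under.</li>") survive the reflow.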
app/views/tutorial/a5.html (5 additions & 2 deletions)
@@ -47,7 +47,8 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
47
47
Here are some node.js and express specific configuration measures:
48
48
<ul>
49
49
<li>
50
-
Use latest stable version of node.js and express (or other web framework you are using). Keep a watch on published vulnerabilities of these. The vulnerabilities for node.js and express.js can be found <ahref="http://blog.nodejs.org/vulnerability/">here</a> and <ahref="http://expressjs.com/advanced/security-updates.html">here</a>, respectively.
50
+
Use latest stable version of node.js and express (or other web framework you are using). Keep a watch on published vulnerabilities of these. The vulnerabilities for node.js and express.js can be found <ahref="http://blog.nodejs.org/vulnerability/">here</a> and
Do not run application with root privileges. It may seem necessary to run as root user to access privileged ports such as 80. However, this can achieved either by starting server as root and then downgrading the non-privileged user after listening on
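Review bot: both advisory links in the reflowed list item use plain `http://` (`http://blog.nodejs.org/vulnerability/` and `http://expressjs.com/advanced/security-updates.html`); for a pointer to security updates, link over HTTPS where the host supports it, and replace the two bare "here" anchors with descriptive text such as "Node.js security advisories" and "Express security updates". In the root-privileges item, "this can achieved" is missing "be", and "downgrading the non-privileged user" should read "downgrading to a non-privileged user".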
@@ -82,7 +83,9 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
As browsers automatically send credentials like session cookies with HTTP requests to the server where cookies were received from, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.</p>
42
-
<p>For example, CSRF vulnerability can be exploited on profile form on the insecure demo application.</p>
42
+
<p>For example, CSRF vulnerability can be exploited on profile form on the insecure demo application.</p>
<li>An attacker would need to host a forged form like below on a malicious sever.
47
47
<pre>
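Review bot: "malicious sever" in the added `<li>` line should be "malicious server", and the unchanged CSRF paragraph is missing its articles ("the CSRF vulnerability can be exploited on the profile form"). The `<li>` opened here has its `</li>` and the `<pre>` contents beyond this hunk, so confirm the reflow kept the list markup balanced.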
@@ -75,7 +75,8 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
75
75
<divclass="panel-body">
76
76
<p>Express csrf middleware provide a very effective way to deal with csrf attack. By default this middleware generates a token named "_csrf" which should be added to requests which mutate state (PUT, POST, DELETE), within a hidden form field,
77
77
or query-string, or header fields.</p>
78
-
<p> If using method-override middleware, it is very important that it is used before any middleware that needs to know the method of the request, including CSRF middleware. Otherwise an attacker can use non-state mutating methods (such as GET) to bypass the CSRF middleware checks, and use method override header to convert request to desired method.</p>
78
+
<p>If using method-override middleware, it is very important that it is used before any middleware that needs to know the method of the request, including CSRF middleware. Otherwise an attacker can use non-state mutating methods (such as
79
+
GET) to bypass the CSRF middleware checks, and use method override header to convert request to desired method.</p>
79
80
<p>When form is submitted, the middleware checks for existence of token and validates it by matching to the generated token for the response-request pair. If fails to match, it rejects the request. Thus making it really hard for an attacker
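Review bot: the trailing context paragraph has a grammatical fragment that should be fixed while this file is being reflowed: "If fails to match, it rejects the request. Thus making it really hard for an attacker" should read "If it fails to match, the request is rejected, which makes it hard for an attacker". In the same hunk, "Express csrf middleware provide a very effective way to deal with csrf attack" should be "provides ... CSRF attacks". The added lines split the method-override sentence mid-parenthesis ("(such as" / "GET)"), which is harmless in HTML but fragile; keep the parenthetical on one line.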