2022-05-15 00:54:27
A Developer and Security Engineer friendly package for Securing NodeJS (https://www.kitploit.com/search/label/NodeJS) Applications. Inspired by the log4J vulnerability (https://www.kitploit.com/search/label/Vulnerability) (CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)) which can be exploited because an application can make arbitrary network calls. We felt there is an need for an application to declare what privileges it can have so that exploitation (https://www.kitploit.com/search/label/Exploitation) of such vulnerabilities (https://www.kitploit.com/search/label/vulnerabilities) becomes harder. To achieve this, NSS (Node Security Shield) has Resource Access (https://www.kitploit.com/search/label/Access) Policy.
Resource Access Policy (RAP) Resource Access Policy is similar to CSP(Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)). It lets the developer/security engineer declare what resources an application should access. And Node Security Shield will enforce it. Installation Install Node Security Shield using npm npm install nodesecurityshield Usage // Require Node Security Shield
let nodeSecurityShield = require('nodesecurityshield');
// Enable Attack Monitoring and/or Blocking
nodeSecurityShield.enableAttackMonitoring(resourceAccessPolicy ,callbackFunction); Sample resourceAccessPolicy const resourceAccessPolicy = {
"outBoundRequest" : {
"blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
"allowedDomains" : ["*.domdog.io"]
}
}; Note: blockedDomains holds precedence over allowedDomains. i.e., requests checked against blockedDomains first then allowedDomains. Sample callbackFunction for Attack Monitoring var callbackFunction = function (violationEvent) {
console.log(violationEvent);
} Sample callbackFunction for Attack Blocking var callbackFunction = function (violationEvent) {
throw new Error("Request Blocked. It violates declared Resource Access Policy.")
} Sample violationEvent {
"violationtType": "Outbound Request",
"message": "Outbound request to 'www.malicious.com' violates declared 'Resource Access Policy (RAP)'.",
"policy": {
"outBoundRequest" : {
"blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
"allowedDomains" : ["*.domdog.io"]
}
} Integrating with Sentry Sample callbackFunction to integrate with Sentry (https://sentry.io/) var callbackFunction = function (violationEvent) {
var e = new Error();
e.name = 'Resource Access Policy Violation';
e.message = JSON.stringify(violationEvent);
Sentry.captureException(e);
} Screenshot from Sentry dashboard
375 viewsEH Community Feed, 21:54