Use of Zap and Bugfix

This week POC several penetration testing tools, namely Burp Suite, OWASP Zap.

Many of the features of Burp are charged, and the free version is basically only used for request interception.

So finally chose Zap to scan a vulnerability fix for an Express project. Here is a brief record of the Zap tutorial and some security practices of Express.

Installation

Zap installation is very simple, go directly to the official website https://www.zaproxy.org/ download and then step by step installation.

Proxy configuration

The principle of Zap is actually to play a proxy, and then we configure the proxy strategy of the browser to direct the requests that need to be tested to the proxy, and Zap will record and analyze these requests and attempt to attack.

So the first step is to configure the proxy, this step can go to the official website doc: https://www.zaproxy.org/docs/desktop/start/proxies/

It should be noted here that Zap 2.9.0 only supports Chrome and Firefox browsers, and ** support for Chrome should only reach version 79. The author’s version 86 will crash as soon as Chrome starts. **

Regarding the proxy configuration of firefox, everyone can go directly to the official website, which is simply a tutorial at the nanny level.

The author needs to remind here is that a prompt in the doc, this prompt is about the configuration of the localhost, because this prompt does not use a special format, it is easy to ignore:

Note: To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.

Use

Zap

Zap Hub is a very useful tool set provided by zap. It actually adds an entry to the functions of the Zap client on both sides of the browser, so that we do not need to switch back and forth between the browser and Zap during the testing process.

Of course, we can also use Zap Hub, but if you want to use it and find that Zap Hub is not loaded:

Check if Zap doesn’t have the hub open.

  • If open, see if the Hub is blocked by some security policies of the project itself, such as CSP

If you load Zap Hub for the first time, it will also prompt you whether to enter the novice tutorial. This tutorial is very detailed and will guide you step by step. It is also more verbose. If you are in a hurry to use it, you can first take a look at my screenshot below:

Client

The function of Zap Client is no different from that of Hub. If you know how to use Hub, you will naturally use Client.

But here’s a reminder: ** It’s best to use Passive Scan to scan a website at the beginning, only if you confirm that you can scan a website, and then actively scan, because active scanning will try various schemes to attack the target website. **

Express security practices

When we finish scanning a website, we can export the scan report, and there are many formats to choose from.

After the author exported the report, although there were not many vulnerabilities, it was still those commonplace problems, such as XSS, SqlInjection, MIME sniffing, etc.

However, this also shows the prevalence of these problems, even impossible to guard against.

Here are a few Express security practices:

Do not use unrecommended or vulnerable

Express 2.x and 3.x are no longer maintained. Security and performance issues in these versions will not be corrected. Do not use these versions! If you have not migrated to V4, follow the迁移指南Carry out migration.

Also make sure you are not using安全性更新页面Any of the vulnerable Express versions listed in. If in use, please update to a stable published version, preferably the latest version.

Use

If the application processes or transmits sensitive data, please use传输层安全性 (TLS) to protect connections and data. This technique is used to encrypt data and then send it from the client to the server to prevent some common (and easy) hacking attacks. Although Ajax and POST requests may not be obvious and seem to be “hidden” in the browser, their network traffic is vulnerable包嗅探Attacks and中间人攻击

You may be familiar with Secure Sockets Layer (SSL) encryption.[TLS 就是下一代的 SSL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380515(v=vs.85)In other words, if you have used SSL before, consider upgrading to TLS. In general, we recommend using Nginx to handle TLS. For excellent reference information on configuring TLS on Nginx (and other servers), please refer to Recommended Server Configurations (Mozilla Wiki)。

In addition, a convenient Let’s Encrypt Tool to get free TLS certificate, which is provided by因特网安全研究组 (ISRG) Provide free, automated open certification center (CA).

Use

Helmet 通过适当地设置 HTTP 头,帮助您保护应用程序避免一些众所周知的 Web 漏洞。

Helmet actually only uses the following set of nine smaller Middleware functions for setting security-related HTTP headers:

  • csp Used to set the Content-Security-Policy header to help defend against cross-site scripting attacks and other cross-site injection attacks.
  • hidePoweredBy Used to remove the X-Powered-By header.
  • hsts Use to set the Strict-Transport-Security header to enforce a secure server connection (HTTP over SSL/TLS).
  • ieNoOpen Used to set’X-Download-Options’ for IE8 +.
  • noCache Use to set the Cache-Control and Pragma headers to disable Client caching.
  • noSniff Used to set X-Content-Type-Options to prevent attackers from MIME-sniffing the content-type declared in the response from the browser.
  • frameguard Used to set the X-Frame-Options header, providing clickjacking Protection.
  • xssFilter Use to set X-XSS-Protection to enable cross-site scripting (XSS) filters in the latest web browsers.

Install Helmet like other modules:

1
$ npm install --save helmet

Then use it for your code.

1
2
3
4
...
var helmet = require('helmet');
app.use(helmet());
...

At least disable

If you do not wish to use Helmet, you should at least disable the X-Powered-By header. Attackers may use this header (enabled by default) to detect applications running Express and then launch attacks against specific targets.

So, the best practice is to disable this header using the app.disable () method:

1
app.disable('x-powered-by');

If you use helmet.js, it will perform this function for you.

Safe use

To ensure that cookies do not open applications and expose them to risk, do not use the default session cookie name and set cookie security options accordingly.

There are two main Middleware cookie session modules:

  • express-session, used to replace the’express.session 'Middleware built into Express 3.x.
  • cookie-session, used to replace the’express.cookieSession 'Middleware built into Express 3.x.

The main difference between these two modules is the way they save cookie session data.express-session Middleware stores session data on the server; it only stores session identifiers, not session data, in cookies. By default, it uses in-memory storage and is not intended for use in a production environment. In a production environment, you need to set up scalable session storage; see兼容的会话存储List.

On the contrary,cookie-session Middleware implements cookie-supported storage: it serializes the entire session into the cookie, not just the session key. This Middleware is only used if the session data is relatively small and easy to encode as primitive values (rather than objects). Although it is assumed that the browser supports at least 4096 bytes per cookie to ensure that the limit is not exceeded, the size of each domain will not exceed 4093 bytes. Also note that the client has access to cookie data, so express-session may be a better choice if there is any reason to keep it secure or hidden.

Do not use the default session

Using the default session cookie name leaves the application open to attacks. Values such as X-Powered-By can cause problems: potential attackers can use such values to “fingerprint” the server and determine attack targets accordingly.

To avoid this problem, use generic cookie names; for example, use express-session Middleware:

1
2
3
4
5
6
7
var session = require('express-session');
app.set('trust proxy', 1) // trust first proxy
app.use( session({
secret : 's3Cur3',
name : 'sessionId',
})
);
Settings

Set the following cookie options to enhance security:

  • ‘Secure’ - Ensure that the browser only sends cookies over HTTPS.
    HttpOnly ensures that cookies are only sent over HTTP (S), not client JavaScript, which helps protect against cross-site scripting attacks.
  • ‘Domain’ - Represents the domain of the cookie; used for comparison with the domain of the server requesting the URL. If it matches, then the path attribute is checked next.
  • ‘Path’ - indicates the path of the cookie; used for comparison with the request path. If both the path and domain match, the cookie is sent in the request.
  • ‘expires’ - Used to set an expiration date for persistent cookies.

Following is the use cookie-session Examples of Middleware:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
var session = require('cookie-session');
var express = require('express');
var app = express();

var expiryDate = new Date( Date.now() + 60 * 60 * 1000 ); // 1 hour
app.use(session({
name: 'session',
keys: ['key1', 'key2'],
cookie: { secure: true,
httpOnly: true,
domain: 'example.com',
path: 'foo/bar',
expires: expiryDate
}
})
);

Ensure the security of dependencies

Npm itself has a dependency checking tool, ‘npm audit’, very easy to use, this is doc, doc is very short, and it is also very simple to use: https://docs.npmjs.com/cli/v6/commands/npm-audit/