Node js security: CORS, admin page and other things - javascript

I am building my first node.js webapp. I don't need to manage users registrations. I just need an admin page wich easly allow updating the content of some pages.
I have almost finished the development phase but there is something about security I would like to clarify.
ADMIN PAGE: there are 2 level of security:
1) The admin page is linked to mywebsite.com/hexadecimal_string .
Maybe it's very stupid but the admin page is a "secret" page. Linking
it to mywebsite.com/admin is too much common. Do you think that using
an hexadecimal string can be considered a first level of security?
2) Of course there is a password for admin, stored in my database. If
the password is right, a temp cookie is setted. Maybe I should
encrtypt this password while is posted but I'm not planning to use
https. Is there a way, different by using https, to make the posting
of the password more secure ?
CORS: I don't need CORS but there is a thing that is making me crazy:
In the homepage everyone can post some data to server (we are talking about newsletter emails and others personal datas)
suppose someone reads the javascript code of the home page(in particular the ajax urls) in same way and he tries to post data to the same urls but using a personal script that skip the validation phase. Of course I did the validation to server also but I'd like to not accept any req coming from personal scripts written by other than me. The server should respond only to requests coming from my javascripts, tha anyone can run accessing to www.mywebsite.com. All other requests coming from different scripts will recieve 500-server error.
Now, I read about lot's of people that is tryng to ALLOW CORS. So I was supposing that cors is disabled by default but I tried to post data from another website to mine and the data have been sent without problem and the server responds 200. Why? Can I manage this thing?
There are other common things that I need to analyze and manage for security in my situation??

Since you don't want to use https and are looking for an alternative to that I presume you don't want the password to be sniffed in transit. I suggest a simple encryption decryption algorithm might work out for you. For the second issue, you can add a validation string which the client JS will pass along with other parameters while hitting your server API's. If you generate this string each time the client loads some specific page, then duplication of string will also be tackled.
In case you don't want at all to maintain any sort of db on server side, then attach a hidden HTML field to the API hits. This hidden field again you can encrypt and sent. If you broadcast this field periodically from the server, replication of the field will not be possible.
Also in CORS, you cannot request for data from a cross domain. CORS block comes in place when the browser gets a reply back from the server. Only posting of data does not cause any issue.

Related

Reading password secured urls - Node JS - mysql - javascript

I have a list of image urls in a mysql database. When the client sends some GET request to the server, the server responds with a JSON file that will enable the client to build a template and fill tags, so, nothing complicated.
Recently, the images have been secured by password, so, for example, i can't access them anymore with :
http://www.url.com/image
but I have to use :
http://user:password#www.url.com/image
I can't change that since I am not the admin for this images location.
For now, I am doing some dirty substring operations, server side, just after my SELECT request, to add the "user:password#" information to the url string, before sending it to the client.
It works but I think it is dirty and not very secured. What can I do to make it clean ?
Thank you for your help!
Your image service has decided to adopt basic authentication over http. That means they have decided to adopt a protocol that's grossly insecure. This basic authentication needs https to avoid leaking usernames and passwords to the internet.
That's their problem. But if those usernames and passwords are valuable, it is a serious problem.
Your technique of embedding a username and password in the URL is correct. But it is presently deprecated by some browsers; you should avoid relying on it.

Howto hide Credentials in a pure Javascript HTML Web App

Is there a way to hide credentials, such as password or authentication header tokens from user 's eye in a pure HTML/Javascript app?
The AngularJS App communicates against a rails backend via CORS running on a different domain.
Beside setting up CORS being more restrictive or checking against Domains in request on backend side, I wish to send auth tokens or add tokens to headers.
Does anyone know?
kind regards,
Alex
You can only restrict what your user sees by obscurity, which is not a very good Idea.
The key here is to set up your authentication in a way so it does not matter what the user can see or manipulate. One way to do this, is to send generated keys to your client and to your second server app every time your app needs to be authenticated. Restrict usage in a way that makes sense for your app. Another possibility would be registration.
A possible workaround would be to use one server as the only node the client is talking to while the server does all the work of talking to your other server. Especially if you don't want to give your user the possiblity to call the api of your second server outside of your app logic for some reason.
I don't think there is any way out. A smart user can get to it anyways.

single page apps security issue

I'm developing a single page app with Backbone.js and I was asking myself some question.
When I'm developing an app that relies on render pages on server I do know how to show some parts or not depending on the user is admin or not (just an example).
But now, I'm using Backbone.js and underscore templating to create the views... so.... I could create a cookie that says... ok... is the admin, but anyways, someone smart-enough could just change the cookie value. I'm able to solve it just creating a check in the server side that the user is allowed to do that.
Other chance I'm thinking about is to ask the server for this concrete pieces of code and just paste them in the right site
What do you think?
Thanks
Your scenario is not entirely clear to me, but in general: If the server divulges "secret" information or allows restricted actions without having verified itself that the user is allowed to see something/do something, that's a security hole. Authentication will have to happen in the established ways: user logs in on the server and receives a secure (enough) token, e.g. a session cookie. The server then only sends information that the user is allowed to see to the client and only allows actions the user is allowed to do.
Anything client-side is always, by definition, insecure. A secure client-side-only authentication system does not exist. The server must not take the client's word for who he is. No critical action must be performed on the client without the server being able to verify that action.

Applying authorization and security to RIA's

I'm thinking about creating an RIA version of a traditional web application. In a traditional web app, most of the code is on the server, obviously, out of touch of the client. There I would have, at very least, conditional code to check if the current user has permissions to do something, or what form fields to display.
In a RIA, all code is running in the browser. So I have, it seems, two choices.
If I need to display a form, grab it dynamically from the server. This works, but it makes the server do more work than just marshal back and forth JSON.
Bring back the account data from the server, and do all authorization code on the client. I took a quick peak at basecampmobile, and seems they are doing something like this.
My question is, does hiding this information behind a closure really protect it, or is this "security by obscurity"?
I would do authorization on the server and the client. The client authenticate with the server and the server returns only data belonging to that client/user nothing else. Then on the client you check the authorization on specifics to update the UI accordingly.
Remember you can always jump into the dev tools and see the network traffic so we are not even talking about obscurity here...
When you work on a thick client, you should check for user security both on the server and client because client can be hacked easily.
I don't like RIA services role based authorization. It feels much more intuitive to use access based authorization like what SQL Server has, and it doesnt force you to re-implement the security at client side. For example instead of saying x, y, and y can access this createCustomer(..) method, it is more intuitive to say someone with the "Create" right can access this method.
I have an open source framework that faciliates this type of authorization read more here. It is called saf-framework.

How to prevent JavaScript Injection Attacks

Currently I have developed a site which is used for handle financial transactions. I have seen that some of my customers have done JavaScript injection attacks and have done some transactions which are not possible. As a example I have checked his cash balance before he place the order. But some of them did change that by running the following javascript in the address bar. They have taken the varible name by looking in to page source.
javascript:void(document.accounts.cashBalence.value="10000000")
Since this is critical I want to fixed it quickly. So is there a way to prevent JavaScript injection attacks?
You can obfuscate or hash variable names and/or values. However,
Don't use JavaScript, do every logic in the server-side instead.
In the end it's not even a problem of Javascript. Your server talks to the outside world using HTTP. It sends data using HTTP and receives data using HTTP. Anybody can request data from it using HTTP and anybody can send data to it using HTTP.
Think about this again:
Anybody can send data to your server through the very simple protocol that is HTTP.
The HTML and Javascript you're sending to people's browsers is just a nice help, an interface, to allow them to easily send data to your server. They could do the same using the curl command on their command line or by telnet'ing into port 80 and talk really low-level to it.
If your server blindly obeys any and all commands sent to it without checking their validity, you have no security whatsoever. Security and validity checks belong on the server, not on the client side interface. Because HTML and Javascript aren't the only interface to your server, nor are they in any way protectable and hence trustworthy.
Javascript runs in the user's browser. You ultimately have no control over it and should not trust it. Any verification you do in the browser is merely for the user's convenience so they can be alerted of problems as early as possible.
The backend code that accepts the order should do the authoritative check of the user's balance.
No client-side scripting (including Javascript) is good for verification, It should all be done on the server-side.
It is too unreliable to trust it specially if it is for financial records!!
It should be used for a better "user experience". Form validation while typing or whatever but not this!
Have found that if you make it to where server only excepts out going data not incoming data it works best but that poses a problem, if you are using a website that takes user input on the connected client then your preaty much screwed I sugset a simple java script line that in a sence makes it to where before you can send any java script you have to enter a basic set of variables so in a sence just have a login page start with somthing like this
System.out.printin ("Welcome, Would you like to login to edit?")
Then { System.in = "Yes"}
To prevent Javascript injection, you should have a Validation Feature whenever you allow your user to enter something. Try to use libraries that determine Javascript scripts that are entered to the form.
Also when displaying user inputs, you should Escape Texts to display it as is and will not be evaluated by the browser.
Utilize your server, your should place your business logic to the server and not to the client whether using Javascript or not. All data sent to the client are just view and should not process any business logic.

Categories